R: [Openswan Users] OpensWan and Iptables

Giovanni gio_ton at tiscali.it
Thu Oct 28 00:56:18 CEST 2004


I made some modifications to my firewall and now it works almost well. There
are two problems:

First of all, the firewall drops all requests destined to the private
IP of my firewall/openswan, while it works perfectly for those
destined to all other addresses of the same network.

Secondly, I can't activate a "natted" PC. It works perfectly only if the
client isn't natted.

The error message is: "cannot respond ipsec because no connection is known
for ip lan priv == ip lan public".

At the moment my server configuration in ipsec.conf is the following
(the "authbt=" line as originally posted is a typo for "authby="):

config setup
            interfaces="ipsec0=eth2"
            forwardcontrol=yes
            klipsdebug=all
            nat_traversal=yes
            plutodebug=none
            uniqueids=yes
            virtual_private=%v4:172.16.0.0/12

conn prova
            auto=add
            authby=rsasig
            left=ip public server vpn
            leftsubnet=network private
            leftid=myid
            leftcert=mycert
            right=ip of public client address
            rightid=myid
            rightcert=mycert
            pfs=yes
            keyingtries=3

 

thanks to all for the support

 

 

  _____  

From: Giovanni [mailto:gio_ton at tiscali.it]
Sent: Wednesday, 27 October 2004 1:31
To: 'users at openswan.org'
Subject: R: [Openswan Users] OpensWan and Iptables

 

Now it works very well!!!

Thanks again

 

 

 

Hi 

This should give you an idea:

# [ Allow IKE (UDP 500) rules go here ]

# Allow ESP traffic from/to the gateway.
iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT

# Tag incoming IPsec traffic. The mark sticks to the packet after decapsulation.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK --set-mark 1

# Forward authenticated (marked) traffic to the LAN.
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT

# Allow established connections to communicate back.
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Source-NAT everything apart from ESP traffic.
# ("! -p esp" is the current negation syntax; the older "-p ! esp" is rejected by recent iptables.)
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE ! -p esp -j SNAT --to-source $EXTERNAL_IPADDR

 

I hope this helps.

 

Cheers,

Daniel.
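The following is an added example, not code from either poster, that puts Daniel's ruleset and both of Giovanni's symptoms (the gateway's own private address being dropped, and a NATted client failing) into one script. It assumes the NETKEY/xfrm IPsec stack of Linux 2.6 and later, where decrypted packets re-enter netfilter on the physical interface and the xt_policy match ("-m policy") identifies them; under KLIPS (the "ipsec0=eth2" binding in the config above) decrypted packets arrive on ipsec0 instead and the policy match does not apply. It also opens UDP/500 and UDP/4500, which a NAT-T client needs once the NAT is detected, and accepts decrypted traffic addressed to the gateway itself in INPUT, not only in FORWARD. Interface names and addresses (eth2, eth0, 203.0.113.10, 192.168.1.0/24) are placeholders.

```shell
#!/bin/sh
# Added example: netfilter rules for an Openswan/NETKEY gateway.
# All interface names and addresses below are assumptions, not from the thread.
EXT_IF=${EXT_IF:-eth2}
LAN_IF=${LAN_IF:-eth0}
EXT_IP=${EXT_IP:-203.0.113.10}        # placeholder public address (TEST-NET-3)
LAN_NET=${LAN_NET:-192.168.1.0/24}    # placeholder private LAN
DRY_RUN=${DRY_RUN:-1}                 # 1 = print the rules, 0 = apply them (needs root)

# Wrapper so the ruleset can be reviewed without touching the kernel.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ipsec_firewall_rules() {
    # IKE: ISAKMP on UDP/500, plus UDP/4500 for NAT-T (nat_traversal=yes).
    # Without 4500 a client behind NAT negotiates phase 1 and then stalls.
    ipt -A INPUT  -i "$EXT_IF" -p udp --dport 500  -j ACCEPT
    ipt -A INPUT  -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -p udp --sport 500  -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -p udp --sport 4500 -j ACCEPT

    # ESP between the gateway and its peers (NAT-T peers use UDP/4500 instead).
    ipt -A INPUT  -i "$EXT_IF" -p esp -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -p esp -j ACCEPT

    # Decrypted packets: accept only what really came out of an IPsec SA
    # (--pol ipsec --dir in), never cleartext spoofing a LAN source.
    # The INPUT rule is what a FORWARD-only ruleset lacks: traffic for the
    # gateway's own LAN address is delivered locally, not forwarded.
    ipt -A INPUT   -i "$EXT_IF" -m policy --dir in --pol ipsec -d "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m policy --dir in --pol ipsec -d "$LAN_NET" -j ACCEPT
    # LAN traffic (and the gateway's own replies) about to enter a tunnel.
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m policy --dir out --pol ipsec -s "$LAN_NET" -j ACCEPT
    ipt -A OUTPUT  -o "$EXT_IF" -m policy --dir out --pol ipsec -j ACCEPT

    # Ordinary Internet access from the LAN, stateful.
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source NAT: packets that will be encrypted must keep their private
    # source address, otherwise the peer sees the public IP and no SA selector
    # matches. The exemption therefore has to precede the SNAT rule.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

ipsec_firewall_rules
```

Run it as is to print the rules for review; run it with DRY_RUN=0 as root to apply them. The policy match replaces Daniel's mangle mark: it is evaluated against the kernel's SPD after decapsulation, so it cannot be satisfied by a cleartext packet, whereas a mark set on any ESP datagram is inherited by whatever the kernel decrypts from it.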

 
