[Openswan Users] SuSE 9.2 Openswan
Bram Bouwens
bbouwens at xs4all.nl
Thu Apr 28 13:13:46 CEST 2005
datasis at cantv.net wrote:
> Hi All,
>
> I have 2 Linux SuSE 9.2 boxes, used in different locations like this:
>
> LEFT LAN -192.160.0.0/24 --- LEFT SUSE 9.2 BOX 192.168.0.218 <>
> 200.xxx.xxx.xxx FIXED EXT. IP
> |
> INTERNET
> |
> RIGHT SUSE 9.2 BOX 201.xxx.xxx.xxx <> 192.168.1.2 FIXED EXTERNAL IP --
> RIGHT LAN 192.168.1.0/24
>
> I made a net-to-net VPN connection:
> ipsec auto --up net2net
> 112 "net2net" #53: STATE_QUICK_I1: initiate
> 004 "net2net" #53: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x1565c5fc <0xc999dff7}
>
> The problem is I can't see the pc from on internal lan to the other, can't
> ping.
>
> Do you think the problem is in the firewall?
>
Sounds a lot like the problem I had. In the end I put in:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
and in /etc/sysconfig/scripts/SuSEfirewall2-custom:
fw_custom_before_denyall() {
# some comments skipped ...
iptables -t nat -I POSTROUTING -s 192.168.37.0/24 -d 192.168.0.0/24 -j ACCEPT
true
}
Which gives me the ACCEPT line in:
# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.37.0/24 192.168.0.0/24
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The trick seems to be that, before that, the traffic for the other site
got MASQ'd before it could be encapsulated, so my ISP got packets
seemingly from my public IP destined to 192.168.0.0/24, which it
dropped of course.
Bram
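A check one can run against a captured `iptables -t nat --list` listing to confirm that the exemption rule is ordered before MASQUERADE in POSTROUTING, as the reply above relies on. This is an added example, not code from the original thread; the function names, the awk-based parsing and the two constructed listings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that in the nat table's
# POSTROUTING chain an ACCEPT rule for LOCAL_LAN -> REMOTE_LAN appears before
# any MASQUERADE rule, so site-to-site traffic is not NATed before IPsec
# can encapsulate it. Reads the output of "iptables -t nat --list" on stdin.
# Usage: check_nat_exemption LOCAL_LAN REMOTE_LAN < listing   (0 = ok)
check_nat_exemption() {
    awk -v src="$1" -v dst="$2" '
        /^Chain / { inpost = ($2 == "POSTROUTING"); next }
        !inpost { next }
        $1 == "ACCEPT" && $4 == src && $5 == dst && !masq { ok = 1 }
        $1 == "MASQUERADE" { masq = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Constructed listings for demonstration. GOOD mirrors the post: the rule
# was inserted with -I, so it precedes MASQUERADE. BAD shows what an
# appended (-A) rule would look like: MASQUERADE matches first.
GOOD_LISTING='Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.37.0/24 192.168.0.0/24
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

BAD_LISTING='Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
ACCEPT all -- 192.168.37.0/24 192.168.0.0/24'

# Wrapper around the check for the LANs used in the post: 0 if effective.
exemption_ok() {
    printf '%s\n' "$1" | check_nat_exemption 192.168.37.0/24 192.168.0.0/24
}

if exemption_ok "$GOOD_LISTING"; then echo "good listing: exemption precedes MASQUERADE"; fi
if ! exemption_ok "$BAD_LISTING"; then echo "bad listing: MASQUERADE would NAT VPN traffic first"; fi
```

On a live box, `iptables -t nat --list | check_nat_exemption LOCAL REMOTE` gives the same verdict for the real chain.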