[Openswan Users] Just 2 questions

Paul Wouters paul at xelerance.com
Mon Aug 22 19:30:05 CEST 2005


On Mon, 22 Aug 2005, Vincent Schultz wrote:

> Aug 22 14:02:23 sgw1 ipsec__plutorun: ...could not start conn
> "sgw1-sgw2"
>
> But if I ping the client in the second LAN from the first LAN, it works
> and I have only ESP traffic between the 2 secure gateways. So what does
> "could not start sgw1-sgw2" mean?

The most common reason: you have right=%any, so you cannot initiate, but
the other end initiates, and then you respond and the tunnel comes up anyway.
Using auto=add instead of auto=start should fix that.

> iptables -t filter -A OUTPUT -o eth0 -s 152.18.31.45 -d 152.18.31.74 -p
> udp --sport 500 --dport 500 -j ACCEPT
> iptables -t filter -A INPUT  -i eth0 -s 152.18.31.74 -d 152.18.31.45 -p
> udp --sport 500 --dport 500 -j ACCEPT

You are missing rules for udp 4500 (IKE with NAT-T). Remember the source
port for these is mostly not 4500 but a random high port.

> # ESP
> iptables -t filter -A INPUT  -i eth0 -s 152.18.31.74 -p esp -j ACCEPT
>
> # Allow ICMP
> iptables -A FORWARD -i vmnet1 -o eth0 -p icmp -s 10.10.45.0/24 -d
> 172.30.15.0/24 -j ACCEPT
> iptables -A FORWARD -i eth0 -o vmnet1 -p icmp -s 172.30.15.0/24 -d
> 10.10.45.0/24 -j ACCEPT
>
> Why do I not have to set ESP OUTPUT? Only INPUT? I don't understand
> that point, and the iptables logs don't show anything ...

You might have a default outgoing policy of accept?

Paul
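The rule set Paul's answer implies, as an added example (not code from the thread or from Openswan): UDP 500 and UDP 4500 with only the local port pinned, so a NATed peer's random high source port still matches, plus ESP in both the INPUT and OUTPUT chains so the rules keep working if the OUTPUT default policy is ever changed from ACCEPT. The addresses and interface are the ones quoted in the thread; `run`, `ipsec_gateway_rules`, `show_default_policies` and the `DRY_RUN` switch are this example's own names.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for IKE, IKE NAT-T and ESP
# between a local IPsec gateway and one peer. Addresses and interface are the
# ones quoted in the thread. DRY_RUN=1 (the default) prints the commands;
# run with DRY_RUN=0 as root to apply them.
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# usage: ipsec_gateway_rules LOCAL_IP PEER_IP IFACE
ipsec_gateway_rules() {
    local_ip=$1; peer_ip=$2; ifc=$3

    # IKE (ISAKMP), UDP 500. Only the local port is pinned: a peer behind NAT
    # may reach us from a rewritten source port, so --sport 500 is not matched.
    run -t filter -A INPUT  -i "$ifc" -s "$peer_ip" -d "$local_ip" -p udp --dport 500 -j ACCEPT
    run -t filter -A OUTPUT -o "$ifc" -s "$local_ip" -d "$peer_ip" -p udp --sport 500 -j ACCEPT

    # IKE NAT-Traversal, UDP 4500 (the rules missing from the quoted set).
    # Same idea: pin the local port, leave the remote port open, because a
    # NATed peer's packets come from a random high port rather than 4500.
    run -t filter -A INPUT  -i "$ifc" -s "$peer_ip" -d "$local_ip" -p udp --dport 4500 -j ACCEPT
    run -t filter -A OUTPUT -o "$ifc" -s "$local_ip" -d "$peer_ip" -p udp --sport 4500 -j ACCEPT

    # ESP in both directions. A missing OUTPUT rule goes unnoticed only while
    # the OUTPUT chain's default policy is ACCEPT; add it explicitly.
    run -t filter -A INPUT  -i "$ifc" -s "$peer_ip" -d "$local_ip" -p esp -j ACCEPT
    run -t filter -A OUTPUT -o "$ifc" -s "$local_ip" -d "$peer_ip" -p esp -j ACCEPT
}

# List both chains (the first line of each listing is "-P <chain> <policy>")
# so an implicit ACCEPT policy does not hide a missing rule while testing.
show_default_policies() {
    run -t filter -S INPUT
    run -t filter -S OUTPUT
}

ipsec_gateway_rules 152.18.31.45 152.18.31.74 eth0
```

When the peer is behind NAT, ESP itself travels inside the UDP 4500 packets, so the 4500 rules carry the data traffic as well as IKE.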

