[Openswan Users] Just 2 questions
Vincent Schultz
vincent.schultz at wanadoo.fr
Mon Aug 22 23:22:57 CEST 2005
Hello,
On Monday 22 August 2005 at 18:30 +0200, Paul Wouters wrote:
> On Mon, 22 Aug 2005, Vincent Schultz wrote:
>
> > Aug 22 14:02:23 sgw1 ipsec__plutorun: ...could not start conn
> > "sgw1-sgw2"
> >
> > But if I ping the client in the second LAN from the first LAN, it works
> > and I have only ESP traffic between the 2 secure gateways. So what does
> > "could not start sgw1-sgw2" mean?
>
> The most common reason: you have right=%any, so you cannot initiate, but
> the other end initiates, and then you respond and the tunnel comes up anyway.
> Using auto=add instead of auto=start should fix that.
Ok, thanks.
> > iptables -t filter -A OUTPUT -o eth0 -s 152.18.31.45 -d 152.18.31.74 -p udp --sport 500 --dport 500 -j ACCEPT
> > iptables -t filter -A INPUT -i eth0 -s 152.18.31.74 -d 152.18.31.45 -p udp --sport 500 --dport 500 -j ACCEPT
>
> You are missing rules for udp 4500 (IKE with NAT-T). Remember the source
> port for these are mostly not 4500 but a random high port.
Actually, my network is a local test network; I do not have any NAT
device, so there is no need for NAT-T ... am I right?
> > # ESP
> > iptables -t filter -A INPUT -i eth0 -s 152.18.31.74 -p esp -j ACCEPT
> >
> > # Allow ICMP
> > iptables -A FORWARD -i vmnet1 -o eth0 -p icmp -s 10.10.45.0/24 -d 172.30.15.0/24 -j ACCEPT
> > iptables -A FORWARD -i eth0 -o vmnet1 -p icmp -s 172.30.15.0/24 -d 10.10.45.0/24 -j ACCEPT
> >
> > Why do I not have to set ESP OUTPUT? Only INPUT? I don't understand
> > that point and the iptables logs don't show anything ...
>
> You might have a default outgoing policy of accept ?
No no, that's the problem. I don't know where I made a mistake. Here is
my firewall script on the secure gateway 152.18.31.45 (the other one is
152.18.31.45):
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# For ISAKMP
iptables -t filter -A OUTPUT -o eth0 -s 152.18.31.45 -d 152.18.31.74 -p udp --sport 500 --dport 500 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 152.18.31.74 -d 152.18.31.45 -p udp --sport 500 --dport 500 -j ACCEPT
# For ESP
iptables -t filter -A INPUT -i eth0 -s 152.18.31.74 -p esp -j ACCEPT
# Allow ICMP
iptables -A FORWARD -i vmnet1 -o eth0 -p icmp -s 10.10.45.0/24 -d 172.30.15.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o vmnet1 -p icmp -s 172.30.15.0/24 -d 10.10.45.0/24 -j ACCEPT
# Logs
iptables -t filter -A FORWARD -j LOG --log-prefix="Filter Tentative FWD :"
iptables -t filter -A INPUT -j LOG --log-prefix="Filter Tentative INPUT :"
iptables -t filter -A OUTPUT -j LOG --log-prefix="Filter Tentative OUTPUT :"
... So the OUTPUT policy is DROP! I have no rule for OUTPUT ESP and the
log shows nothing.
...
Chain OUTPUT (policy DROP 8 packets, 556 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth0    152.18.31.45         152.18.31.74         udp spt:500 dpt:500
    8   556 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `Filter Tentative OUTPUT :'
Thank you for your help,
Vincent
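To audit a listing like the one above for the IKE (udp/500) and ESP accepts a gateway with DROP policies needs, here is an added Python example; it is not code from this thread or from Openswan, and the listing it parses is constructed, modelled on the posted OUTPUT chain, with the INPUT chain assumed from the posted script. It reports only what the chains allow; whether outbound ESP ever traverses the filter OUTPUT chain depends on the IPsec stack in use, so read the rules and counters rather than assume.

```python
import re
# Constructed `iptables -t filter -L -v -n` listing, modelled on the OUTPUT
# chain in the post; the INPUT chain is assumed from the posted script.
SAMPLE = """\
Chain INPUT (policy DROP 3 packets, 210 bytes)
 pkts bytes target prot opt in   out  source        destination
    4   904 ACCEPT udp  --  eth0 *    152.18.31.74  152.18.31.45  udp spt:500 dpt:500
   12  1560 ACCEPT esp  --  eth0 *    152.18.31.74  0.0.0.0/0

Chain OUTPUT (policy DROP 8 packets, 556 bytes)
 pkts bytes target prot opt in   out  source        destination
    0     0 ACCEPT udp  --  *    eth0 152.18.31.45  152.18.31.74  udp spt:500 dpt:500
    8   556 LOG    all  --  *    *    0.0.0.0/0     0.0.0.0/0     LOG flags 0 level 4 prefix `Filter Tentative OUTPUT :'
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [rule dicts, in chain order]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and current:  # the 'pkts bytes ...' header line does not match
            pkts, _, target, proto, in_if, out_if, src, dst, extra = m.groups()
            chains[current]["rules"].append({"pkts": int(pkts), "target": target, "proto": proto,
                "in": in_if, "out": out_if, "src": src, "dst": dst, "extra": extra.strip()})
    return chains

def accepts(chain, proto, extra=""):
    return any(r["target"] == "ACCEPT" and r["proto"] == proto and extra in r["extra"]
               for r in chain["rules"])

def missing_ipsec_rules(chains):
    """Accepts a DROP-policy INPUT/OUTPUT chain lacks for IKE (udp/500) and ESP."""
    missing = []
    for name in ("INPUT", "OUTPUT"):
        chain = chains.get(name)
        if chain is None or chain["policy"] != "DROP":
            continue  # with an ACCEPT policy the traffic passes regardless
        if not accepts(chain, "udp", "dpt:500"):
            missing.append(f"{name}: udp dpt:500 (IKE)")
        if not accepts(chain, "esp"):
            missing.append(f"{name}: esp")
    return missing
```

Feed it the real output of `iptables -t filter -L -v -n` on the gateway; for the constructed sample it reports that OUTPUT has an IKE accept but no ESP accept, which is exactly the gap discussed in the thread.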