[Openswan Users] ping works connect to ports doesn't

Boróczki Lajos boroczki at math.bme.hu
Fri Aug 26 07:55:40 CEST 2005


Paul Wouters írta:
> On Thu, 25 Aug 2005, Boróczki Lajos wrote:
> 
>> I'm trying to set up an ipsec connection between openswan 2.2 and a 
>> d-link di-824vup+ wireless vpn router. I got this far: automatic 
>> keying works ok, I can ping from one of the subnets the other subnets' 
>> computers. The biggest packet I could send was 4000 bytes; bigger 
>> packets didn't get through. But the strange thing is: I can 
>> open the admin port of the vpn router from my linux gateway (using 
>> netcat: nc -s 192.168.xxx.xxx 192.168.yyy.xxx 8080). But I cannot open 
>> that port using a client computer on the linux gw's subnet.
> 
> 
> Run ipsec verify. Did you enable ip_forwarding? Are you MASQ/NATing packets
> from the LAN by accident?
> 
> Paul


Thanks for the answer. I have enabled ip_forwarding (it is a gateway 
through the Internet).
For NAT I use the following rules:
iptables -t nat -A POSTROUTING -d ! $localnet -j MASQUERADE
iptables -A FORWARD -s $localnet -d $localnet -j ACCEPT
(Where localnet is set to include both subnets' IP addresses.)

ipsec verify's output:

~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.2.0/K2.6.8-2-386 (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
    Looking for TXT in forward dns zone: renimpexproxy                  [MISSING]
renimpexproxy does not exist, try again
    Does the machine have at least one non-private address?             [OK]
    Looking for TXT in reverse dns zone: xxx.xxx.xxx.xxx.in-addr.arpa.  [MISSING]
xxx.xxx.xxx.xxx.in-addr.arpa TXT record currently not present

I think that's ok too (I use PSK authentication).

Thanks,
Lajos
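A way to check Paul's question about accidental masquerading against a concrete rule set, as an added example that is not part of the original thread: the script below models netfilter's first-match evaluation of the nat/POSTROUTING chain with Python's standard ipaddress module and asks whether a LAN client's packet to the remote subnet keeps its source address, which is what a subnet-to-subnet IPsec policy needs to see. If such a packet is MASQUERADEd, its source becomes the gateway's address and it no longer matches the policy, which is the failure mode the question above is pointing at. The subnets 192.168.10.0/24 and 192.168.20.0/24 and the public address 198.51.100.7 are constructed stand-ins for the masked addresses in the message; the supernet 192.168.0.0/16 is an assumption about what $localnet might be set to.

```python
"""Model of iptables nat/POSTROUTING first-match evaluation (constructed
example, not from the thread) to check whether LAN-to-remote-subnet packets
would be MASQUERADEd before the IPsec subnet-to-subnet policy can match them."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses standing in for the masked 192.168.xxx / 192.168.yyy
# subnets in the original message (assumptions, not values from the thread).
LOCAL_LAN = "192.168.10.0/24"    # assumed subnet behind the Openswan gateway
REMOTE_LAN = "192.168.20.0/24"   # assumed subnet behind the D-Link router
CLIENT_IP = "192.168.10.50"      # a LAN client behind the Openswan gateway
REMOTE_HOST = "192.168.20.1"     # a host on the far side of the tunnel
INTERNET_HOST = "198.51.100.7"   # documentation-range address, plain Internet traffic


@dataclass(frozen=True)
class Rule:
    """One POSTROUTING rule: optional -s / -d CIDR matches, an optional '!'
    negation on the destination (as in the poster's '-d ! $localnet'), and a target."""
    target: str                     # "MASQUERADE" or "ACCEPT"
    src: Optional[str] = None       # -s CIDR, None means any source
    dst: Optional[str] = None       # -d CIDR, None means any destination
    negate_dst: bool = False        # True models '-d ! CIDR'

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s = ipaddress.ip_address(src_ip)
        d = ipaddress.ip_address(dst_ip)
        if self.src is not None and s not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None:
            in_dst = d in ipaddress.ip_network(self.dst)
            # A plain -d wants in_dst True; a negated -d wants in_dst False.
            if in_dst == self.negate_dst:
                return False
        return True


def postrouting_verdict(rules: List[Rule], src_ip: str, dst_ip: str,
                        policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in a netfilter chain; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.target
    return policy


def is_masqueraded(rules: List[Rule], src_ip: str, dst_ip: str) -> bool:
    return postrouting_verdict(rules, src_ip, dst_ip) == "MASQUERADE"


def tunnel_traffic_escapes_nat(rules: List[Rule]) -> bool:
    """True if a LAN client talking to the remote LAN keeps its own source
    address, i.e. the packet can still match leftsubnet/rightsubnet."""
    return not is_masqueraded(rules, CLIENT_IP, REMOTE_HOST)


# Rule set 1: the poster's form, assuming $localnet is a supernet covering both LANs.
SUPERNET_RULES = [Rule("MASQUERADE", dst="192.168.0.0/16", negate_dst=True)]

# Rule set 2: the explicit form, an ACCEPT for tunnel traffic placed before
# the MASQUERADE so the remote subnet never reaches it.
EXPLICIT_EXCLUDE_RULES = [
    Rule("ACCEPT", src=LOCAL_LAN, dst=REMOTE_LAN),
    Rule("MASQUERADE", dst=LOCAL_LAN, negate_dst=True),
]

# Rule set 3: the accidental case, $localnet covering only the local /24,
# so traffic for the remote LAN is masqueraded like any other destination.
BROKEN_RULES = [Rule("MASQUERADE", dst=LOCAL_LAN, negate_dst=True)]


if __name__ == "__main__":
    for name, rules in [("supernet", SUPERNET_RULES),
                        ("explicit exclude", EXPLICIT_EXCLUDE_RULES),
                        ("local /24 only", BROKEN_RULES)]:
        print(f"{name:17s}: tunnel traffic escapes NAT = "
              f"{tunnel_traffic_escapes_nat(rules)}, Internet traffic masqueraded = "
              f"{is_masqueraded(rules, CLIENT_IP, INTERNET_HOST)}")
```

On a real gateway the same question is answered by reading the chain with iptables -t nat -L POSTROUTING -n -v and confirming that the remote subnet is excluded (either by a negated -d that covers it or by an ACCEPT rule listed before the MASQUERADE); the counters on those rules show which one the tunnel traffic is actually hitting.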
