[Openswan Users] Iptables blocks re-incoming ESP packets, but the connection is established from client to server

foren titze foren.titze at gmx.net
Tue Aug 30 10:09:10 CEST 2005


hello users,

I have set up a Linux-to-Linux IPsec tunnel. The connection is established. But 
if I try to ping or make an ssh into the subnet behind the gateway, I get an 
error message on the client side.
---
REJECT UDP IN=eth1 OUT= MAC= SRC=134.xxx.xxx.30 DST=134.147.130.127 LEN=242 
TOS=0x00 PREC=0x00 TTL=64 ID=2825 DF PROTO=UDP SPT=138 DPT=138 LEN=222 
REJECT UDP IN=eth1 OUT= MAC= SRC=134.xxx.xxx.30 DST=134.147.130.127 LEN=235 
TOS=0x00 PREC=0x00 TTL=64 ID=2826 DF PROTO=UDP SPT=138 DPT=138 LEN=215 
REJECT UDP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:5c:8c:ce:08:00 
SRC=134.147.130.31 DST=134.147.130.127 LEN=229 TOS=0x00 PREC=0x00 TTL=128 
ID=31599 PROTO=UDP SPT=138 DPT=138 LEN=209 
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
ID=59249 PROTO=ESP SPI=0xcb7157b 
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
ID=59250 PROTO=ESP SPI=0xcb7157b 
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
ID=59251 PROTO=ESP SPI=0xcb7157b 
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
ID=59252 PROTO=ESP SPI=0xcb7157b 
---

I haven't allowed incoming ESP on the client side, but there isn't the IPsec 
service there as on the gateway side.

What do I have to do on the client firewall? Do I have to open ESP and port 
500 for the gateway IP?

thx ben
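As an added illustration (not part of the original post or of Openswan), the following script reads netfilter REJECT log lines of the kind quoted above and prints the INPUT rules that would have accepted the IPsec traffic from the peer gateway: ESP itself, plus IKE on UDP 500 (and UDP 4500 when NAT traversal is in play). It prints rules rather than applying them, so the operator can review them first. The log sample is constructed, with the real addresses replaced by RFC 5737 documentation addresses; the peer gateway 203.0.113.21 and interface eth1 are assumptions.

```shell
#!/bin/sh
# Constructed sample of netfilter REJECT lines, modelled on the ones in the
# post. 203.0.113.21 plays the IPsec gateway, 198.51.100.30 the client.
# The first line is a NetBIOS broadcast from another host and must be ignored.
LOGSAMPLE='REJECT UDP IN=eth1 OUT= MAC= SRC=198.51.100.31 DST=198.51.100.127 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=31599 PROTO=UDP SPT=138 DPT=138 LEN=209
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=203.0.113.21 DST=198.51.100.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 ID=59249 PROTO=ESP SPI=0xcb7157b
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=203.0.113.21 DST=198.51.100.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 ID=59250 PROTO=ESP SPI=0xcb7157b
REJECT UDP IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=203.0.113.21 DST=198.51.100.30 LEN=128 TOS=0x00 PREC=0x00 TTL=51 ID=59253 PROTO=UDP SPT=500 DPT=500 LEN=108'

# ipsec_rules_from_log GATEWAY_IP INTERFACE  < logfile
# Reads REJECT lines on stdin and prints one iptables ACCEPT rule per distinct
# rejected IPsec packet type (ESP, IKE UDP/500, NAT-T UDP/4500) that came from
# GATEWAY_IP on INTERFACE. Everything else is left alone, so unrelated
# rejects (such as the NetBIOS broadcast) never turn into an ACCEPT rule.
ipsec_rules_from_log() {
  awk -v gw="$1" -v ifc="$2" '
    /^REJECT/ {
      src = ""; proto = ""; dpt = ""; iface = ""
      for (i = 1; i <= NF; i++) {            # parse the KEY=value fields
        split($i, kv, "=")
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt   = kv[2]
        if (kv[1] == "IN")    iface = kv[2]
      }
      if (src != gw || iface != ifc) next   # only packets from the IPsec peer
      if (proto == "ESP")
        rule = "iptables -A INPUT -i " ifc " -s " gw " -p esp -j ACCEPT"
      else if (proto == "UDP" && (dpt == "500" || dpt == "4500"))
        rule = "iptables -A INPUT -i " ifc " -s " gw " -p udp --dport " dpt " -j ACCEPT"
      else
        next
      if (!(rule in seen)) { seen[rule] = 1; print rule }   # de-duplicate
    }'
}

# Stand-alone run: print the rules the sample log calls for.
printf '%s\n' "$LOGSAMPLE" | ipsec_rules_from_log 203.0.113.21 eth1
```

These rules only admit the outer ESP and IKE packets; once the kernel has decrypted them, the inner packets from the remote subnet pass through the INPUT/FORWARD chains again (or arrive on an ipsecX interface with KLIPS), so the client firewall also needs rules for that traffic.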

