[Openswan Users]

Sandor Geller wildy at balabit.hu
Tue Aug 30 11:25:59 CEST 2005


foren titze wrote:
> hello users,
> 
> I have set up a Linux-to-Linux IPsec tunnel. The connection is established. But 
> if I try to ping or make an ssh into the subnet behind the gateway, I get an 
> error message on the client side.

Is IP forwarding enabled on the gateway?

> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
> SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
> ID=59249 PROTO=ESP SPI=0xcb7157b 
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
> SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
> ID=59250 PROTO=ESP SPI=0xcb7157b 
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
> SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
> ID=59251 PROTO=ESP SPI=0xcb7157b 
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 
> SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 
> ID=59252 PROTO=ESP SPI=0xcb7157b 

Your firewall config rejects ESP packets. Your tunnel(s) won't work when
you reject the incoming packets.

> What do I have to do on the client firewall? Do I have to open ESP and port 
> 500 for the gateway IP?

You have to allow the ESP protocol and UDP port 500 in your firewall
config on BOTH sides. If you use AH then you have to allow the AH
protocol too, and UDP port 4500 when you use NAT-T.

-- 
Sandor Geller
wildy at balabit.hu
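
As an added example (not part of this thread, and not Openswan's own
tooling): a small Python script that parses netfilter LOG lines of the kind
quoted above, picks out the rejected traffic that belongs to IPsec (ESP, AH,
IKE on UDP 500, NAT-T on UDP 4500) and prints the iptables commands that
would admit it on the local host, plus a check of the ip_forward sysctl.
The sample log lines are constructed in the style of the quoted ones, using
documentation addresses rather than the original hosts; the "REJECT OTHER"
log prefix, the INPUT/OUTPUT chain layout and the use of -I to place the
rules ahead of the rejecting rule are assumptions about the reader's ruleset.

```python
"""Find rejected IPsec traffic in netfilter LOG output and suggest iptables
rules that would admit it.  Added example, not code from the thread."""
from collections import OrderedDict

IKE_PORT = 500      # IKE (ISAKMP)
NAT_T_PORT = 4500   # UDP-encapsulated ESP when NAT traversal is in use

# Constructed sample, modelled on the lines quoted in the thread (addresses
# are RFC 5737 documentation ranges, MAC shortened).  The ICMP line is there
# to show that non-IPsec rejects are ignored.
SAMPLE_LOG = """\
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=198.51.100.21 DST=203.0.113.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 ID=59249 PROTO=ESP SPI=0xcb7157b
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=198.51.100.21 DST=203.0.113.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 ID=59250 PROTO=ESP SPI=0xcb7157b
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=198.51.100.21 DST=203.0.113.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=59251 PROTO=UDP SPT=500 DPT=500 LEN=100
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=198.51.100.21 DST=203.0.113.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 ID=59252 PROTO=UDP SPT=4500 DPT=4500 LEN=132
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=198.51.100.21 DST=203.0.113.30 LEN=140 TOS=0x00 PREC=0x00 TTL=51 ID=59253 PROTO=AH SPI=0x1a2b3c4d
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=198.51.100.21 DST=203.0.113.30 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=59254 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_log_line(line):
    """Split one LOG line into (prefix, fields).  Words before the first
    KEY=VALUE token form the prefix (log-prefix and any syslog header);
    empty values such as 'OUT=' are kept as '' so they stay distinguishable
    from absent keys."""
    prefix_words, fields = [], {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif not fields:
            prefix_words.append(token)
    return " ".join(prefix_words), fields


def classify_ipsec(fields):
    """Return 'esp', 'ah', 'ike', 'nat-t', or None for non-IPsec traffic."""
    proto = fields.get("PROTO", "").upper()
    if proto == "ESP":
        return "esp"
    if proto == "AH":
        return "ah"
    if proto == "UDP":
        dpt = int(fields.get("DPT", 0))
        if dpt == IKE_PORT:
            return "ike"
        if dpt == NAT_T_PORT:
            return "nat-t"
    return None


# iptables match for each kind of IPsec traffic.
RULE_MATCH = {
    "esp": "-p esp",
    "ah": "-p ah",
    "ike": "-p udp --dport 500",
    "nat-t": "-p udp --dport 4500",
}


def suggest_rules(log_text):
    """Scan LOG output and return deduplicated iptables commands (first-seen
    order) admitting the rejected IPsec traffic in both directions for the
    peer involved.  -I is used so the rules land ahead of the REJECT rule;
    the remote gateway needs the mirror image of these rules."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, fields = parse_log_line(line)
        kind = classify_ipsec(fields)
        if kind is None:
            continue
        inbound = bool(fields.get("IN"))           # IN= set: INPUT chain log
        iface = fields.get("IN") or fields.get("OUT")
        peer = fields["SRC"] if inbound else fields["DST"]
        in_if = f" -i {iface}" if iface else ""
        out_if = f" -o {iface}" if iface else ""
        match = RULE_MATCH[kind]
        rules[f"iptables -I INPUT{in_if} -s {peer} {match} -j ACCEPT"] = None
        rules[f"iptables -I OUTPUT{out_if} -d {peer} {match} -j ACCEPT"] = None
    return list(rules)


def ip_forward_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """True/False from the sysctl file, None if it cannot be read (e.g. not
    on Linux).  A gateway that should route for the subnet behind it needs 1."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
    print("ip_forward:", ip_forward_enabled())
```

Feed it the real log with something like `grep 'REJECT OTHER' /var/log/messages`
instead of SAMPLE_LOG. The suggested rules are deliberately narrow (one peer,
one interface); review them against your own chain order before applying,
since -I puts them at the top of the chain.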

