[Openswan Users]

foren titze foren.titze at gmx.net
Tue Aug 30 11:28:39 CEST 2005


OK.
IP forwarding is enabled. I can ping if the firewall on the client side is down.

Then I will try to open the ports you gave me.

On Tuesday, 30 August 2005 10:25, Sandor Geller wrote:
> foren titze wrote:
> > hello users,
> >
> > I have set up a Linux-to-Linux IPsec tunnel. The connection is established.
> > But if I try to ping or ssh into the subnet behind the gateway, I
> > get an error message on the client side.
>
> Is IP forwarding enabled on the gateway?
>
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51
> > ID=59249 PROTO=ESP SPI=0xcb7157b
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51
> > ID=59250 PROTO=ESP SPI=0xcb7157b
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51
> > ID=59251 PROTO=ESP SPI=0xcb7157b
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.xxx.xxx.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51
> > ID=59252 PROTO=ESP SPI=0xcb7157b
>
> Your firewall config rejects ESP packets. Your tunnel(s) won't work when
> you reject the incoming packets.
>
> > What do I have to do on the client firewall? Do I have to open ESP and
> > port 500 for the gateway IP?
>
> You have to allow ESP protocol and UDP port 500 packets in your firewall
> config on BOTH sides. If you use AH then you have to enable the AH
> protocol too, and UDP 4500 when you use NAT-T.


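The rules Sandor describes (ESP and UDP 500 on both sides, AH only if the connection uses it, UDP 4500 only with NAT-T), written out as an added example that is not code from the original thread or from Openswan. It prints iptables commands for one peer on one interface rather than applying them, so it can be reviewed first and run as root afterwards; it also classifies a netfilter REJECT line like the ones quoted above so you can see which IPsec protocol the firewall blocked. The interface name, the peer address 198.51.100.21 and the sample log line are placeholders constructed for the example, since the poster's addresses are masked.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post or from
# Openswan): print the iptables rules a gateway firewall needs so that the
# IPsec traffic is accepted instead of logged as REJECT.
# Assumptions: iptables is the firewall; the interface name and peer address
# are placeholders supplied by the caller (the thread's addresses are masked).

# ipsec_allow_rules IFACE PEER [AH=yes|no] [NATT=yes|no]
# Prints, but does not apply, the rules for one peer on one interface.
# Review the output, then run it as root (e.g. ipsec_allow_rules eth1 PEER | sh).
ipsec_allow_rules() {
    iface="$1"            # external interface, e.g. eth1 (IN=eth1 in the log)
    peer="$2"             # remote gateway address
    with_ah="${3:-no}"    # yes if the connection uses AH in addition to ESP
    with_natt="${4:-no}"  # yes if NAT traversal (UDP 4500) is in use
    # IKE/ISAKMP on UDP 500: either side may initiate or rekey, so allow both directions
    echo "iptables -A INPUT  -i $iface -p udp -s $peer --dport 500 -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -p udp -d $peer --dport 500 -j ACCEPT"
    # ESP (IP protocol 50) carries the tunnelled packets; this is the PROTO=ESP traffic in the log
    echo "iptables -A INPUT  -i $iface -p esp -s $peer -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -p esp -d $peer -j ACCEPT"
    if [ "$with_ah" = yes ]; then
        # AH (IP protocol 51) is only needed when the connection is configured with AH
        echo "iptables -A INPUT  -i $iface -p ah -s $peer -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -p ah -d $peer -j ACCEPT"
    fi
    if [ "$with_natt" = yes ]; then
        # With NAT-T, IKE and UDP-encapsulated ESP move to UDP 4500; the peer's
        # source port may be rewritten by the NAT, so only the destination port is matched
        echo "iptables -A INPUT  -i $iface -p udp -s $peer --dport 4500 -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -p udp -d $peer --dport 4500 -j ACCEPT"
    fi
}

# ipsec_reject_reason LOGLINE
# Classifies a netfilter REJECT/DROP log line: prints ESP, AH, IKE or NAT-T and
# returns 0 when the rejected packet belongs to an IPsec tunnel, returns 1 otherwise.
ipsec_reject_reason() {
    case "$1" in
        *PROTO=ESP*)                                 echo ESP ;;
        *PROTO=AH*)                                  echo AH ;;
        *PROTO=UDP*"DPT=500 "*|*PROTO=UDP*DPT=500)   echo IKE ;;
        *PROTO=UDP*"DPT=4500 "*|*PROTO=UDP*DPT=4500) echo NAT-T ;;
        *)                                           return 1 ;;
    esac
}

# Constructed sample in the same format as the firewall log quoted in the thread;
# 198.51.100.21 and 192.0.2.30 are documentation placeholders, not the poster's hosts.
SAMPLE_REJECT_LINE='REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=198.51.100.21 DST=192.0.2.30 LEN=152 TOS=0x00 PREC=0x00 TTL=51 ID=59249 PROTO=ESP SPI=0xcb7157b'

# Usage: classify the sample line, then print the rules that would have accepted it
ipsec_reject_reason "$SAMPLE_REJECT_LINE"   # prints ESP
ipsec_allow_rules eth1 198.51.100.21
```

Restricting the rules to the peer address keeps the firewall from accepting IKE or ESP from arbitrary hosts. Note that these rules only let the encrypted packets reach the IPsec stack; once decrypted, the subnet-to-subnet packets are forwarded like any other traffic, so the FORWARD chain on the gateway must also permit them, and IP forwarding has to be enabled as asked earlier in the thread.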