[Openswan Users] net-to-net cannot ping
rp
rewt at enternet.hu
Wed Aug 31 04:51:25 CEST 2005
Dear list,
I have a pretty straightforward setup on Debian sarge, kernel 2.6.12, Openswan
version 2.2.0-8.
192.168.249.0/24===1.2.3.4[@gw]---208.57.234.1...208.57.234.1---5.6.7.8[@gw2]===192.168.248.0/24
conn net-to-net
        left=1.2.3.4
        leftsubnet=192.168.249.0/24
        leftid=@gw
        leftrsasigkey=0sAQOOC3WHMwGDaNt6HzIL7Bk+VDY7KxcgyU/0/0sJyEsWPpoatGQ4a8msKKy
        leftnexthop=%defaultroute
        right=5.6.8.7
        rightsubnet=192.168.248.0/24
        rightid=@gw2
        rightrsasigkey=0sAQNyrnIlNBK1xAb66Bzwxymn+9kUmSkIQ+QWhVVcXBTJEdB5rqKLMZ+JmP
        rightnexthop=%defaultroute
        auto=start
The logs say:
Aug 30 18:11:40 gw ipsec__plutorun: Starting Pluto subsystem...
Aug 30 18:11:40 gw pluto[2771]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Aug 30 18:11:40 gw pluto[2771]: including NAT-Traversal patch (Version 0.6c) [disabled]
Aug 30 18:11:40 gw pluto[2771]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 30 18:11:40 gw pluto[2771]: Using Linux 2.6 IPsec interface code
Aug 30 18:11:40 gw pluto[2771]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 30 18:11:40 gw pluto[2771]: Could not change to directory '/etc/ipsec.d/aacerts'
Aug 30 18:11:40 gw pluto[2771]: Changing to directory '/etc/ipsec.d/ocspcerts'
Aug 30 18:11:40 gw pluto[2771]: Changing to directory '/etc/ipsec.d/crls'
Aug 30 18:11:40 gw pluto[2771]: Warning: empty directory
Aug 30 18:11:40 gw pluto[2771]: added connection description "net-to-net"
Aug 30 18:11:40 gw pluto[2771]: listening for IKE messages
Aug 30 18:11:40 gw pluto[2771]: adding interface eth1/eth1 1.2.3.4
Aug 30 18:11:40 gw pluto[2771]: adding interface lo/lo 127.0.0.1
Aug 30 18:11:40 gw pluto[2771]: adding interface eth0/eth0 192.168.249.254
Aug 30 18:11:40 gw pluto[2771]: loading secrets from "/etc/ipsec.secrets"
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: initiating Main Mode
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: I did not send a certificate because I do not have one.
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: Peer ID is ID_FQDN: '@gw2'
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: ISAKMP SA established
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #2: sent QI2, IPsec SA established {ESP=>0x984ffa19 <0x0e088b65}
So it seems everything is fine. On 1.2.3.4 I have an iptables firewall, but
hopefully all needed connections are accepted:
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A FORWARD -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
iptables -A FORWARD -p 51 -j ACCEPT
iptables -A FORWARD -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.248.0/24 -d 192.168.249.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.248.0/24 -d 192.168.249.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.248.0/24 -d 192.168.249.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.248.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.249.0/24 -j ACCEPT
Yes, it does NAT, but I excluded all the tunneled addresses:
iptables -t nat -A POSTROUTING -s 192.168.249.$a ! -d 192.168.248.0/24 -o eth1 -j SNAT --to-source $EXTERNAL_IP
However, I just cannot ping any of the gateways. Nothing can be pinged, neither
the gateways nor the hosts behind them.
Does anyone have a clue what can be wrong?
TIA,
regards,
Peter
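A consistency check for the conn block and firewall rules quoted in the post above, added here as an example and not part of the original message or of Openswan: it parses the conn settings and iptables rules, confirms that FORWARD accepts both tunnel directions and that the SNAT rule excludes rightsubnet, and reports whether a given ping source address falls inside leftsubnet (a ping run on the gateway itself, sourced from its left= address, never enters the tunnel). The post's per-host `$a` and `$EXTERNAL_IP` are assumed to be the whole /24 and the left= address.

```python
import ipaddress
import shlex

# Conn and rules as quoted in the post (keys/ids dropped); the post's per-host
# "$a" and $EXTERNAL_IP are replaced here by the whole /24 and the left= address.
CONN = """conn net-to-net
        left=1.2.3.4
        leftsubnet=192.168.249.0/24
        rightsubnet=192.168.248.0/24
"""
RULES = """iptables -A FORWARD -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.248.0/24 -d 192.168.249.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.249.0/24 ! -d 192.168.248.0/24 -o eth1 -j SNAT --to-source 1.2.3.4
"""
OPTS = {"-t": "table", "-A": "chain", "-s": "s", "-d": "d", "-j": "j"}

def parse_conn(text):
    """Return the conn block's key=value settings as a dict."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def parse_rules(text):
    """Reduce each iptables command to the fields the checks below need."""
    rules = []
    for line in text.strip().splitlines():
        toks, r = shlex.split(line), {"table": "filter", "not_d": None}
        for i, t in enumerate(toks):
            if t in OPTS:
                neg = i > 0 and toks[i - 1] == "!"  # '! -d X' is a negated match
                r["not_d" if t == "-d" and neg else OPTS[t]] = toks[i + 1]
        rules.append(r)
    return rules

def forward_ok(conn, rules):
    """Both tunnel directions must be ACCEPTed in the filter FORWARD chain."""
    ls, rs = conn["leftsubnet"], conn["rightsubnet"]
    return {(ls, rs), (rs, ls)} <= {(r.get("s"), r.get("d")) for r in rules
        if r["table"] == "filter" and r.get("chain") == "FORWARD" and r.get("j") == "ACCEPT"}

def nat_excludes_peer(conn, rules):
    """SNAT/MASQUERADE rules matching leftsubnet sources must carry a '! -d' that
    covers rightsubnet, or packets are rewritten before the IPsec policy sees them."""
    left, right = (ipaddress.ip_network(conn[k]) for k in ("leftsubnet", "rightsubnet"))
    return not any(
        ipaddress.ip_network(r.get("s", "0.0.0.0/0"), strict=False).overlaps(left)
        and (r["not_d"] is None or not right.subnet_of(ipaddress.ip_network(r["not_d"])))
        for r in rules if r["table"] == "nat" and r.get("j") in ("SNAT", "MASQUERADE"))

def ping_source_tunnelled(conn, src):
    """True only if src lies in leftsubnet; the gateway's own left= address does not."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(conn["leftsubnet"])
```

With the post's rules both checks pass, while a ping sourced from 1.2.3.4 is reported as outside the tunnel and one sourced from the inside address 192.168.249.254 as inside it.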