[Openswan Users] IPSec and iptables not work

Cristian Bullokles cristian.bullokles at scio-sa.com
Wed Feb 9 14:47:49 CET 2005


Hi people,

I'm using Openswan IPsec on Linux servers that act as firewall/gateway for
small local networks.

My network is:

    LAN (192.168.1.0) ----> VPNGW1/FIREWALL (internal: 192.168.1.1, external: myPublicIP) ----> INTERNET ----> VPNGW2 (extPublicIP) ----> HOST(publicDest)

And my configuration is this:

conn vnpwg1-vpngw2
        auth=esp
        authby=secret
        auto=add
        esp=3des-sha1,3des-sha1
        ike=3des-sha1,3des-sha1
        keyexchange=ike
        keyingtries=5
        left=myPublicIP
        leftsubnet=192.168.1.0/24
        pfs=yes
        right=extPublicIP
        rightsubnet=publicDest/32

With this configuration, from any machine on my LAN I can't ping
publicDest. My firewall is set to allow all traffic and NAT traffic
from my LAN like this:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT   -j LOG --log-level DEBUG --log-prefix "INPUT:"
iptables -A OUTPUT  -j LOG --log-level DEBUG --log-prefix "OUTPUT:"
iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD:"

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source myPublicIP

But pinging publicDest from my private LAN does not work. Any idea?


Best regards.

Cristian
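Added example (not from the original post or from Openswan): the same rule set reordered so that traffic for the tunnel is exempted from SNAT before the SNAT rule and explicitly accepted in FORWARD. It assumes the NETKEY stack, where nat/POSTROUTING runs before the IPsec policy lookup (so a source rewritten to myPublicIP no longer matches leftsubnet and leaves eth0 in the clear), assumes eth0 is the public interface, and keeps the post's placeholders myPublicIP and publicDest.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan. Assumes the
# NETKEY (26sec) stack, where nat/POSTROUTING runs before the IPsec policy
# lookup: once SNAT rewrites the source to myPublicIP the packet no longer
# matches leftsubnet=192.168.1.0/24 and leaves eth0 unencrypted. Tunnel
# traffic is therefore exempted from SNAT ahead of the SNAT rule, and the
# FORWARD chain (policy DROP, LOG accepts nothing) gets explicit ACCEPTs.
IPT=${IPT:-iptables}
LAN=192.168.1.0/24
REMOTE=publicDest/32      # placeholder kept from the original post
PUBLIC=myPublicIP         # placeholder kept from the original post
WAN=eth0

# Dry-run stand-in for iptables: prints the command instead of running it.
dry() { printf 'iptables %s\n' "$*"; }

build_rules() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD DROP
    # ACCEPT both directions of the tunnel before the catch-all LOG rule.
    "$IPT" -A FORWARD -s "$LAN" -d "$REMOTE" -j ACCEPT
    "$IPT" -A FORWARD -s "$REMOTE" -d "$LAN" -j ACCEPT
    "$IPT" -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD:"
    # First matching target wins, so the exemption must precede the SNAT.
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN" -d "$REMOTE" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$PUBLIC"
}

# Returns 0 only when the first nat/POSTROUTING rule is the ACCEPT exemption.
check_order() {
    first=$( (IPT=dry; build_rules) | grep POSTROUTING | head -n 1 )
    case $first in
        *"-d $REMOTE -j ACCEPT") return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    build_rules                 # install for real (needs root)
else
    (IPT=dry; build_rules)      # default: print the rule set
fi
```

Run without arguments to print the generated rules; pass --apply (as root) to install them.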
