[Openswan Users] Fwd: Lost packets after DNAT
George Adams
georgebadams at yahoo.com.au
Mon Feb 28 11:43:29 CET 2005
Hello,
I sent this message originally as a non-member and it
seems to be stuck with the moderators. I've now
subscribed.
In addition to what I described below, the appropriate
rules exist in the FORWARD chain and the VPN server
has the appropriate routes to access the server. The
VPN server can successfully ping the internal server
in the new subnet.
I'd appreciate any suggestions and/or help.
George.
--- George Adams <georgebadams at yahoo.com.au> wrote:
> Date: Fri, 25 Feb 2005 18:57:23 +1100 (EST)
> From: George Adams <georgebadams at yahoo.com.au>
> Subject: Lost packets after DNAT
> To: users at openswan.org
>
> Hi,
>
> we have moved a server (192.168.2.137) from the local
> subnet where our VPN server is to another subnet 1 hop
> away (192.168.208.0). Given the following connection
> description from "FreeS/WAN IPSec version:
> super-freeswan-1.99.7" how can I get DNAT to work so
> that the client end is not changed (I don't have
> access)?
>
> keyingtries=0
> auto=start
> type=tunnel
> authby=secret
> pfs=no
> leftid=xx.xx.xx.xx
> left=xx.xx.xx.xx
> leftsubnet=192.168.2.0/24
> right=yy.yy.yy.yy
> rightsubnet=10.0.62.0/24
> ike=3des-md5-modp1024
> ikelifetime=8h
> keylife=24h
>
> The DNAT appears to work, partly:
>
> Chain PREROUTING (policy ACCEPT 14M packets, 4021M bytes)
>  pkts bytes target  prot opt in      out  source        destination
>   185  7400 DNAT    all  --  ipsec0  *    10.0.62.0/24  192.168.2.137  to:192.168.208.137
>
> but I don't see anything at the internal interface or
> server end. Also I am getting martians logged on the
> ipsec interface. Eg:
>
> kernel: martian source 192.168.208.137 from 10.0.62.6, on dev ipsec0
>
> What is going on? Am I going about this the wrong
> way?
>
> George.
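A reading aid for the two pieces of evidence in the post, added here as an illustration and not code from the original thread or from FreeS/WAN. The Linux kernel prints its martian warning (net/ipv4/route.c) as "martian source DADDR from SADDR, on dev DEV": despite the wording, the first address is the packet's destination and the second its source. Applied to the log line above, the rejected packet is 10.0.62.6 -> 192.168.208.137 on ipsec0, i.e. the packet after the PREROUTING DNAT has rewritten 192.168.2.137 to 192.168.208.137, which matches the DNAT counter incrementing while nothing reaches the inside interface. The script parses a constructed `iptables -t nat -L PREROUTING -v -n` listing and constructed kernel log lines modelled on the post, and classifies each martian as the pre- or post-DNAT form of a rule's traffic. The sample text, the helper names and the classification labels are my own.

```python
import ipaddress
import re

# Constructed sample input modelled on the listing in the post (not the original output).
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 14M packets, 4021M bytes)
 pkts bytes target     prot opt in     out     source               destination
  185  7400 DNAT       all  --  ipsec0 *       10.0.62.0/24         192.168.2.137       to:192.168.208.137
"""

# Constructed kernel log lines: the first is the one quoted in the post, the second is
# what the pre-DNAT packet would look like if it were the one being rejected.
KERNEL_LOG = """\
kernel: martian source 192.168.208.137 from 10.0.62.6, on dev ipsec0
kernel: martian source 192.168.2.137 from 10.0.62.6, on dev ipsec0
"""

# Columns of `iptables -t nat -L -v -n`: pkts bytes target prot opt in out source destination [extra]
DNAT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+DNAT\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+to:(\S+)"
)
# Kernel format: "martian source <daddr> from <saddr>, on dev <dev>" (daddr first!).
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")


def parse_dnat_rules(listing):
    """Return the DNAT rules of a nat-table listing as dicts of networks/addresses."""
    rules = []
    for line in listing.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue
        proto, indev, outdev, src, dst, to = m.groups()
        rules.append({
            "proto": proto,
            "in": indev,
            "out": outdev,
            "src": ipaddress.ip_network(src),   # "10.0.62.0/24"
            "dst": ipaddress.ip_network(dst),   # bare host -> /32
            "to": ipaddress.ip_address(to),     # rewritten destination
        })
    return rules


def parse_martians(log):
    """Decode kernel martian warnings into (dst, src, dev), honouring the kernel's order."""
    out = []
    for line in log.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            out.append({
                "dst": ipaddress.ip_address(m.group(1)),
                "src": ipaddress.ip_address(m.group(2)),
                "dev": m.group(3),
            })
    return out


def classify(martian, rules):
    """Say whether a rejected packet is the pre- or post-DNAT form of some rule's traffic."""
    for r in rules:
        if r["in"] != "*" and martian["dev"] != r["in"]:
            continue
        if martian["src"] not in r["src"]:
            continue
        if martian["dst"] == r["to"]:
            return "post-DNAT"   # the rewritten packet itself was refused by routing
        if martian["dst"] in r["dst"]:
            return "pre-DNAT"    # the packet was refused before the rule could fire
    return "unrelated"


def report(listing, log):
    """One summary line per martian: dev, src -> dst, classification."""
    rules = parse_dnat_rules(listing)
    return [
        f"{m['dev']}: {m['src']} -> {m['dst']}: {classify(m, rules)}"
        for m in parse_martians(log)
    ]


if __name__ == "__main__":
    for line in report(NAT_TABLE, KERNEL_LOG):
        print(line)
```

Because the quoted warning decodes to the post-DNAT packet, the next thing to look at on the gateway is the routing decision that follows DNAT: the kernel refused to route a packet from 10.0.62.6 to 192.168.208.137 that arrived on ipsec0, so the route it consults for that source and destination pair on ipsec0 (and the reverse-path setting on that device) is where the missing FORWARD-chain hits should be explained; that is the check this script points you at, not a fix the thread itself establishes.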