[Openswan Users] OpenSWAN VPN only kinda working
Jeff Williams
jwilliams at digitalfairway.com
Tue Jan 4 21:46:48 CET 2005
Hello,
Bad form to reply to self, but:
If I disable my iptables, the VPN works great both ways!
So what's wrong with my iptables? (see below)
Thanks, Jeff
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.100.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A INPUT -s 192.168.100.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -d 207.164.133.170 -p 50 -j ACCEPT
-A INPUT -d 207.164.133.170 -p 51 -j ACCEPT
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p 50 -j ACCEPT
-A OUTPUT -p 51 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
# Enabled Toronto to Talk with Ottawa
-A FORWARD -s 192.168.100.0/24 -d 192.168.101.0/24 -j ACCEPT
# Enabled Ottawa to Talk with Toronto
-A FORWARD -s 192.168.101.0/24 -d 192.168.100.0/24 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Accept all internal
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp+ -s 192.168.100.0/24 -d 192.168.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -i eth0 -m state -m tcp --dport 993 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 1723 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p 47 -j ACCEPT
#-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
-A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170
#-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -m tcp -p tcp -i eth0 --dport 993 -j DNAT --to-destination 192.168.100.10
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
Jeff Williams wrote:
> Hello,
>
> Config: Right: OpenSwan 2.1.5 (RPM) on Fedora Core 3 default kernel
> 2.6.9 iptables 1.2.11 network 192.168.100.0/24
> Left: a Netwinder (ARM processor) using FreeSWAN 1.3 kernel 2.2.14
> ipchains 1.3.9 network 192.168.101.0/24
>
> - all was good when I ran SuperFreeSWAN 1.99 on right on 2.2 kernel
>   (upgraded to new machine)
> - VPN is up, ping both ways no problem.
> - left side net host (eg 192.168.101.202) can connect (telnet, cvs etc)
>   to any host on the right (eg 192.168.100.10)
> - right side host (eg 192.168.100.22) CAN'T connect to any host on the
>   left (eg 192.168.101.202)
> - left side log has: Jan 4 20:22:32 dfcottawa kernel:
>   ip_demasq_esp(): Inbound from 207.164.133.170 SPI E4B7F7AC has no masq
>   table entry
>
> Google search didn't help much and I couldn't find an archive for the
> mailing list. From things I did find, this could be an issue with my
> iptables? Or an issue with the way the IPSEC packets pass through the
> kernel? Could OpenSWAN 2.3 with KLIPS on the 2.6 kernel fix this?
> Thoughts? Thanks, Jeff
>
> connection config:
> conn TORONTO-OTTAWA
> authby=rsasig
> auto=start
> left=207.164.133.170
> leftfirewall=no
> leftnexthop=207.164.133.169
> leftrsasigkey=0xlong hex string
> leftsubnet=192.168.100.0/24
> right=207.61.226.218
> rightfirewall=yes
> rightnexthop=207.61.226.217
> rightrsasigkey=0xlong hex string
> rightsubnet=192.168.101.0/24
> rightsourceip=192.168.101.1
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
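The nat POSTROUTING chain in the posted ruleset SNATs everything that leaves eth0, including packets bound for the Ottawa subnet. What follows is an added example, not code from Jeff's post or from Openswan: a small Python model of first-match traversal of that chain, run on a packet from 192.168.100.22 to 192.168.101.202 (the case reported as failing) against the posted chain and against a chain with an ACCEPT exception for leftsubnet -> rightsubnet traffic placed ahead of the SNAT rule. The model assumes that NAT is applied before the packet is compared with the tunnel selector, which is the premise behind the usual exception-rule advice for the native 2.6 IPsec stack; the fixed chain and the destination 198.51.100.7 standing in for ordinary Internet traffic are assumptions made for the example.

```python
"""Model of how a nat POSTROUTING SNAT rule can rewrite traffic bound
for the remote IPsec subnet before it reaches the tunnel, and of the
usual remedy: an ACCEPT exception placed before the SNAT rule.

Added example, not from the original post or from Openswan. The
ORIGINAL chain is the posted one; FIXED_POSTROUTING and the
"NAT before tunnel selector" ordering are this model's assumptions.
"""
import ipaddress
import shlex

# nat POSTROUTING chain as posted: everything leaving eth0 is SNATed.
ORIGINAL_POSTROUTING = """
-A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170
"""

# Assumed fix: exempt leftsubnet -> rightsubnet traffic *before* SNAT.
# iptables chains are first-match, so the order of these two lines matters.
FIXED_POSTROUTING = """
-A POSTROUTING -s 192.168.100.0/24 -d 192.168.101.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170
"""

# Tunnel selector for conn TORONTO-OTTAWA (leftsubnet -> rightsubnet).
SPD = [(ipaddress.ip_network("192.168.100.0/24"),
        ipaddress.ip_network("192.168.101.0/24"))]


def parse_chain(text):
    """Parse iptables-save style '-A CHAIN ...' lines (only the options
    used here: -s, -d, -o, -j, --to) into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        rule = {"src": None, "dst": None, "out": None, "target": None, "to": None}
        i = 0
        while i < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt == "-A":
                pass                       # chain name; a single chain here
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-o":
                rule["out"] = val
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--to":
                rule["to"] = val
            else:
                raise ValueError("unsupported option: " + opt)
            i += 2
        rules.append(rule)
    return rules


def postrouting(rules, src, dst, out_if):
    """First-match traversal of the nat POSTROUTING chain for the first
    packet of a connection. Returns (source address on the wire, target)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["dst"] is not None and dst_ip not in r["dst"]:
            continue
        if r["out"] is not None and r["out"] != out_if:
            continue
        if r["target"] == "ACCEPT":
            return str(src_ip), "ACCEPT"   # leave the chain, no NAT
        if r["target"] == "SNAT":
            return r["to"], "SNAT"         # source rewritten
    return str(src_ip), "ACCEPT"           # chain policy is ACCEPT


def spd_match(src, dst):
    """Does a packet with these addresses fit a tunnel selector?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ls and d in rs for ls, rs in SPD)


def trace(chain_text, src, dst, out_if="eth0"):
    """Send one packet through the chain and report whether it would still
    match the tunnel afterwards (model assumption: NAT is applied first)."""
    wire_src, target = postrouting(parse_chain(chain_text), src, dst, out_if)
    return {"nat": target, "src_on_wire": wire_src,
            "matches_tunnel": spd_match(wire_src, dst)}


if __name__ == "__main__":
    # Right-side host 192.168.100.22 opening a connection to 192.168.101.202,
    # the direction reported as failing in the post.
    for name, chain in (("original", ORIGINAL_POSTROUTING),
                        ("fixed", FIXED_POSTROUTING)):
        print(name, trace(chain, "192.168.100.22", "192.168.101.202"))
```

The exception has to sit above the SNAT line, since iptables stops at the first matching rule in a chain. Netfilter takes NAT decisions on the first packet of a connection, so sessions opened from the Ottawa side, whose first packet arrives through the tunnel, would not be SNATed on the reply path; that fits the reported symptom of Ottawa-initiated sessions working while Toronto-initiated ones do not, though the model only illustrates the mechanism rather than proving it is the cause here. Later iptables releases add an `-m policy` match for this purpose; iptables 1.2.11 does not have it.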