[Openswan Users] OpenSWAN VPN only kinda working

Jeff Williams jwilliams at digitalfairway.com
Wed Jan 5 11:03:53 CET 2005


Hello Paul,

That was actually the first change to my iptables I tried several days 
ago when I first had the issue.  It didn't change anything.

I have even gone as far as putting an additional interface card into the 
machine, as I have multiple public addresses.  The thought was that I could 
use eth0 for internet-only access and eth2 for IPsec-only data with no 
SNAT rule on it.  But it seems that packets for eth2 come in on eth0 at 
times for IPsec. (still thinking/looking at this one)

Thanks, Jeff

Paul Overton wrote:

>Try adding the following:
>
># Generated by webmin
>*nat
>-A POSTROUTING -s 192.168.100.0/24 -d 192.168.101.0/24 -o eth0 -j ACCEPT
>-A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170
>#-A POSTROUTING -o eth0 -j MASQUERADE
>-A PREROUTING -m tcp -p tcp -i eth0 --dport 993 -j DNAT --to-destination 192.168.100.10
>:OUTPUT ACCEPT [0:0]
>:PREROUTING ACCEPT [0:0]
>:POSTROUTING ACCEPT [0:0]
>
>Regards Paul
>
>-----Original Message-----
>From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
>Behalf Of Jeff Williams
>Sent: 05 January 2005 13:23
>To: Users at openswan.org
>Subject: Re: [Openswan Users] OpenSWAN VPN only kinda working
>
>
>Hello,
>
>I believe I am NATing IPsec packets, but nothing I have tried will stop 
>the NATing of IPsec packets.  The problem I have is how to fix the 
>situation, if possible.
>
>There is this comment in the Design-Related Issues of Openswan:
>
>* Using SNAT and the 2.6 ipsec code apparently doesn't go well together.
>  Reported by Alexander Samad. Known issue for the netfilter team. DNAT
>  works as usual, meaning you have to exclude DNAT'ing packets meant for
>  a tunnel.
>
>But I am not sure exactly how it affects me and how to get around it.  I am
>searching through the netfilter stuff next to see if they provide something
>that may resolve the issue.
>
>Thanks, Jeff
>
>
>
>Paul Wouters wrote:
>
>>On Tue, 4 Jan 2005, Jeff Williams wrote:
>>
>>>*nat
>>>-A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170
>>>#-A POSTROUTING -o eth0 -j MASQUERADE
>>>-A PREROUTING -m tcp -p tcp -i eth0 --dport 993 -j DNAT --to-destination 192.168.100.10
>>You are NAT'ing ipsec packets, causing them to be invalid and dropped?
>>
>>And no, I have no idea why it 'worked before' with freeswan; it shouldn't 
>>have.
>>
>>Paul
>>
>_______________________________________________
>Users mailing list
>Users at openswan.org
>http://lists.openswan.org/mailman/listinfo/users

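The rule ordering the thread is circling around, as an added example that is not part of the thread and is neither Openswan's nor any poster's configuration: in the nat table, the first matching rule in POSTROUTING wins, so a subnet-to-subnet ACCEPT has to precede the catch-all SNAT, otherwise the packet's source address is rewritten before the IPsec policy (leftsubnet/rightsubnet) is consulted and it no longer matches the tunnel. The script below generates such a table for iptables-restore and lints an existing `iptables-save -t nat` dump for the ordering. It assumes the subnets, public address and interface named in the thread (192.168.100.0/24, 192.168.101.0/24, 207.164.133.170, eth0); the optional `-m policy --dir out --pol ipsec` line assumes a kernel and iptables with the netfilter `policy` match, which the page does not mention and which may not be available on the 2.6 kernel being discussed. Whether that era's 2.6 native IPsec honoured the exclusion is exactly the open question in the thread; the example only shows the standard workaround and how to check it is in place.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan.
# Addresses and interface names are the ones mentioned in the thread;
# the generated rule set is a constructed illustration.

# gen_nat_rules LAN_NET REMOTE_NET PUBLIC_IP WAN_IF [policy]
# Emits an iptables-restore(8) nat table. The subnet-to-subnet ACCEPT comes
# first so tunnel traffic keeps its private source address and still matches
# the IPsec selectors; everything else leaving WAN_IF is SNAT'd.
# If a fifth argument "policy" is given, an extra ACCEPT using the netfilter
# policy match is emitted (assumption: xt_policy is present on the kernel).
gen_nat_rules() {
    lan=$1; remote=$2; pub=$3; wan=$4; use_policy=${5:-no}
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n'
    printf ':POSTROUTING ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf '# tunnel traffic first: do not rewrite the source of VPN packets\n'
    printf -- '-A POSTROUTING -s %s -d %s -o %s -j ACCEPT\n' "$lan" "$remote" "$wan"
    if [ "$use_policy" = policy ]; then
        printf '# same idea, keyed on the outbound IPsec policy instead of addresses\n'
        printf -- '-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n'
    fi
    printf '# everything else leaving %s gets the public address\n' "$wan"
    printf -- '-A POSTROUTING -o %s -j SNAT --to-source %s\n' "$wan" "$pub"
    printf 'COMMIT\n'
}

# check_snat_order LAN_NET REMOTE_NET  < ruleset
# Reads a nat table in iptables-save format on stdin. Returns 0 when the
# LAN_NET -> REMOTE_NET ACCEPT appears in POSTROUTING before the first
# SNAT/MASQUERADE rule, 1 otherwise. Intended as a lint step:
#   iptables-save -t nat | check_snat_order 192.168.100.0/24 192.168.101.0/24
check_snat_order() {
    lan=$1; remote=$2
    awk -v lan="$lan" -v remote="$remote" '
        /^-A POSTROUTING/ && $0 ~ ("-s " lan) && $0 ~ ("-d " remote) && /-j ACCEPT/ {
            if (!snat_seen) ok = 1      # exclusion found before any SNAT
        }
        /^-A POSTROUTING/ && (/-j SNAT/ || /-j MASQUERADE/) {
            snat_seen = 1               # any later ACCEPT is too late
        }
        END { exit ok ? 0 : 1 }
    '
}

# Stand-alone demo: print the generated table, then lint it.
gen_nat_rules 192.168.100.0/24 192.168.101.0/24 207.164.133.170 eth0
gen_nat_rules 192.168.100.0/24 192.168.101.0/24 207.164.133.170 eth0 \
    | check_snat_order 192.168.100.0/24 192.168.101.0/24 \
    && echo "ok: subnet-to-subnet ACCEPT precedes SNAT"
```

Load the generated table with `iptables-restore -n` (the `-n` keeps the existing filter table) and confirm the order with `iptables -t nat -L POSTROUTING -n --line-numbers`; the ACCEPT must show a lower line number than the SNAT. The DNAT side is separate: as the Openswan note quoted above says, PREROUTING DNAT rules also need an exclusion for packets arriving through the tunnel, which the same "specific ACCEPT before generic rewrite" pattern handles.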
