[Openswan Users]
IPsec SA established but ping between desktops doesn't work
Paulo Ricardo Bruck
pauloric at contato.com.br
Fri Jan 21 15:32:16 CET 2005
Hi guys,
I've been reading some material about Openswan and FreeS/WAN, but
unfortunately I can't find where I'm wrong.
Debian sarge w/ openswan 2.2.0-4 on both firewall/gateways
192.168.0.0/24--firewall/OpenSwan-200.207.92.xx-----internet-----
internet------200.168.52.xx - Firewall/Openswan---192.168.1.0/24
firewall rules:
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN1 -d ! 192.168.0.0/24 -j SNAT --to-source $IPWAN1   ( at 200.207...)
iptables -t nat -A POSTROUTING -o $WAN1 -d ! 192.168.0.0/24 -j SNAT --to-source $IPWAN1   ( at 200.168...)
last line of ipsec auto --verbose --up contato-bino:
004 "contato-bino" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9adc209b <0x7955dc13}
As far as I can see I have an IPsec tunnel between both gateways, but from my
desktop 192.168.0.11 I can't ping/ssh/whatever 192.168.1.2 (another
Linux desktop on the other side).
tcpdump at 200.168.52.xx:
lorien:~# tcpdump -i eth1 -nlpt port ! 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
IP 200.207.125.xx > 200.168.52.xx: ESP(spi=0x7955dc13,seq=0xe)
IP 192.168.0.11 > 192.168.1.2: icmp 64: echo request seq 14
IP 200.207.125.xx > 200.168.52.xx: ESP(spi=0x7955dc13,seq=0xf)
IP 192.168.0.11 > 192.168.1.2: icmp 64: echo request seq 15
What am I missing?
Thanks in advance.
--
Paulo Ricardo Bruck - consultor
Contato Global Solutions
tel 011 5031-4932 fone/fax 011 5034-1732 cel 011 9235-4327
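A check a practitioner would run on each gateway when the SA is up but the decrypted echo requests never get a reply (an added example, not from this thread or from Openswan): it parses `iptables-save` output and reports a SNAT/MASQUERADE rule that does not exempt the remote subnet, and a FORWARD chain with no ACCEPT rules for the two subnets. The embedded dump is constructed from the rules quoted in the post; the interface name and the public address are placeholders.

```python
import ipaddress
import re
# Constructed iptables-save style dump modelled on the post's rules (placeholder WAN values).
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -d 192.168.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
"""

def parse_dump(dump):
    """Return ({(table, chain): policy}, rules); a rule maps option -> (value, negated)."""
    table, policies, rules = None, {}, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line.split()[:2]
            policies[(table, chain[1:])] = policy
        elif line.startswith("-A"):  # iptables-save writes negation as "! -d net"
            rules.append({opt: (val, neg == "!") for neg, opt, val
                          in re.findall(r"(!?)\s*(-{1,2}\S+)\s+(\S+)", line)})
    return policies, rules

def rule_matches(rule, src, dst):
    """True if the rule's -s/-d match a packet src -> dst (-o and -p are ignored)."""
    for opt, addr in (("-s", src), ("-d", dst)):
        if opt in rule and (ipaddress.ip_address(addr) in ipaddress.ip_network(rule[opt][0])) == rule[opt][1]:
            return False
    return True

def audit(dump, local_net, remote_net):
    """List rule problems that explain packets decrypting but never being answered."""
    policies, rules = parse_dump(dump)
    local, remote = (str(next(ipaddress.ip_network(n).hosts())) for n in (local_net, remote_net))
    target = lambda r: r.get("-j", ("",))[0]
    findings = []
    # SNAT/MASQUERADE must exempt traffic bound for the remote subnet.  -o is ignored on purpose:
    # with NETKEY the plaintext packet crosses nat POSTROUTING on the WAN interface before ESP
    # encapsulation, so a WAN-only rule still rewrites it (KLIPS sends it out via ipsec0 instead).
    for r in rules:
        if r["-A"][0] == "POSTROUTING" and target(r) in ("SNAT", "MASQUERADE") and rule_matches(r, local, remote):
            findings.append("nat: %s rewrites %s -> %s; add '! -d %s'" % (target(r), local_net, remote_net, remote_net))
    if policies.get(("filter", "FORWARD")) != "ACCEPT":  # both directions need an ACCEPT
        for a, b in ((local, remote), (remote, local)):
            if not any(r["-A"][0] == "FORWARD" and target(r) == "ACCEPT" and rule_matches(r, a, b) for r in rules):
                findings.append("filter: FORWARD drops %s -> %s" % (a, b))
    return findings
```

On a real gateway feed it `iptables-save` output in place of the constructed dump; an empty list means neither of these two causes applies and the next place to look is routing on the desktops themselves.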