[Openswan Users] gateway to gateway problem
Pixelib Team
service at pixelib.com
Sat May 28 00:22:32 CEST 2005
Dear user,
I have set up freeswan successfully for road warriors since last year, and unfortunately I am failing to set up a gateway to gateway VPN connection right now.
Indeed IPSec got established, but it did not seem to work for packets going between subnets. Why can the packets not cross between these two subnets, 192.168.10.0 and 192.168.5.0?
/etc/ipsec.conf
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    strictcrlpolicy=yes
    nat_traversal=yes
conn %default
    type=tunnel
    authby=rsasig
    leftcert=certs/freeswan.der
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightrsasigkey=%cert
    rightprotoport=17/1701
    keyingtries=3
    auto=add
    pfs=no
    rekeymargin=20m
    rekeyfuzz=25%
    keylife=30m
    ikelifetime=30m
    disablearrivalcheck=no
    compress=yes
conn L5
    left=61.10.XXX.YYY
    leftnexthop=61.10.102.1
    leftsubnet=192.168.10.0/24
    leftid=61.10.XXX.YYY
    leftcert=certs/wahj.crt
    right=61.10.AAA.BBB
    rightnexthop=61.10.64.1
    rightsubnet=192.168.15.0/24
    rightid=61.10.AAA.BBB
    rightcert=certs/hwwong.crt
/etc/init.d/iptables
iptables -F
iptables -F -t nat
# This makes sure that IP forwarding is turned on for networking.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Disable IP spoofing protection to allow IPSEC to work properly
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-d $IPSECSG --destination-port 500 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPSECSG --source-port 500 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-d $IPSECSG --destination-port 4500 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPSECSG --source-port 4500 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p 50 \
-d $IPSECSG -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 50 \
-s $IPSECSG -j ACCEPT
# Allow all traffic to FreeS/WAN Virtual Interface
iptables -A INPUT -i $FREESWANVI -j ACCEPT
iptables -A OUTPUT -o $FREESWANVI -j ACCEPT
# Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
iptables -A FORWARD -i $FREESWANVI \
-o $EXTERNAL_INTERFACE -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE \
-o $FREESWANVI -j ACCEPT
# Forward anything between ipsec0 and eth1, subnet to subnet
iptables -A FORWARD -i $FREESWANVI \
-o $LOCAL_INTERFACE_1 -j ACCEPT
iptables -A FORWARD -i $LOCAL_INTERFACE_1 \
-o $FREESWANVI -j ACCEPT
IPSec Established successfully
+ ipsec whack --name L5 --initiate
104 "L5" #13: STATE_MAIN_I1: initiate
003 "L5" #13: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "L5" #13: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L5" #13: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "L5" #13: STATE_MAIN_I3: sent MI3, expecting MR3
004 "L5" #13: STATE_MAIN_I4: ISAKMP SA established
117 "L5" #14: STATE_QUICK_I1: initiate
004 "L5" #14: STATE_QUICK_I2: sent QI2, IPsec SA established
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0        0 eth1
192.168.15.0    61.10.102.1     255.255.255.0   UG      0 0        0 ipsec0
192.168.10.0    0.0.0.0         255.255.255.0   U       0 0        0 eth1
61.10.102.0     0.0.0.0         255.255.254.0   U       0 0        0 eth0
61.10.102.0     0.0.0.0         255.255.254.0   U       0 0        0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0        0 lo
0.0.0.0         61.10.102.1     0.0.0.0         UG      0 0        0 eth0
Kind regards,
Wah Jong
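The posted conn L5 sets no protoport of its own, so it inherits whatever conn %default sets. The following is an added example, not from the poster or from the Openswan project: it parses a constructed excerpt of the posted ipsec.conf, merges the %default section under L5 the way pluto does, and reports any leftprotoport/rightprotoport selector still in effect for a subnet-to-subnet conn, since such a selector narrows the IPsec SA to that protocol and port.

```python
# Added example: resolve the effective settings of an ipsec.conf conn after
# "conn %default" inheritance and flag protoport selectors that narrow the SA.
# IPSEC_CONF is a constructed excerpt of the config in the post.
IPSEC_CONF = """\
conn %default
    authby=rsasig
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
conn L5
    left=61.10.XXX.YYY
    leftsubnet=192.168.10.0/24
    right=61.10.AAA.BBB
    rightsubnet=192.168.15.0/24
"""

def parse_sections(text):
    """Return {'conn L5': {key: value}, ...}; keys in a section are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header, e.g. "conn L5"
            current = sections.setdefault(line.strip(), {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn; explicit keys win."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections["conn " + name])
    return merged

def protoport_restrictions(conn):
    """Protoport selectors in effect. A subnet-to-subnet conn wants none:
    a 17/1701 (L2TP) selector means ordinary subnet traffic does not match
    this SA at all."""
    return {k: v for k, v in conn.items()
            if k in ("leftprotoport", "rightprotoport") and v not in ("", "0/0")}

if __name__ == "__main__":
    l5 = effective_conn(parse_sections(IPSEC_CONF), "L5")
    for key, value in protoport_restrictions(l5).items():
        print(f"L5 inherits {key}={value} from conn %default")
```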