[Openswan Users] Road warrior user connected but can't ping the other side

Thiago Campos tmclistas at uol.com.br
Wed Sep 14 20:31:19 CEST 2005


After being able to connect to my VPN server from my LAN, I'm now trying to
connect from a dial-up access. Once I could connect, but I couldn't ping the
machine with the local IP.

/var/log/secure

Sep 14 19:09:57 sbf-vpn pluto[2726]: ERROR: asynchronous network error report on eth1 (sport=500) for message to road_warrior_ip port 500, complainant my_server_ip: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

my firewall

#!/bin/sh
IPT=/sbin/iptables
PROGRAMA=/home/t4w/firewall/firewall_mac_filtro
NET_IFACE=eth1
LAN_IFACE=eth0
# One entry per line, fields separated by ';': status;mac;ip
# status "a" = allowed host, anything else = blocked MAC
MACLIST=/home/t4w/firewall/maclist
# Load IPTABLES modules
modprobe ip_tables
# Load FTP helper modules
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Load NAT modules
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
case "$1" in
start)
        $IPT -F
        $IPT -t nat -F
        # Default policy: drop everything that is not explicitly accepted below
        $IPT -t filter -P FORWARD DROP
        $IPT -t filter -P INPUT DROP
        $IPT -t filter -P OUTPUT DROP
        for i in `cat "$MACLIST"`; do
                STATUS=`echo "$i" | cut -d ';' -f 1`
                IPSOURCE=`echo "$i" | cut -d ';' -f 3`
                MACSOURCE=`echo "$i" | cut -d ';' -f 2`
                # If status is "a" then allow the connection
                if [ "$STATUS" = "a" ]; then
                        $IPT -t filter -A FORWARD -d 0/0 -s "$IPSOURCE" -m mac --mac-source "$MACSOURCE" -j ACCEPT
                        $IPT -t filter -A FORWARD -d "$IPSOURCE" -s 0/0 -j ACCEPT
                        $IPT -t nat -A POSTROUTING -s "$IPSOURCE" -o "$NET_IFACE" -j MASQUERADE
                        $IPT -t filter -A INPUT -s "$IPSOURCE" -d 0/0 -m mac --mac-source "$MACSOURCE" -j ACCEPT
                        $IPT -t filter -A INPUT -s 0/0 -d "$IPSOURCE" -j ACCEPT
                        $IPT -t filter -A OUTPUT -s "$IPSOURCE" -d 0/0 -j ACCEPT
                        $IPT -t filter -A OUTPUT -d "$IPSOURCE" -s 0/0 -j ACCEPT
                        $IPT -t nat -A POSTROUTING -s "$IPSOURCE" -o "$LAN_IFACE" -j MASQUERADE

                        # Open all ports
                        $IPT -A INPUT -p tcp -s "$IPSOURCE" -j ACCEPT

                # If status is "b" then block the MAC
                else
                        $IPT -t filter -A FORWARD -m mac --mac-source "$MACSOURCE" -j DROP
                        $IPT -t filter -A INPUT -m mac --mac-source "$MACSOURCE" -j DROP
                        $IPT -t filter -A OUTPUT -m mac --mac-source "$MACSOURCE" -j DROP
                fi
        done
        ;;
*)
        echo "Usage: $0 start" >&2
        exit 1
        ;;
esac
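Whatever turns out to be behind the "No route to host" report above, a gateway with default-DROP policies and no state rules, like the script in this post, also needs explicit rules before IKE and ESP can reach pluto and the kernel at all. The following is an added example written for this thread, not code from the original post or from Openswan; it assumes the road warrior arrives on eth1 (as in the script) and uses RW_NET as a placeholder for the road warrior's address or virtual subnet.

```shell
#!/bin/sh
# Added example for this thread, not from the original post.
# Assumption: the external (road-warrior facing) interface is eth1, as in
# the script above.  Set IPT=echo to print the rules instead of applying them.
IPT=${IPT:-/sbin/iptables}

# Accept IKE (UDP 500), NAT-Traversal (UDP 4500) and ESP (IP protocol 50)
# on the external interface in both directions.  With INPUT/OUTPUT policy
# DROP and no conntrack state rules, every one of these must be explicit.
ipsec_allow() {
    iface=$1
    for port in 500 4500; do
        $IPT -A INPUT  -i "$iface" -p udp --dport "$port" -j ACCEPT
        $IPT -A OUTPUT -o "$iface" -p udp --sport "$port" -j ACCEPT
    done
    $IPT -A INPUT  -i "$iface" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -p esp -j ACCEPT
    # Let ICMP errors from the path in, so pluto can log them (as the
    # "type 3 code 1" line above shows) instead of waiting for a timeout.
    $IPT -A INPUT -i "$iface" -p icmp --icmp-type destination-unreachable -j ACCEPT
}

# The script above masquerades everything that leaves eth1.  If the kernel
# applies NAT before the IPsec policy lookup (the NETKEY stack does), the
# masqueraded LAN replies no longer match the tunnel policy and leave in
# the clear, so traffic for the road warrior is exempted here.
# rw_net is a placeholder (assumption) for its address or virtual subnet.
ipsec_nat_exempt() {
    iface=$1; rw_net=$2
    # Insert at position 1 so it is evaluated before the MASQUERADE rules.
    $IPT -t nat -I POSTROUTING 1 -o "$iface" -d "$rw_net" -j ACCEPT
}

# Dry-run helper: count the ACCEPT rules ipsec_allow emits for an interface.
ipsec_allow_rule_count() {
    ( IPT=echo; ipsec_allow "$1" ) | grep -c -- '-j ACCEPT'
}

# Usage: IPT=echo sh this_file eth1   (dry run)   or, as root: sh this_file eth1
if [ -n "${1:-}" ]; then
    ipsec_allow "$1"
    ipsec_nat_exempt "$1" "${RW_NET:-RW_NET_PLACEHOLDER}"
fi
```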


