[Openswan Users] newbie help - RHEL 3 behind NAT to SonicWall

Kimberly Knowles Nico kimberly_nico at yahoo.com
Wed Jan 25 08:08:30 CET 2006


Setup:

laptop RHEL 3, 192.168.2.2
      |
Belkin router/firewall and cable modem performing NAT
  (192.168.2.1, home network is 192.168.2/24)
      |
   Internet
      |
SonicWall VPN (public static IP)
      |
10.1.1.0/24

I think my tunnel is set up correctly:
[root at localhost kim]# /sbin/service ipsec start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: modprobe: Can't locate module ipsec
ipsec_setup: /sbin/insmod /lib/modules/2.4.21-37.EL/kernel/net/key/af_key.o
ipsec_setup: Using /lib/modules/2.4.21-37.EL/kernel/net/key/af_key.o
ipsec_setup: Symbol version prefix ''
ipsec_setup: modprobe: Can't locate module xfrm4_tunnel
ipsec_setup: modprobe: Can't locate module xfrm_user
ipsec_setup: modprobe: Can't locate module sha1
ipsec_setup: modprobe: Can't locate module md5
ipsec_setup: modprobe: Can't locate module des
[root at localhost kim]# /usr/sbin/ipsec auto --up vizdom
104 "vizdom" #1: STATE_MAIN_I1: initiate
003 "vizdom" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
106 "vizdom" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vizdom" #1: ignoring unknown Vendor ID payload [da8e937880010000]
003 "vizdom" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "vizdom" #1: received Vendor ID payload [XAUTH]
003 "vizdom" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
108 "vizdom" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vizdom" #1: STATE_MAIN_I4: ISAKMP SA established
117 "vizdom" #2: STATE_QUICK_I1: initiate
004 "vizdom" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xd00553f0 <0x3e8b4af1 NATOA=0.0.0.0}

but ping to the remote network doesn't work:
[root at localhost kim]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
 
--- 10.1.1.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4028ms
 
I am unsure what to use for iptables rules.  I know I need some (!), and I've
looked at examples, but I'm confused as to whether I should be trying to write
rules which don't go through ipsec or rules which do.  

I tried this:
[root at localhost kim]# /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d ! 10.1.1.0/24 -j MASQUERADE

and it resulted in this:

[root at localhost kim]# /bin/netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.162.0   0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.46.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
10.1.1.0        192.168.2.1     255.255.255.0   UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.2.1     128.0.0.0       UG        0 0          0 eth0
128.0.0.0       192.168.2.1     128.0.0.0       UG        0 0          0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eth0

I have turned on ip forwarding in /etc/sysctl.conf.

Any suggestions for this pitiful iptables newbie would be appreciated.

-Kim.
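What the firewall side of this setup usually looks like on a Linux host that carries an IPsec tunnel out through a NATed uplink, as an added example that is not part of the original post and not Openswan's own code: the first function below prints (or, with APPLY=1, applies) a rule set that admits IKE on UDP 500, NAT-T on UDP 4500 and raw ESP, and keeps packets for the remote subnet out of MASQUERADE; with the native (NETKEY) stack the nat POSTROUTING chain runs on the plaintext packet before it is encapsulated, so a MASQUERADE rule that matches it rewrites the source address and the packet no longer fits the tunnel's 192.168.2.0/24 to 10.1.1.0/24 policy. The second function checks an `iptables -t nat -S POSTROUTING` listing for exactly that mistake. The addresses and interface (192.168.2.0/24, 10.1.1.0/24, eth0) are taken from the post; the function names, the APPLY switch and the two sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post or from Openswan). Assumed values, overridable
# from the environment: LOCAL_NET, REMOTE_NET and WAN_IF default to the post's setup.
set -eu

LOCAL_NET="${LOCAL_NET:-192.168.2.0/24}"
REMOTE_NET="${REMOTE_NET:-10.1.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print each command unless APPLY=1, in which case it is executed (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Rule set for a host (or gateway) terminating an IPsec tunnel behind NAT.
ipsec_nat_rules() {
    # IKE main/quick mode (UDP 500) and NAT-Traversal encapsulation (UDP 4500).
    run iptables -A INPUT -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    # Raw ESP (IP protocol 50) in case the path is not NATed after all.
    run iptables -A INPUT -p 50 -j ACCEPT
    # Tunnel-bound traffic must keep its LAN source address: the exemption is
    # inserted at position 1 so it is evaluated before any MASQUERADE rule.
    run iptables -t nat -I POSTROUTING 1 -o "$WAN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Everything else leaving the LAN may be masqueraded as usual.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" ! -d "$REMOTE_NET" -j MASQUERADE
}

# Return 0 if the listing ($1, in `iptables -t nat -S POSTROUTING` format) never
# masquerades traffic for $REMOTE_NET, i.e. an ACCEPT for that subnet precedes any
# MASQUERADE rule, or every MASQUERADE rule carries a "! -d REMOTE_NET" guard.
# Conservative: a MASQUERADE rule without that guard is reported even if it is
# narrowed by some other destination match.
tunnel_exempt_from_nat() {
    printf '%s\n' "$1" | awk -v net="$REMOTE_NET" '
        # Exemption reached first: tunnel traffic is safe from NAT.
        index($0, "-d " net) && !index($0, "! -d " net) && /-j ACCEPT/ { exit 0 }
        # An unguarded MASQUERADE came first: it would rewrite tunnel traffic.
        /-j MASQUERADE/ && !index($0, "! -d " net) { exit 1 }
    '
}

# Constructed sample listings (not captured from a real host).
GOOD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -s 192.168.2.0/24 -d 10.1.1.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE'
BAD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE'

echo "# rules that would be applied with APPLY=1:"
ipsec_nat_rules
for listing in "$GOOD_LISTING" "$BAD_LISTING"; do
    if tunnel_exempt_from_nat "$listing"; then
        echo "# listing OK: $REMOTE_NET is exempt from MASQUERADE"
    else
        echo "# listing BAD: $REMOTE_NET would be masqueraded before IPsec"
    fi
done
```

Run it as-is to see the commands and the two sample verdicts; run `APPLY=1 sh script.sh` as root to install the rules. On a running host, `tunnel_exempt_from_nat "$(iptables -t nat -S POSTROUTING)"` gives the same check against the live chain, and a tunnel that shows "IPsec SA established" but passes no pings is a good moment to run it.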



