[Openswan Users]

Andy Gay andy at andynet.net
Sun Jul 23 02:24:53 CEST 2006


On Sun, 2006-07-23 at 00:09 -0500, Greg Scott wrote:
> Aw nuts, sorry about that.  Lakeville is on the right, Roseville on the
> left.  I got my diagram backwards and didn't notice until you pointed it
> out.  For the record, it's like this:
> 
> 
> Roseville (Left)                      Lakeville (Right)
>   eth1        eth0                      eth0             eth1
>   10.15.1.75  71.216.115.33             209.130.212.154  10.13.1.1
> 
> 
> The whole problem was, I used a kernel from kernel.org because of some
> other netfilter modules I wanted.  Sheesh - I built it about 3 weeks ago
> and it's already obsolete.  And I must have built it wrong because when
> I booted my test firewalls using the original fc5 2.6.15.nnn kernel,
> now I see esp packets going out both interfaces.  
> 
If you were getting the IPsec SA established, your kernel is probably
OK.
There were some significant changes in the netfilter-ipsec interaction
since 2.6.16. SNAT is rumoured to work properly now, for instance.

One problem I found with 2.6.16+ is if you have an iptables DROP policy
for your INPUT chain, then you'll have to add an ACCEPT rule for
protocol 4 (IP-in-IP). Nobody seems to know just why that is.


> I'll bet by now there's an fc5 2.6.17.nnn kernel, so I'm going to grab
> that and use it.
> 
> - Greg
> 
> 
> 
> -----Original Message-----
> From: Andy Gay [mailto:andy at andynet.net] 
> Sent: Saturday, July 22, 2006 11:56 PM
> To: Greg Scott
> Cc: users at openswan.org
> Subject: Re: [Openswan Users]
> 
> On Sat, 2006-07-22 at 19:01 -0500, Greg Scott wrote:
> > I must be missing something basic here.  I am trying to set up a simple 
> > tunnel with 2 subnets.  Here is the scenario below.  Apologies if an 
> > emailer somewhere along the line butchers the line wrapping.
> > 
> >                  Roseville (Left)              Lakeville (Right)
> >                Left Firewall  <-Internet--> Right Firewall
> > 10.13.1.0/24  eth1       eth0             eth0             eth1  10.15.1.0/24
> >               10.13.1.1  71.216.115.33    209.130.212.154  10.15.1.75
> 
> So here you say that leftsubnet is 10.13.1.0/24, rightsubnet is
> 10.15.1.0/24.
> 
> But later on in your config file, you have those the other way around:
> 
> > [root at lakeville-fw etc]# more ipsec.d/Roseville-Lakeville.conf
> 
> > conn Roseville-Lakeville
> >         left=71.216.115.33
> >         leftsubnet=10.15.1.0/24
> >         leftnexthop=71.216.115.38
> >         leftid=@roseville.local
> >         # RSA 2192 bits   roseville-fw   Thu Jul 20 18:47:26 2006
> >         leftrsasigkey=0sAQPHZAiDY....
> >         #
> >         # Right security gateway, subnet behind it, next hop toward 
> > left.
> >         right=209.130.212.154
> >         rightsubnet=10.13.1.0/24
> >         rightnexthop=209.130.212.153
> >         rightid=@lakeville.local
> >         # RSA 2192 bits   lakeville-fw   Wed Jul 19 21:09:32 2006
> >         rightrsasigkey=0sAQNb9diw....
> >         #
> >         auto=start
> > 
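An added example, not part of the thread and not Openswan's own code, that turns the two points of the exchange into something checkable from a shell: a sanity check that a conn's leftsubnet/rightsubnet sit on the same side as the gateway's own public address (Openswan decides which side a host is by matching left=/right= against its local addresses, so the check is keyed off the address the host actually has), and a generator for the INPUT rules a gateway with a DROP policy needs to accept from its peer, including the protocol 4 (IP-in-IP) rule Andy mentions for 2.6.16+ kernels. The conn text is a constructed copy of the one quoted above with placeholder RSA keys; the peer address and interface passed to the rule generator are assumptions.

```shell
#!/bin/sh
# Constructed sample conn (keys are placeholders, addresses are the
# ones from the thread). Used as the input for check_conn_sides below.
SAMPLE_CONN=$(cat <<'EOF'
conn Roseville-Lakeville
        left=71.216.115.33
        leftsubnet=10.15.1.0/24
        leftnexthop=71.216.115.38
        leftid=@roseville.local
        leftrsasigkey=0sPLACEHOLDER_LEFT_KEY
        right=209.130.212.154
        rightsubnet=10.13.1.0/24
        rightnexthop=209.130.212.153
        rightid=@lakeville.local
        rightrsasigkey=0sPLACEHOLDER_RIGHT_KEY
        auto=start
EOF
)

# conn_value CONN_TEXT KEY: print the value of "KEY=" from a conn block.
# The anchored pattern means "left" does not also match "leftsubnet=".
conn_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" | head -n 1
}

# check_conn_sides CONN_TEXT MY_PUBLIC_ADDR MY_INNER_SUBNET
# Work out which side this host is (by its public address, the same way
# Openswan does) and confirm that side's subnet is the one really behind it.
# Returns 0 when consistent, 1 on a subnet swap, 2 if the host is on neither side.
check_conn_sides() {
    conn="$1"; my_addr="$2"; my_subnet="$3"
    left=$(conn_value "$conn" left)
    right=$(conn_value "$conn" right)
    if [ "$left" = "$my_addr" ]; then
        side=left
    elif [ "$right" = "$my_addr" ]; then
        side=right
    else
        echo "neither left= ($left) nor right= ($right) matches $my_addr" >&2
        return 2
    fi
    cfg_subnet=$(conn_value "$conn" "${side}subnet")
    if [ "$cfg_subnet" = "$my_subnet" ]; then
        echo "ok: this host is $side, ${side}subnet=$cfg_subnet"
        return 0
    fi
    echo "mismatch: this host is $side but ${side}subnet=$cfg_subnet, expected $my_subnet" >&2
    return 1
}

# gen_ipsec_input_rules PEER_ADDR WAN_IF
# Print (do not apply) the INPUT rules a gateway with a DROP policy needs
# from one peer: IKE on UDP/500, NAT-T on UDP/4500, ESP (protocol 50) and
# IP-in-IP (protocol 4), the last one per the 2.6.16+ observation above.
# Restricting to the peer address keeps the accepted surface minimal.
gen_ipsec_input_rules() {
    peer="$1"; wan_if="$2"
    printf '%s\n' \
        "iptables -A INPUT -i $wan_if -s $peer -p udp --dport 500 -j ACCEPT" \
        "iptables -A INPUT -i $wan_if -s $peer -p udp --dport 4500 -j ACCEPT" \
        "iptables -A INPUT -i $wan_if -s $peer -p esp -j ACCEPT" \
        "iptables -A INPUT -i $wan_if -s $peer -p 4 -j ACCEPT"
}

# Usage on the Roseville gateway (left): its public address and real subnet.
check_conn_sides "$SAMPLE_CONN" 71.216.115.33 10.15.1.0/24 || true
# Rules Roseville would need for its Lakeville peer (eth0 is assumed WAN).
gen_ipsec_input_rules 209.130.212.154 eth0
```

Review the printed rules, then paste them in ahead of the DROP policy; nothing in the block touches the running firewall by itself.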