[Openswan Users] ipsec / l2tpd + iptables ?

Reza ISSANY issanyr at laposte.net
Thu Nov 30 03:40:32 EST 2006


Hi,

Now I can ping the server public adresse.

                      server side                                       
                                         remote test client l2tp
172.16.7.0 -- 88.191.35.181 -- 88.191.35.1 ---------------------- 
82.236.77.254 -- 82.236.77.42 -- 172.16.7.10

The client take the adress 172.16.7.10 and can ping with any problems 
all network 172.16.7.0. The client can also ping
the remote public interface : 88.191.35.181 but can't ping 88.191.35.1 
and anything on internet.

any idea please ?
Thanks

reza.

Reza ISSANY a écrit :
> Hi,
>
> The gateway have internet :
> root at integration:~# ping google.com
> PING google.com (72.14.207.99) 56(84) bytes of data.
> 64 bytes from 72.14.207.99: icmp_seq=1 ttl=245 time=86.7 ms
> 64 bytes from 72.14.207.99: icmp_seq=2 ttl=245 time=86.8 ms
> 64 bytes from 72.14.207.99: icmp_seq=3 ttl=245 time=86.8 ms
>
> --- google.com ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
> rtt min/avg/max/mdev = 86.775/86.828/86.857/0.243 ms
>
> and my iptable looks to be good :
>
> #!/bin/sh
> # reset des tables
> iptables -F
>
> #iptables-restore < /var/log/uiptables
> iptables -t filter -A INPUT -p all -j ULOG --ulog-prefix=DefaultDrop
>
> # default policy : DROP
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # on accepte les paquets relatifs aux connexions deja ouvertes
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -s 172.16.7.0/16 -j ACCEPT
> iptables -A FORWARD -s 172.16.7.0/16 -j ACCEPT
>
> # Autorisation des requetes DNS
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>
> # on accepte les requetes icmp
> iptables -A INPUT -i eth0 -p icmp -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW -j ACCEPT
>
> # telnet
> iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
>
> # ssh
> iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
>
> # ipsec vpn
> iptables -A INPUT  -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
> iptables -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
> # IKE negotiations
> iptables -A INPUT  -p udp -m udp -i eth0 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
> # ESP encryption & authentication
> iptables -A INPUT  -p 50 -i eth0 -j ACCEPT
> iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
> # L2TP roadwarrior
> iptables -A INPUT  -p udp -i eth0 --dport 1701 -j ACCEPT
> iptables -A OUTPUT  -p udp -o eth0 --dport 1701 -j ACCEPT
>
> # accepte tout ce qui concerne l'interface loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # on accepte ce qui sort vers l'exterieur
> iptables -A OUTPUT -o eth0 -j ACCEPT
>
> Any idea ?
>
> reza.
>
> Paul Wouters a écrit :
>> On Tue, 28 Nov 2006, Reza ISSANY wrote:
>>
>>   
>>> Here it is my ipsec verify command results :
>>>
>>> root at integration:~# ipsec verify
>>> Checking your system to see if IPsec got installed and started correctly:
>>> Version check and ipsec on-path                                 [OK]
>>> Linux Openswan U2.4.7/K2.6.18.3dedibox_r6_final (netkey)
>>> Checking for IPsec support in kernel                            [OK]
>>> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
>>> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
>>> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
>>>  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>>> Checking that pluto is running                                  [OK]
>>> Checking for 'ip' command                                       [OK]
>>> Checking for 'iptables' command                                 [OK]
>>> Opportunistic Encryption Support                                [DISABLED]
>>>
>>> Any idea to activate Internet on vpn l2tpd clients ?
>>>     
>>
>> That looks good. Do the checks I asked you to do before:
>>
>>   
>>>> check
>>>> for firewall rules, check for NAT, and check if the gateway can reach the
>>>> internet
>>>> on its "l2tp pool" IP address using 'ping -I sourceip www.google.com'
>>>>
>>>>       
>>
>> Paul
>>   
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20061130/6d565599/attachment.html 


More information about the Users mailing list