[Openswan Users] IPSec SA established, but can't ping hosts on other side

Roland Roberts roland at astrofoto.org
Fri Aug 3 00:31:34 EDT 2007


My gateway host has three interfaces, one facing the internet, one
facing my internal LAN, and one facing a wireless AP.  I have firewall
rules in place that allow packets to travel from the WAP to the
internet, but not to the LAN.  Packets from either the LAN or the WAP
get nat'ed before going out to the internet, but there is no nat'ing
for packets from the LAN to the WAP and vice versa.  Here is that
section of the iptables config:

-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth3 -o eth2 -j ACCEPT
-A FORWARD -i eth3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ppp0 -j ACCEPT

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth3 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT


My iptables rules also include

-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 -j ACCEPT

which is set up to be interface independent.

From my wireless laptop, I can bring up the connection, but I can't ping
hosts on the other side.  iptables is *not* running on the laptop, only
on the gateway.

I'm mostly certain this is an iptables config issue, but I'm not clear
on how to resolve it.

This is on a Fedora Core 6 laptop.  Here are the ipsec config files from
the laptop.

[root@aristarchus ipsec.d]# cat ../ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        forwardcontrol=yes

include /etc/ipsec.d/*.conf
[root@aristarchus ipsec.d]# cat no_oe.conf
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
[root@aristarchus ipsec.d]# cat rlent.conf
conn rlent-wl
    left=%defaultroute
    leftid=@aristarchus-wl.rlent.pnet
    leftrsasigkey=...
    right=192.168.5.1
    rightsubnet=192.168.3.0/24
    rightid=@tycho-wl.rlent.pnet
    rightrsasigkey=...
    auto=add

And here are my config files from the gateway:

354 root> cat ../ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        nat_traversal=yes
        # "%v4:" prefix on every entry (the third entry read "%4:" as posted)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.3.0/24

include /etc/ipsec.d/*.conf
355 root> cat no_oe.conf
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
356 root> cat rlent.conf
conn rlent-wl
    left=192.168.5.1
    leftid=@tycho-wl.rlent.pnet
    leftsubnet=192.168.3.0/24
    leftrsasigkey=...
    right=%any
    rightid=@aristarchus-wl.rlent.pnet
    rightrsasigkey=...
    auto=add


-- 
		       PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD                             RL Enterprises
roland at rlenter.com                            6818 Madeline Court
roland at astrofoto.org                           Brooklyn, NY 11220
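As an added illustration (not part of Roland's post or of Openswan), a toy first-match evaluator over the FORWARD rules quoted above. It assumes the NETKEY stack (decrypted packets reappear on eth3, the WAP interface, and so meet the eth3 REJECT before reaching the LAN), that eth0 is the LAN side, and a DROP default policy; it also shows the effect of an iptables `-m policy --dir in --pol ipsec` rule placed ahead of the REJECT, which admits only traffic that arrived inside an IPsec SA.

```python
# Toy first-match evaluator for the gateway's FORWARD chain. Constructed example:
# the rules below are the ones quoted in the post; the policy-match rule and the
# interface roles (eth0 = LAN, eth3 = WAP, eth2 = internet) are assumptions.
IPSEC_RULE = "-A FORWARD -i eth3 -m policy --dir in --pol ipsec -j ACCEPT"

ORIGINAL = [
    "-A FORWARD -i eth0 -j ACCEPT",
    "-A FORWARD -i eth3 -o eth2 -j ACCEPT",
    "-A FORWARD -i eth3 -j REJECT --reject-with icmp-port-unreachable",
    "-A FORWARD -i ppp0 -j ACCEPT",
]
# Same chain with the policy-match rule inserted ahead of the eth3 REJECT.
HARDENED = ORIGINAL[:2] + [IPSEC_RULE] + ORIGINAL[2:]


def parse(rule):
    """Reduce an iptables-save style rule to its match criteria and target."""
    toks = rule.split()
    r = {"policy": None}
    for i, t in enumerate(toks):
        if t == "-i":
            r["in"] = toks[i + 1]
        elif t == "-o":
            r["out"] = toks[i + 1]
        elif t == "-j":
            r["target"] = toks[i + 1]
        elif t == "--pol":
            r["policy"] = toks[i + 1]  # 'ipsec' or 'none'
    return r


def matches(r, pkt):
    """Interface and IPsec-policy criteria must all agree for the rule to fire."""
    if "in" in r and r["in"] != pkt["in"]:
        return False
    if "out" in r and r["out"] != pkt["out"]:
        return False
    if r["policy"] == "ipsec" and not pkt["ipsec"]:
        return False
    if r["policy"] == "none" and pkt["ipsec"]:
        return False
    return True


def verdict(chain, pkt, default="DROP"):
    """First matching rule wins, as in the kernel; default policy assumed DROP."""
    for r in map(parse, chain):
        if matches(r, pkt):
            return r["target"]
    return default


# Decrypted ping from the laptop: seen on eth3 after ESP decapsulation, bound for the LAN.
PING_FROM_LAPTOP = {"in": "eth3", "out": "eth0", "ipsec": True}
```

Replies from the LAN back to the laptop (in eth0, out eth3) already pass the first rule, so only the laptop-to-LAN direction needs the extra rule.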