[Openswan Users] IPSec SA established, but can't ping hosts on other side
Roland Roberts
roland at astrofoto.org
Fri Aug 3 00:31:34 EDT 2007
My gateway host has three interfaces, one facing the internet, one
facing my internal LAN, and one facing a wireless AP. I have firewall
rules in place that allow packets to travel from the WAP to the
internet, but not to the LAN. Packets from either the LAN or the WAP
get nat'ed before going out to the internet, but there is no nat'ing
for packets from the LAN to the WAP and vice versa. Here is that
section of the iptables config:
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth3 -o eth2 -j ACCEPT
-A FORWARD -i eth3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ppp0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth3 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
My iptables rules also include
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 -j ACCEPT
which is set up to be interface independent.
From my wireless laptop, I can bring up the connection, but I can't ping
hosts on the other side. iptables is *not* running on the laptop, only
the gateway.
I'm mostly certain this is an iptables config issue, but I'm not clear
on how to resolve it.
This is on a Fedora Core 6 laptop. Here are the ipsec config files from
the laptop.
[root at aristarchus ipsec.d]# cat ../ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
forwardcontrol=yes
include /etc/ipsec.d/*.conf
[root at aristarchus ipsec.d]# cat no_oe.conf
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
[root at aristarchus ipsec.d]# cat rlent.conf
conn rlent-wl
left=%defaultroute
leftid=@aristarchus-wl.rlent.pnet
leftrsasigkey=...
right=192.168.5.1
rightsubnet=192.168.3.0/24
rightid=@tycho-wl.rlent.pnet
rightrsasigkey=...
auto=add
And here are my config files from the gateway:
354 root> cat ../ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%v4:!192.168.3.0/24
include /etc/ipsec.d/*.conf
355 root> cat no_oe.conf
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
356 root> cat rlent.conf
conn rlent-wl
left=192.168.5.1
leftid=@tycho-wl.rlent.pnet
leftsubnet=192.168.3.0/24
leftrsasigkey=...
right=%any
rightid=@aristarchus-wl.rlent.pnet
rightrsasigkey=...
auto=add
--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland at rlenter.com 6818 Madeline Court
roland at astrofoto.org Brooklyn, NY 11220
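A quick way to check the suspicion above is to walk a packet through the posted FORWARD rules in order, first match wins, the way the kernel does. With the NETKEY stack, a packet that arrived encrypted on the WAP interface is decrypted and then re-enters FORWARD with that same ingress interface, so it is judged by the same rules as cleartext WAP traffic. The script below is an added illustration, not part of the original post or of Openswan; it assumes eth3 is the WAP interface (as the posted rules imply), that the LAN is behind eth0, and that the chain's default policy is ACCEPT (which does not affect the eth3 cases, since the third rule catches everything else from eth3). The `-m policy` rule is a hypothetical addition used only to show how the verdict changes.

```python
from dataclasses import dataclass

# FORWARD rules exactly as posted, in chain order (first match wins).
FORWARD_RULES = [
    "-A FORWARD -i eth0 -j ACCEPT",
    "-A FORWARD -i eth3 -o eth2 -j ACCEPT",
    "-A FORWARD -i eth3 -j REJECT --reject-with icmp-port-unreachable",
    "-A FORWARD -i ppp0 -j ACCEPT",
]

# Hypothetical rule (not in the post): match decrypted inbound IPsec traffic.
POLICY_RULE = "-A FORWARD -i eth3 -m policy --dir in --pol ipsec -j ACCEPT"


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    ipsec_in: bool = False  # True once the kernel has decrypted it from ESP


def parse_rule(rule):
    """Reduce one iptables rule line to the criteria this model understands."""
    toks = rule.split()
    spec = {"in": None, "out": None, "policy": False, "target": None}
    i = 0
    while i < len(toks):
        if toks[i] == "-i":
            spec["in"] = toks[i + 1]; i += 2
        elif toks[i] == "-o":
            spec["out"] = toks[i + 1]; i += 2
        elif toks[i] == "-j":
            spec["target"] = toks[i + 1]; i += 2
        elif toks[i] == "-m" and toks[i + 1] == "policy":
            spec["policy"] = True; i += 2  # simplified: any policy match = decrypted
        else:
            i += 1
    return spec


def matches(spec, pkt):
    if spec["in"] and spec["in"] != pkt.in_iface:
        return False
    if spec["out"] and spec["out"] != pkt.out_iface:
        return False
    if spec["policy"] and not pkt.ipsec_in:
        return False
    return True


def forward_verdict(pkt, rules=FORWARD_RULES, default="ACCEPT"):
    """Verdict of the first matching rule, or the (assumed) chain policy."""
    for rule in rules:
        spec = parse_rule(rule)
        if matches(spec, pkt):
            return spec["target"]
    return default


def with_policy_rule():
    """Posted chain with the hypothetical policy match inserted before the REJECT."""
    return FORWARD_RULES[:2] + [POLICY_RULE] + FORWARD_RULES[2:]
```

Running `forward_verdict(Packet("eth3", "eth0", ipsec_in=True))` against the posted chain returns REJECT, i.e. decrypted tunnel traffic bound for the LAN is treated exactly like cleartext WAP traffic; with `with_policy_rule()` it returns ACCEPT while plain eth3-to-eth0 traffic still gets REJECT.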