[Openswan Users] Strange Firewall problem

Frederico Madeira fmadeira at gmail.com
Wed Dec 5 16:10:57 EST 2007


Hi guys

I did a setup of a net-to-net VPN. From a host inside NETA I can ping
hosts on NETB. From NETB I can ping NETA.
I can only use ICMP. If I try any other protocol, it doesn't work.

My firewall rules to allow this traffic are:

$IPTABLES -A FORWARD -s NETA -d NETB -j ACCEPT
$IPTABLES -A FORWARD -s NETB -d NETA -j ACCEPT

I did this test:

A: Added rules on the firewall to log everything between NETA and NETB.
These rules are the first ones in the FORWARD chain.

$IPTABLES -A FORWARD -s NETA -d NETB -j LOG --log-level DEBUG --log-prefix "A->B: "
$IPTABLES -A FORWARD -s NETB -d NETA -j LOG --log-level DEBUG --log-prefix "B->A: "
B: Started tcpdump on the WAN interface of the openswan/firewall server on NETB

C: From one host inside NETA, I started a ping to a host in NETB

D: From one host inside NETA, I started an nmap scan against a host in NETB

E: From one host inside NETA, I tried a telnet to a host in NETB

Results:

In the firewall logs, I saw only packets from test C.
In the tcpdump output, I saw:
for test C: echo request and echo reply packets
for test D: only SYN packets from NETA to NETB (no reply)
for test E: only SYN packets from NETA to NETB (no reply)

It looks like some traffic isn't arriving at the firewall, being blocked before it gets there.

Does anyone have any idea how to solve this issue?

Thanks a lot.

Fred
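The comparison Fred did by hand (what tcpdump saw on the WAN side versus what the LOG rules at the top of FORWARD recorded) is the useful part of this post, and it generalises to any protocol. The script below is an added example, not code from the post or from Openswan: it parses `tcpdump -n` output and kernel LOG-target lines into the same per-flow key, then reports every captured flow that never hit a LOG rule, plus per-protocol counts. The sample capture and log lines are constructed for this example (RFC 5737 addresses for the gateways, 10.1.0.0/24 and 10.2.0.0/24 standing in for NETA and NETB, "A->B"/"B->A" as the log prefixes from the post); the ESP packets are skipped because the LOG rules in the post match the decrypted inner addresses, not the outer tunnel packets.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not from the original post).  TCPDUMP_LINES is what
# "tcpdump -n" on the NETB gateway's WAN interface might show during tests C, D
# and E; KERNLOG_LINES is what the two LOG rules at the top of FORWARD wrote.
TCPDUMP_LINES = """\
16:01:02.100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x12), length 132
16:01:02.101 IP 10.1.0.5 > 10.2.0.7: ICMP echo request, id 1, seq 1, length 64
16:01:02.102 IP 10.2.0.7 > 10.1.0.5: ICMP echo reply, id 1, seq 1, length 64
16:01:05.300 IP 10.1.0.5.45231 > 10.2.0.7.23: Flags [S], seq 10, win 5840, length 0
16:01:06.300 IP 10.1.0.5.45231 > 10.2.0.7.23: Flags [S], seq 10, win 5840, length 0
16:01:09.500 IP 10.1.0.5.51002 > 10.2.0.7.80: Flags [S], seq 20, win 1024, length 0
16:01:09.501 IP 10.1.0.5.51003 > 10.2.0.7.22: Flags [S], seq 21, win 1024, length 0
"""
KERNLOG_LINES = """\
Dec  5 16:01:02 gw kernel: A->B: IN=eth0 OUT=eth1 SRC=10.1.0.5 DST=10.2.0.7 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec  5 16:01:02 gw kernel: B->A: IN=eth1 OUT=eth0 SRC=10.2.0.7 DST=10.1.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
_TD_PORTS = re.compile(r"^\S+ IP " + IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\d+): (.*)$")
_TD_NOPORT = re.compile(r"^\S+ IP " + IPV4 + r" > " + IPV4 + r": (\S+)")
_KERN = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$")
_KV = re.compile(r"(\w+)=(\S*)")


def parse_tcpdump(text):
    """One flow key per 'tcpdump -n' line: ('TCP', src, dst, sport, dport),
    ('ICMP', src, dst), or (proto, src, dst) for port-less protocols like ESP."""
    flows = []
    for line in text.splitlines():
        m = _TD_PORTS.match(line)
        if m:
            src, sport, dst, dport, rest = m.groups()
            proto = "TCP" if rest.startswith("Flags [") else "UDP" if "UDP" in rest else "OTHER"
            flows.append((proto, src, dst, int(sport), int(dport)))
            continue
        m = _TD_NOPORT.match(line)
        if m:
            src, dst, what = m.groups()
            flows.append((what.split("(")[0].rstrip(":,").upper(), src, dst))
    return flows


def parse_kernlog(text):
    """(log prefix, flow key) per netfilter LOG line, same key shape as above."""
    out = []
    for line in text.splitlines():
        m = _KERN.search(line)
        if not m:
            continue
        f = dict(_KV.findall(m.group("fields")))  # IN=, OUT=, SRC=, PROTO=, ...
        proto = f.get("PROTO", "?")
        if proto in ("TCP", "UDP"):
            key = (proto, f["SRC"], f["DST"], int(f["SPT"]), int(f["DPT"]))
        else:
            key = (proto, f["SRC"], f["DST"])
        out.append((m.group("prefix").strip().rstrip(":"), key))
    return out


def compare(capture_text, log_text, ignore=("ESP", "AH")):
    """Return (unlogged, summary).  unlogged maps each flow seen on the wire but
    never matched by a LOG rule to its packet count; summary maps protocol ->
    (flows captured, flows that reached a LOG rule).  Outer IPsec packets are
    skipped because the LOG rules match the decrypted inner addresses."""
    captured = Counter(k for k in parse_tcpdump(capture_text) if k[0] not in ignore)
    logged = defaultdict(Counter)
    for prefix, key in parse_kernlog(log_text):
        logged[key][prefix] += 1
    unlogged = {k: n for k, n in captured.items() if k not in logged}
    summary = {}
    for proto in sorted({k[0] for k in captured}):
        seen = [k for k in captured if k[0] == proto]
        summary[proto] = (len(seen), sum(1 for k in seen if k in logged))
    return unlogged, summary


def report(unlogged, summary):
    """Human-readable lines for the result of compare()."""
    lines = ["%s: %d flow(s) on the wire, %d reached a LOG rule" % (p, s, h)
             for p, (s, h) in summary.items()]
    for key, n in sorted(unlogged.items(), key=str):
        ports = ":%d -> :%d" % key[3:5] if len(key) == 5 else ""
        lines.append("never logged: %s %s -> %s%s (%d packet(s))"
                     % (key[0], key[1], key[2], ports, n))
    return lines


if __name__ == "__main__":
    print("\n".join(report(*compare(TCPDUMP_LINES, KERNLOG_LINES))))
```

On the sample data this prints that both ICMP flows reached a LOG rule while none of the three TCP flows did, which is exactly the "arrives on the WAN interface but never enters FORWARD" pattern the post describes. In practice you would feed it the real `tcpdump -n` output and `dmesg`/syslog, and if FORWARD is clean, move the LOG rules up to `raw PREROUTING` or `mangle PREROUTING` on the same box to see whether the decrypted packets reach the netfilter hooks at all.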
