[Openswan Users] Subnets conmunication?

Peter McGill petermcgill at goco.net
Wed Jun 6 16:13:29 EDT 2007


> -----Original Message-----
> Date: Wed, 6 Jun 2007 11:13:16 -0600
> From: "IT Dept." <it at technovation.com.sv>
> Subject: Re: [Openswan Users] Subnets conmunication?
> To: <users at openswan.org>
> 
> Ok, I tried
> 
> iptables -t filter -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
> 
> But nothing changed...

Alright, try this; it should override any other rules.
iptables -t filter -I FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

Also make sure forwarding is enabled on your linux.
echo "1" > /proc/sys/net/ipv4/ip_forward

I don't think these will help, but just in case, you can try these.
iptables -t filter -I INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -t filter -I OUTPUT -d 192.168.0.0/16 -j ACCEPT

You could also check the Linksys firewall and make sure it's not blocking.

Note also that your ping tests must come from a workstation on site A
to a workstation on site B, or vice versa, not from the Linksys or
the Openswan machine; the subnets are not set up for router pings.

Here's another test you can do.
On the Openswan machine, run tcpdump to log the traffic.
tcpdump net 192.168.0.0/16

Leave the program running and do your ping test as above.

Then go back to the Openswan machine when the test has finished and press Ctrl+C to stop the capture.
Send the tcpdump output to the list. It should indicate where in the trip the
pings are failing, either before, during or after travelling through the Openswan
machine. This might give us an idea where to look for the problem.

Peter

> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: Wednesday, 06 June 2007 10:47 a.m.
> To: it at technovation.com.sv
> CC: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
> 
> > -----Original Message-----
> > Date: Wed, 6 Jun 2007 09:04:58 -0600
> > From: "IT Dept." <it at technovation.com.sv>
> > Subject: Re: [Openswan Users] Subnets conmunication?
> > To: <users at openswan.org>
> > 
> > Ok... here is my latest conf
> > 
> > conn sucursal_40
> > 	authby=secret
> > 	auto=add
> > 	esp=3des-md5
> > 	ikelifetime=3600s
> > 	keylife=3600s
> > 	left=208.70.149.161
> > 	leftrsasigkey=(the Key)
> > 	leftsubnet=192.168.0.0/16
> > 	pfs=yes
> > 	right=190.53.0.113
> > 	rightsubnet=192.168.40.0/24
> > 
> > conn sucursal_50
> > 	authby=secret
> > 	auto=add
> > 	esp=3des-md5
> > 	ikelifetime=3600s
> > 	keylife=3600s
> > 	left=208.70.149.161
> > 	leftrsasigkey=(the Key)
> > 	leftsubnet=192.168.0.0/16
> > 	pfs=yes
> > 	right=%any
> > 	rightsubnet=192.168.50.0/24
> > 
> > and this is the log
> > 
> > Jun  6 09:59:31 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x80f41efc <0x9623ac90 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> > 
> > Jun  6 09:59:43 vpn pluto[5269]: "sucursal_40" #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xdf2786d4 <0x4c0b74b3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> > 
> > But I can't ping between subnets...
> 
> Alright, your connections are working; they are connected.
> 
> See both IPsec SAs established in the logs.
> 
> If you still can't ping between the two, that probably means
> that your firewall rules are dropping the packets.
> 
> You may need to add a rule to your firewall like this.
> 
> iptables -t filter -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
> 
> Peter
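As an added example that is not part of the thread (the script below is mine, not Peter's and not Openswan's), here is a small sh checklist that packages the three steps Peter gives: check ip_forward, insert the FORWARD rule, and read the tcpdump capture. It assumes the hub subnet 192.168.0.0/16 and the branch subnets 192.168.40.0/24 and 192.168.50.0/24 from the posted conn definitions, and that the gateway runs the NETKEY/xfrm stack, where the iptables `-m policy` match is available; on KLIPS, decrypted packets arrive on ipsec0 instead, so you would match `-i ipsec0` rather than `--pol ipsec`. The FORWARD rule is deliberately narrower than the one in the thread: the thread's rule forwards any 192.168/16 packet, including clear-text packets that arrive on the outside interface with a spoofed branch address, whereas `--dir in --pol ipsec` only matches packets that were actually decrypted from an IPsec SA. The capture classifier reads `tcpdump -n` text and reports, in Peter's three buckets, whether the echo requests never reached the gateway, reached it without replies, or were answered through it. The sample capture and the host addresses 192.168.1.20 and 192.168.40.10 are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan.
# Assumes NETKEY/xfrm (iptables -m policy) and the subnets from the posted conf.

HUB_NET=192.168.0.0/16                        # leftsubnet on the Openswan box
BRANCH_NETS="192.168.40.0/24 192.168.50.0/24" # rightsubnets of sucursal_40 / sucursal_50

# Emit the iptables commands for one branch. Traffic between hub and branch is
# forwarded only when it was decrypted from an IPsec SA (--dir in) or will be
# encrypted into one (--dir out). Inserted at the top of FORWARD like Peter's
# rule, but a clear-text packet on the WAN side with a 192.168.x source does
# not match and stays subject to the rest of the chain.
forward_rules() {
    hub=$1
    branch=$2
    printf 'iptables -t filter -I FORWARD -s %s -d %s -m policy --dir in --pol ipsec -j ACCEPT\n' "$branch" "$hub"
    printf 'iptables -t filter -I FORWARD -s %s -d %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$hub" "$branch"
}

# "1" if the kernel forwards IPv4, "0" if not, "unknown" off Linux.
ip_forward_state() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

# Read `tcpdump -n` text on stdin and say where a ping from $1 (site A host)
# to $2 (site B host) dies, using the same three buckets as the thread:
#   before - no echo request from $1 ever reached the Openswan box
#   during - requests arrived, but no reply came back through it
#   after  - requests and replies both crossed the box; look at the end hosts
classify_ping_capture() {
    awk -v s="$1" -v d="$2" '
        index($0, "IP " s " > " d ": ICMP echo request") { req++ }
        index($0, "IP " d " > " s ": ICMP echo reply")   { rep++ }
        END {
            if (req == 0) print "before"
            else if (rep == 0) print "during"
            else print "after"
        }'
}

# Constructed sample capture: requests cross the box, replies never return.
SAMPLE_CAPTURE='12:01:05.120314 IP 192.168.1.20 > 192.168.40.10: ICMP echo request, id 3, seq 1, length 64
12:01:06.121002 IP 192.168.1.20 > 192.168.40.10: ICMP echo request, id 3, seq 2, length 64'

if [ "${1:-}" = "apply" ]; then
    # Real changes only on explicit request (needs root on the gateway).
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for net in $BRANCH_NETS; do forward_rules "$HUB_NET" "$net" | sh; done
else
    # Dry run: show the forwarding state, the rules that would be added, and
    # the verdict on the sample capture.
    echo "ip_forward=$(ip_forward_state)"
    for net in $BRANCH_NETS; do forward_rules "$HUB_NET" "$net"; done
    printf '%s\n' "$SAMPLE_CAPTURE" | classify_ping_capture 192.168.1.20 192.168.40.10
fi
```

Run it without arguments on the gateway for a dry run, or feed a real capture with `tcpdump -n net 192.168.0.0/16 | ./check.sh` style piping into `classify_ping_capture`; `-n` keeps tcpdump from doing reverse DNS lookups that would change the address format the classifier matches on. Use `apply` only once the printed rules look right for your subnets.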


