[Openswan Users] Unable to pass traffic on site-to-site VPN

Peter McGill petermcgill at goco.net
Tue Jun 26 09:10:47 EDT 2007


> -----Original Message-----
> Date: Mon, 25 Jun 2007 14:10:16 -0700
> From: "Robyn Orosz" <rorosz at gmail.com>
> Subject: [Openswan Users] Unable to pass traffic on site-to-site VPN
> To: users at openswan.org
> 
> Hi,
> 
> I am running into an intermittent issue where no traffic will pass on my
> site-to-site VPN.  The tunnels are up but packets that match the subnets in
> the proposal do not enter the tunnel.
> 
> Below I have replaced the local public IP address with <local-ip> and the
> remote public IP address with <remote-ip>.
> 
> Here is the ipsec.conf
> config setup
>         interfaces="ipsec0=eth0"
>         nat_traversal=yes
>         virtual_private="%v4:192.168.1.0/24,%v4:192.168.50.0/24"
>         hidetos=yes
>         syslog=daemon.debug
>         plutodebug="all"

Set plutodebug=none or your logs will be virtually unreadable.

> There are also 2 masquerade rules that are supposed to masquerade all other
> traffic that is not destined for the tunnel.  They seem to be working fine.
> Internet traffic passes without issues.
> 
>    157  8715 MASQUERADE  0    --  any    eth0    192.168.44.0/24    !192.168.50.0/24
>     45  4092 MASQUERADE  0    --  any    eth0    192.168.44.0/24    !192.168.1.0/24

These iptables rules should not work. You will end up MASQing everything.

Packets destined for the internet will match the first rule and get MASQ'd.
They will work correctly.

Packets destined for 192.168.50.0/24 will not match the first rule, but will
match the second rule and get MASQ'd; this will break your pings, etc.

Packets destined for 192.168.1.0/24 will match the first rule and get
MASQ'd, breaking your pings, etc.

You must have only one MASQ rule.

You will have to mark the ipsec packets, then MASQ the unmarked packets.

Peter
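The first-match behaviour Peter describes, and the mark-then-MASQUERADE fix he recommends, modelled as an added example (not code from the post or from Openswan). It assumes a fwmark value of 1 and an outbound interface of eth0 (the interface shown in the quoted rules); the simulation only uses the subnets quoted in the thread plus a constructed public address from the documentation range.

```python
import ipaddress

# Values taken from the quoted post: the LAN behind the gateway and the two
# remote subnets whose traffic is supposed to enter the IPsec tunnel.
LAN = ipaddress.ip_network("192.168.44.0/24")
TUNNEL_SUBNETS = (
    ipaddress.ip_network("192.168.50.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
)
VPN_MARK = 1  # assumption: any non-zero fwmark value would do


def broken_masq(src, dst):
    """Model of the two POSTROUTING rules in the post, each negating ONE tunnel
    subnet. Returns the index of the first rule that matches, or None if the
    packet is left alone (and can therefore enter the tunnel unchanged)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [(LAN, TUNNEL_SUBNETS[0]), (LAN, TUNNEL_SUBNETS[1])]
    for index, (src_net, negated_dst) in enumerate(rules):
        # iptables evaluates a chain top-down and stops at the first match,
        # so a packet excluded by rule 0 is still eligible for rule 1.
        if src in src_net and dst not in negated_dst:
            return index
    return None


def mark_packet(src, dst):
    """Model of mangle-table rules that mark LAN traffic bound for a tunnel subnet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and any(dst in net for net in TUNNEL_SUBNETS):
        return VPN_MARK
    return 0


def fixed_masq(src, dst):
    """The single MASQUERADE rule Peter suggests: it fires only for LAN sources
    whose packets were NOT marked as tunnel traffic ('-m mark ! --mark 1')."""
    return ipaddress.ip_address(src) in LAN and mark_packet(src, dst) != VPN_MARK


def fixed_rules():
    """iptables commands implementing the mark-then-MASQUERADE approach.
    The outbound interface eth0 is taken from the quoted rules."""
    cmds = [
        f"iptables -t mangle -A PREROUTING -s {LAN} -d {net} -j MARK --set-mark {VPN_MARK}"
        for net in TUNNEL_SUBNETS
    ]
    cmds.append(
        f"iptables -t nat -A POSTROUTING -o eth0 -s {LAN} "
        f"-m mark ! --mark {VPN_MARK} -j MASQUERADE"
    )
    return cmds


if __name__ == "__main__":
    # 203.0.113.5 is a constructed "internet" destination (RFC 5737 range).
    for dst in ("203.0.113.5", "192.168.50.10", "192.168.1.10"):
        print(f"{dst:>14}  broken rule hit: {broken_masq('192.168.44.5', dst)}"
              f"  fixed MASQ: {fixed_masq('192.168.44.5', dst)}")
    print("\n".join(fixed_rules()))
```

Running it shows the two-rule set masquerading traffic for both tunnel subnets (each subnet slips past the rule that negates it and is caught by the other), while the marked variant only masquerades the internet-bound packet. A quick check on a live box is `iptables -t nat -L POSTROUTING -v -n` after the tunnel comes up: the MASQUERADE counter must not increase while you ping a host on the far side.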


