[Openswan Users] Unable to pass traffic on site-to-site VPN
Robyn Orosz
rorosz at gmail.com
Tue Jun 26 09:44:22 EDT 2007
Peter,
You were absolutely correct. Thank you so much! I was totally stressing on
this one yesterday!
BTW - I'm sure I can find the info somewhere, but do you have any idea how I
can MASQ everything but the IPSEC packets when the tunnels are on 2
discontiguous subnets?
Thanks again for all your help.
-Robyn
On 6/26/07, Peter McGill <petermcgill at goco.net> wrote:
>
> > -----Original Message-----
> > Date: Mon, 25 Jun 2007 14:10:16 -0700
> > From: "Robyn Orosz" <rorosz at gmail.com>
> > Subject: [Openswan Users] Unable to pass traffic on site-to-site VPN
> > To: users at openswan.org
> >
> > Hi,
> >
> > I am running into an intermittent issue where no traffic will pass on my
> > site to site VPN. The tunnels are up but packets that match the subnets in
> > the proposal do not enter the tunnel.
> >
> > Below I have replaced the local public IP address with <local-ip> and the
> > remote public IP address with <remote-ip>.
> >
> > Here is the ipsec.conf
> > config setup
> > interfaces="ipsec0=eth0"
> > nat_traversal=yes
> > virtual_private="%v4:192.168.1.0/24,%v4:192.168.50.0/24"
> > hidetos=yes
> > syslog=daemon.debug
> > plutodebug="all"
>
> Set plutodebug=none or your logs will be virtually unreadable.
>
> > There are also 2 masquerade rules that are supposed to masquerade all other
> > traffic that is not destined for the tunnel. They seem to be working fine.
> > Internet traffic passes without issues.
> >
> > 157 8715 MASQUERADE 0 -- any eth0 192.168.44.0/24 !192.168.50.0/24
> > 45 4092 MASQUERADE 0 -- any eth0 192.168.44.0/24 !192.168.1.0/24
>
> These iptables rules should not work. You will end up MASQing everything.
>
> Packets destined for internet will match first rule and get MASQ'd.
> They will work correctly.
>
> Packets destined for 192.168.50.0/24 will not match first rule.
> But will match second rule and get MASQ'd, this will break your pings,
> etc...
>
> Packets destined for 192.168.1.0/24 will match the first rule and get
> MASQ'd, breaking your pings etc...
>
> You must have only one MASQ rule.
>
> You will have to mark the ipsec packets then MASQ the unmarked packets.
>
> Peter
>
>
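The first-match walk Peter describes, as an added example that is not code from this thread or from the Openswan project. It emulates the nat/POSTROUTING chain for the two posted rules and for the mark-then-MASQ fix, and prints the iptables commands for the fix. The subnets and eth0 come from the thread; the mark value 1, the sample destinations and the printed command lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Openswan thread): walk nat/POSTROUTING the way the
# kernel does (first match wins) for the two rule sets under discussion, then
# print the corrected iptables commands. Subnets and eth0 are from the thread;
# mark value 1 and the sample destination IPs are constructed for the example.

LAN=192.168.44.0/24
REMOTE_A=192.168.50.0/24
REMOTE_B=192.168.1.0/24
WAN_IF=eth0

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS -> exit 0 when IP lies inside NET/BITS
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Verdict for a LAN -> DST packet under the two rules posted in the thread:
#   MASQUERADE -s 192.168.44.0/24 ! -d 192.168.50.0/24
#   MASQUERADE -s 192.168.44.0/24 ! -d 192.168.1.0/24
broken_nat() {
    if ! in_subnet "$1" "$REMOTE_A"; then echo MASQUERADE; return; fi   # rule 1
    if ! in_subnet "$1" "$REMOTE_B"; then echo MASQUERADE; return; fi   # rule 2
    echo PASS   # never reached: no destination escapes both negations
}

# Verdict under the fix Peter describes: mark tunnel-bound packets in the
# mangle table, then one MASQUERADE rule that skips marked packets.
fixed_nat() {
    mark=0
    if in_subnet "$1" "$REMOTE_A" || in_subnet "$1" "$REMOTE_B"; then mark=1; fi
    if [ "$mark" -eq 0 ]; then echo MASQUERADE; else echo PASS; fi
}

# iptables commands implementing fixed_nat (printed, not executed, so this
# runs without root; pipe the output into sh on the gateway to apply).
print_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -s $LAN -d $REMOTE_A -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s $LAN -d $REMOTE_B -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN -m mark ! --mark 1 -j MASQUERADE
EOF
}

# 203.0.113.9 is a constructed "internet" destination (documentation range).
for dst in 192.168.50.7 192.168.1.7 203.0.113.9; do
    printf '%-14s posted rules: %-10s fixed: %s\n' "$dst" "$(broken_nat "$dst")" "$(fixed_nat "$dst")"
done
print_rules
```

The mangle rules above only mark packets forwarded from the LAN (PREROUTING); traffic the gateway itself sends to a tunnel subnet would need matching MARK rules in mangle OUTPUT. On a NETKEY (non-KLIPS) stack the same exemption can be written without marks as a first POSTROUTING rule `-m policy --dir out --pol ipsec -j ACCEPT`, but the mark approach works with the ipsec0/KLIPS setup shown in the quoted ipsec.conf.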