[Openswan Users] Unable to pass traffic on site-to-site VPN

Robyn Orosz rorosz at gmail.com
Tue Jun 26 10:17:27 EDT 2007


Hi Peter,

I added the following:

# exempt traffic for the two tunnel subnets from NAT, then masquerade the rest
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.44.0/24 -d 192.168.50.0/24 -j RETURN

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.44.0/24 -d 192.168.1.0/24 -j RETURN

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.44.0/24 -d 0.0.0.0/0 -j MASQUERADE

This seems to be working fine.  Thanks again for pointing me in the right
direction.

-Robyn

On 6/26/07, Robyn Orosz <rorosz at gmail.com> wrote:
>
> Peter,
>
> You were absolutely correct.  Thank you so much!  I was totally stressing
> on this one yesterday!
>
> BTW - I'm sure I can find the info somewhere, but do you have any idea how
> I can MASQ everything but the IPSEC packets when the tunnels are on 2
> discontiguous subnets?
>
> Thanks again for all your help.
>
> -Robyn
>
> On 6/26/07, Peter McGill <petermcgill at goco.net> wrote:
> >
> > > -----Original Message-----
> > > Date: Mon, 25 Jun 2007 14:10:16 -0700
> > > From: "Robyn Orosz" < rorosz at gmail.com>
> > > Subject: [Openswan Users] Unable to pass traffic on site-to-site VPN
> > > To: users at openswan.org
> > >
> > > Hi,
> > >
> > > I am running into an intermittent issue where no traffic will pass on my
> > > site-to-site VPN.  The tunnels are up but packets that match the subnets in
> > > the proposal do not enter the tunnel.
> > >
> > > Below I have replaced the local public IP address with <local-ip> and the
> > > remote public IP address with <remote-ip>.
> > >
> > > Here is the ipsec.conf
> > > config setup
> > >         interfaces="ipsec0=eth0"
> > >         nat_traversal=yes
> > >         virtual_private="%v4:192.168.1.0/24,%v4:192.168.50.0/24"
> > >         hidetos=yes
> > >         syslog=daemon.debug
> > >         plutodebug="all"
> >
> > Set plutodebug=none or your logs will be virtually unreadable.
> >
> > > There are also 2 masquerade rules that are supposed to masquerade all other
> > > traffic that is not destined for the tunnel.  They seem to be working fine.
> > > Internet traffic passes without issues.
> > >
> > >    157  8715 MASQUERADE  0    --  any    eth0     192.168.44.0/24     !192.168.50.0/24
> > >     45  4092 MASQUERADE  0    --  any    eth0     192.168.44.0/24     !192.168.1.0/24
> >
> > These iptables rules should not work. You will end up MASQing
> > everything.
> >
> > Packets destined for internet will match first rule and get MASQ'd.
> > They will work correctly.
> >
> > Packets destined for 192.168.50.0/24 will not match the first rule,
> > but will match the second rule and get MASQ'd; this will break your pings,
> > etc...
> >
> > Packets destined for 192.168.1.0/24 will match the first rule and get
> > MASQ'd, breaking your pings etc...
> >
> > You must have only one MASQ rule.
> >
> > You will have to mark the ipsec packets then MASQ the unmarked packets.
> >
> > Peter
> >
> >
>
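Peter's point (two MASQUERADE rules with negated destinations end up NATing the tunnel traffic too) and Robyn's RETURN-then-MASQUERADE fix, modelled as an added example that is not code from this thread: a first-match walk over the nat POSTROUTING chain in Python, using the thread's subnets and constructed destination addresses. The -o eth0 and -s 192.168.44.0/24 matches are assumed to hold for every sample packet and are left out of the model.

```python
# Added example (not from the thread): first-match evaluation of the two
# nat POSTROUTING rule sets discussed above. Each rule is
# (destination network, negated?, target); sample destinations are constructed.
import ipaddress

TUNNEL_NETS = ["192.168.50.0/24", "192.168.1.0/24"]   # subnets from the thread

# Original chain: two MASQUERADE rules, each with a negated destination.
BROKEN_CHAIN = [
    ("192.168.50.0/24", True, "MASQUERADE"),   # -d !192.168.50.0/24
    ("192.168.1.0/24", True, "MASQUERADE"),    # -d !192.168.1.0/24
]

# Corrected chain: exempt each tunnel subnet with RETURN, then one MASQUERADE.
FIXED_CHAIN = [
    ("192.168.50.0/24", False, "RETURN"),
    ("192.168.1.0/24", False, "RETURN"),
    ("0.0.0.0/0", False, "MASQUERADE"),
]


def verdict(chain, dst):
    """Walk the chain top to bottom; the first matching rule's target wins.
    RETURN in a built-in chain, or no match at all, means the chain policy
    (ACCEPT, i.e. no NAT) applies."""
    addr = ipaddress.ip_address(dst)
    for net, negate, target in chain:
        if (addr in ipaddress.ip_network(net)) != negate:
            return target
    return "ACCEPT"


def is_masqueraded(chain, dst):
    return verdict(chain, dst) == "MASQUERADE"


def should_masquerade(dst):
    """Only traffic that is not bound for a tunnel subnet may be NATed."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in ipaddress.ip_network(n) for n in TUNNEL_NETS)


def audit(chain, dsts):
    """Destinations the chain masquerades although they belong in the tunnel."""
    return [d for d in dsts if is_masqueraded(chain, d) and not should_masquerade(d)]


if __name__ == "__main__":
    samples = ["192.168.50.10", "192.168.1.20", "203.0.113.5"]  # constructed
    for name, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, {d: verdict(chain, d) for d in samples}, "wrongly NATed:", audit(chain, samples))
```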