[Openswan Users] FC6 iptables problem

Paul Wouters paul at xelerance.com
Thu Mar 22 18:38:28 EDT 2007

On Thu, 22 Mar 2007, Xunhua Wang wrote:

> I have a Fedora Core 6 box and have installed "Linux Openswan
> U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box has

> I checked /var/log/secure and found that an IPsec SA was indeed established.
> It looks like that iptables has blocked the subsequent L2TP traffic.

You must allow all decrypted packets, which means using the MARK facility
to mark the encrypted packets, and then using the mark to ACCEPT them
after decryption. This is due to netkey not having seperate interfaces.

> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 500 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 500 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 4500 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 4500 -j ACCEPT

Looks okay.
Are there any output or forward table rules?
did you run ipsec verify ?

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list