[Openswan Users] FC6 iptables problem
Paul Wouters
paul at xelerance.com
Thu Mar 22 18:38:28 EDT 2007
On Thu, 22 Mar 2007, Xunhua Wang wrote:
> I have a Fedora Core 6 box and have installed "Linux Openswan
> U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box has
> I checked /var/log/secure and found that an IPsec SA was indeed established.
> It looks like that iptables has blocked the subsequent L2TP traffic.
You must allow all decrypted packets, which means using the MARK facility
to mark the encrypted packets, and then using the mark to ACCEPT them
after decryption. This is due to netkey not having separate interfaces.
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 500 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 500 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 4500 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 4500 -j ACCEPT
Looks okay.
Are there any output or forward table rules?
Did you run ipsec verify?
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
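The MARK trick Paul describes, written out as an added example (this is not code from the mail above, nor an Openswan or Fedora script). It assumes the FC6 chain name RH-Firewall-1-INPUT shown in the quoted rules, that xl2tpd listens on the standard L2TP port udp/1701, and an arbitrary unused nfmark value of 0x1; the function name, the IPT/IPSEC_MARK/CHAIN variables and the "apply" argument are this example's own conventions:

```shell
#!/bin/sh
# Added example: accept IPsec-decrypted packets on a netkey (XFRM) host.
# Netkey has no ipsec0 interface, so the decrypted inner packet re-enters
# netfilter looking like ordinary cleartext. Marking the still-encrypted
# ESP / NAT-T packet in mangle/PREROUTING works because the nfmark is kept
# on the sk_buff across XFRM decapsulation, so the inner packet carries it.

IPT="${IPT:-iptables}"                  # set IPT=echo for a dry run
MARK="${IPSEC_MARK:-0x1}"               # assumption: any mark bit nothing else uses
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"   # chain name taken from the thread

# usage: ipsec_netkey_rules [l2tp|all]
#   l2tp  accept only L2TP (udp/1701) that arrived through the tunnel (default)
#   all   accept every decrypted packet, the general form Paul describes
ipsec_netkey_rules() {
    mode="${1:-l2tp}"
    case "$mode" in
        l2tp|all) ;;
        *) echo "usage: ipsec_netkey_rules [l2tp|all]" >&2; return 1 ;;
    esac

    # 1. Tag encrypted traffic before decryption: plain ESP and NAT-T (udp/4500).
    "$IPT" -t mangle -A PREROUTING -p esp -j MARK --set-mark "$MARK"
    "$IPT" -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark "$MARK"

    # 2. After decryption the inner packet hits INPUT (or FORWARD, which the
    #    FC6 rules above also send through this chain) with the mark still set.
    #    -I ... 1 places the rule ahead of the existing catch-all REJECT.
    if [ "$mode" = all ]; then
        "$IPT" -I "$CHAIN" 1 -m mark --mark "$MARK" -j ACCEPT
    else
        # Unencrypted udp/1701 from the outside still falls through to REJECT.
        "$IPT" -I "$CHAIN" 1 -p udp --dport 1701 -m mark --mark "$MARK" -j ACCEPT
    fi
}

# Apply only when run as:  sh ipsec-mark.sh apply [l2tp|all]   (as root)
case "${1:-}" in
    apply) ipsec_netkey_rules "${2:-l2tp}" ;;
esac
```

After loading the rules, `iptables -t mangle -L PREROUTING -n -v` should show the ESP or udp/4500 counters climbing while a client connects, and the mark rule in RH-Firewall-1-INPUT should count the decrypted L2TP packets; if the first counter moves and the second does not, the packets are being dropped before or inside XFRM rather than by the filter, which is where `ipsec verify` and the output/forward rules Paul asks about come in. This example covers the inbound side only; if OUTPUT or FORWARD carry restrictive rules of their own they need separate handling, since outbound L2TP replies are still cleartext when they pass OUTPUT and are only encrypted afterwards.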