[Openswan Users] FC6 iptables problem
wangxx at jmu.edu
Thu Mar 22 23:43:51 EDT 2007
Thank you for the reply.
My other responses are inline.
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, March 22, 2007 5:38 PM
> To: Xunhua Wang
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] FC6 iptables problem
> On Thu, 22 Mar 2007, Xunhua Wang wrote:
> > I have a Fedora Core 6 box and have installed "Linux Openswan
> > U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box
> > I checked /var/log/secure and found that an IPsec SA was indeed
> > It looks like that iptables has blocked the subsequent L2TP traffic.
> You must allow all decrypted packets, which means using the MARK facility
> to mark the encrypted packets, and then using the mark to ACCEPT them
> after decryption. This is due to netkey not having seperate interfaces.
What commands should I use? With the following command to mark ESP packets?
iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
How to accept them after decryption?
One weird thing is that I do _not_ have to do this on our RedHat Enterprise
Linux 4 box ("Linux Openswan U2.4.5/K2.6.9-5.ELsmp (netkey)"), which has
iptables v1.2.11. What makes FC6 different? (The FC6 box has iptables
> > -A FORWARD -j RH-Firewall-1-INPUT
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp --dport 500 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp --dport 500 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp --dport 4500 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp --dport 4500 -j ACCEPT
> Looks okay.
> Are there any output or forward table rules?
> did you run ipsec verify ?
Yes. The output is as follows, which looks normal.
[root at Newton etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.7/K2.6.20-1.2925.fc6 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
> Building and integrating Virtual Private Networks with Openswan:
More information about the Users