[Openswan Users] FC6 iptables problem

Xunhua Wang wangxx at jmu.edu
Thu Mar 22 23:43:51 EDT 2007


Thank you for the reply.

My other responses are inline.

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, March 22, 2007 5:38 PM
> To: Xunhua Wang
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] FC6 iptables problem
> 
> On Thu, 22 Mar 2007, Xunhua Wang wrote:
> 
> > I have a Fedora Core 6 box and have installed "Linux Openswan
> > U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box
> has
> 
> > I checked /var/log/secure and found that an IPsec SA was indeed
> established.
> > It looks like iptables has blocked the subsequent L2TP traffic.
> 
> You must allow all decrypted packets, which means using the MARK facility
> to mark the encrypted packets, and then using the mark to ACCEPT them
> after decryption. This is due to netkey not having separate interfaces.

What commands should I use? With the following command to mark ESP packets?
iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50

How to accept them after decryption?

One weird thing is that I do _not_ have to do this on our RedHat Enterprise
Linux 4 box ("Linux Openswan U2.4.5/K2.6.9-5.ELsmp (netkey)"), which has
iptables v1.2.11. What makes FC6 different? (The FC6 box has iptables
v1.3.5)

> > -A FORWARD -j RH-Firewall-1-INPUT
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp --dport 500 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp --dport 500 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp --dport 4500 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp --dport 4500 -j ACCEPT
> 
> Looks okay.
> Are there any output or forward table rules?
No.

> did you run ipsec verify ?
Yes. The output is as follows, which looks normal.

[root at Newton etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.7/K2.6.20-1.2925.fc6 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  hostname: Unknown host
 ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

> 
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Steve
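The marking approach Paul describes, written out as an added example (not from the thread, and not Openswan's own scripts): the encrypted ESP packet is marked before routing, netkey keeps that mark on the decrypted packet when it re-enters the stack, and the filter chain accepts on the mark. It assumes mark value 50 from the draft rule above, the RH-Firewall-1-INPUT chain from the quoted ruleset, and an IPTABLES variable so the rules can be previewed through a wrapper instead of applied.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed values: mark 50, chain RH-Firewall-1-INPUT, and IPTABLES overridable
# (set IPTABLES=echo to print the rules instead of loading them).
IPTABLES="${IPTABLES:-iptables}"
IPSEC_MARK="${IPSEC_MARK:-50}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"

# Step 1: mark incoming ESP (IP protocol 50) and NAT-T (UDP 4500) in mangle
# PREROUTING. PREROUTING rather than mangle INPUT so the mark is also present
# when the decrypted packet is forwarded instead of delivered locally.
mark_encrypted() {
    "$IPTABLES" -t mangle -A PREROUTING -p esp \
        -j MARK --set-mark "$IPSEC_MARK" || return 1
    "$IPTABLES" -t mangle -A PREROUTING -p udp --dport 4500 \
        -j MARK --set-mark "$IPSEC_MARK" || return 1
}

# Step 2: accept decrypted packets, which still carry the mark, in the filter
# table. Inserted at position 1 so it runs before the chain's catch-all REJECT.
# With the optional argument "l2tp-only" the rule is narrowed to UDP/1701, i.e.
# only L2TP is admitted from the tunnel rather than every decrypted packet.
accept_decrypted() {
    if [ "$1" = "l2tp-only" ]; then
        "$IPTABLES" -I "$CHAIN" 1 -m mark --mark "$IPSEC_MARK" \
            -p udp --dport 1701 -j ACCEPT || return 1
    else
        "$IPTABLES" -I "$CHAIN" 1 -m mark --mark "$IPSEC_MARK" \
            -j ACCEPT || return 1
    fi
}

# Install both halves; the ESP/IKE ACCEPT rules from the quoted ruleset are
# still needed, this only adds what the decrypted traffic requires.
install_ipsec_rules() {
    mark_encrypted && accept_decrypted "$1"
}
```

Run with `IPTABLES=echo sh script.sh` after adding `install_ipsec_rules l2tp-only` at the bottom to review the generated rules before loading them for real.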