[Openswan Users] Ipsec passthrough on linux

Felipe - Rasputin felipe.nix at gmail.com
Thu Aug 14 08:09:58 EDT 2008


Hi guys

I need a little help... it is about VPN, but not specifically...

I have one Linux firewall (kernel 2.6 - RHEL5), and 2 workstations starting
connections using IPsec to an Openswan remote server (not under my authority), and
I have problems connecting the clients simultaneously: the first connects
successfully, but the second connects and does not work; the ESP packets of the
second client are not masqueraded, only the first one's. I created some firewall
rules to permit ESP, using NAT and FWMARK, and tried the -m esp --espspi options on
iptables, but it does not work.

I have one Cisco ASA, and using it as the gateway of the workstations, the
connections work. I only used the command:
#sysopt connection permit-ipsec



# Rules in firewall

iptables -t nat -I POSTROUTING -s $IP_1 -p esp -j MASQUERADE
iptables -t nat -I POSTROUTING -s $IP_2 -p esp -j MASQUERADE
iptables -t nat -I POSTROUTING -s $IP_1 -p ah -j MASQUERADE
iptables -t nat -I POSTROUTING -s $IP_2 -p ah -j MASQUERADE
iptables -t nat -I POSTROUTING -s $IP_1 -p udp --dport 500 -j MASQUERADE
iptables -t nat -I POSTROUTING -s $IP_2 -p udp --dport 500 -j MASQUERADE

Tried altering the ESP rules using espspi:

iptables -t nat -I POSTROUTING -s $IP_1 -m esp -p esp --espspi 500 -j MASQUERADE
iptables -t nat -I POSTROUTING -s $IP_2 -m esp -p esp --espspi 501 -j MASQUERADE



Regards
-- 
#========================#
Felipe Santos '<\( Rasputin )/>'
felipe.nix at gmail.com
LPI ID: LPI000123744
http://br.groups.yahoo.com/group/openswan-br
#========================#
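Added example, not part of the original post: a small Python model (constructed, not netfilter code) of why MASQUERADE can serve only one raw-ESP client behind the firewall but any number of NAT-Traversal clients. ESP has an SPI but no ports, so a generic-protocol flow is tracked by (protocol, source, destination) alone and the second workstation's outside tuple clashes with the first's, whereas UDP/4500 encapsulation gives each workstation its own translated source port. Addresses are constructed; the assumption is that the clients and the remote Openswan server negotiate NAT-T, so the firewall only needs to masquerade UDP 500 and 4500.

```python
ESP = 50                        # IP protocol number of ESP (no ports, only an SPI)
UDP = 17                        # IP protocol number of UDP
NAT_IP = "203.0.113.1"          # constructed public address of the Linux firewall
VPN_SERVER = "198.51.100.7"     # constructed address of the remote Openswan server
NAT_T_PORT = 4500               # UDP port used by IPsec NAT-Traversal (RFC 3948)


class MasqueradeTable:
    """Minimal model of MASQUERADE: outside tuple -> inside source host."""

    def __init__(self):
        self.flows = {}
        self.next_port = 1024    # next free outside source port for UDP flows

    def outbound(self, proto, src, sport, dst, dport):
        """Translate an inside packet; return the outside tuple, or None if NAT fails."""
        if proto == UDP:
            # UDP has a source port, so each inside host gets its own outside port
            ext_port, self.next_port = self.next_port, self.next_port + 1
            key = (proto, NAT_IP, ext_port, dst, dport)
        else:
            # ESP: only the source IP can be rewritten, so every inside host
            # talking to the same server collapses onto one outside tuple
            key = (proto, NAT_IP, None, dst, None)
            if key in self.flows and self.flows[key] != src:
                return None      # tuple already owned by another host: packet dropped
        self.flows[key] = src
        return key

    def inbound(self, proto, src, sport, dport):
        """Map a reply arriving at the firewall back to the inside host, or None."""
        return self.flows.get((proto, NAT_IP, dport, src, sport))


def esp_clients_served(client_ips):
    """Clients whose raw ESP toward VPN_SERVER can be masqueraded (only the first)."""
    table = MasqueradeTable()
    return [ip for ip in client_ips
            if table.outbound(ESP, ip, None, VPN_SERVER, None) is not None]


def nat_t_clients_served(client_ips):
    """Clients whose UDP/4500-encapsulated ESP is masqueraded and whose replies return."""
    table = MasqueradeTable()
    served = []
    for ip in client_ips:
        out = table.outbound(UDP, ip, NAT_T_PORT, VPN_SERVER, NAT_T_PORT)
        # the server answers to the outside port MASQUERADE picked (out[2])
        if table.inbound(UDP, VPN_SERVER, NAT_T_PORT, out[2]) == ip:
            served.append(ip)
    return served
```

With two constructed workstations, esp_clients_served returns only the first address while nat_t_clients_served returns both, which matches the symptom in the post: the second client's ESP is never masqueraded.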