[Openswan Users] ipsec verify question

Peter McGill petermcgill at goco.net
Thu Jan 31 14:25:46 EST 2008


If the Linux server that Openswan is on does NAT or MASQUERADING, then it may interfere with your IPsec traffic.
Typically a server does NAT or MASQUERADING when it has one public internet IP which it wants to share with the LAN.
I'm not sure what the N/A means, perhaps you don't have any NAT rules?
The following will disable any NAT rules for the IPSec traffic.
iptables -t nat -I POSTROUTING -s <local subnet, ie: 192.168.1.0/24> -d <remote subnet, ie: 192.168.2.0/24> -j ACCEPT
The -I inserts the rule before any other SNAT or MASQUERADE rules which may change the packets, and the
rule itself exempts the matching packets from any further rules in the chain.
 
Peter McGill
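As an added example (not part of Peter's reply or of the Openswan project), the following POSIX shell script prints the exemption rule for a local/remote subnet pair and checks an iptables-save style dump of the nat table to confirm that the ACCEPT exemption sits in POSTROUTING ahead of any SNAT or MASQUERADE rule, which is exactly what the `-I` in the command above guarantees and what a plain `-A` would not. The dumps, the subnets and the interface name eth0 are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed iptables-save style dump of the nat table (not taken from the post).
# Gateway masquerading its LAN, with the IPsec exemption inserted ahead of it (-I).
NAT_DUMP_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Same gateway, but the exemption was appended with -A, so MASQUERADE matches first
# and packets for the remote subnet are source-NATed before they reach the tunnel.
NAT_DUMP_WRONG_ORDER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
COMMIT'

# Gateway with no exemption at all.
NAT_DUMP_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print the exemption rule for a local subnet ($1) and a remote subnet ($2).
exemption_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Inspect a nat-table dump ($1): return 0 if an ACCEPT rule matching local ($2)
# to remote ($3) appears in POSTROUTING before any SNAT/MASQUERADE rule, else 1.
ipsec_exempt_ok() {
    dump="$1"; local_net="$2"; remote_net="$3"
    printf '%s\n' "$dump" | awk -v l="$local_net" -v r="$remote_net" '
        /^-A POSTROUTING/ {
            # Exemption reached before any NAT rule: tunnel traffic is left alone.
            if (index($0, "-s " l " ") && index($0, "-d " r " ") && /-j ACCEPT/) {
                found = 1; exit
            }
            # A NAT rule came first: it rewrites the source before the exemption.
            if (/-j (MASQUERADE|SNAT)/) { exit }
        }
        END { exit found ? 0 : 1 }'
}

# Demonstration when run directly: print the rule, then check the three dumps.
exemption_rule 192.168.1.0/24 192.168.2.0/24
for dump in "$NAT_DUMP_GOOD" "$NAT_DUMP_WRONG_ORDER" "$NAT_DUMP_BAD"; do
    if ipsec_exempt_ok "$dump" 192.168.1.0/24 192.168.2.0/24; then
        echo "ok: exemption precedes NAT rules"
    else
        echo "problem: tunnel traffic would be NATed"
    fi
done
```

On a live gateway the same check can be run against real output with `iptables-save -t nat`; the dump format used above is the one that command produces.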
 


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Arjun Datta
Sent: January 30, 2008 2:37 PM
To: users at openswan.org
Subject: [Openswan Users] ipsec verify question


Hi Folks,
 
#ipsec verify gives me the following
 
[root at fw etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.7/K2.6.23.12-52.fc7 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets)     [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

NAT and MASQ'ing is N/A - how can I correct this? More importantly, is this what would prevent me from being able to ping the
subnet behind this end of the tunnel from the other side?
 
My ipsec tunnel is up and running, I think, as evidenced by this output from ipsec auto --status:
 <snip>
......
000 #7: "conn_name":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3279s; newest ISAKMP; nodpd
 
 
Thanks,
 
Arjun Datta
