[Openswan Users] multiple subnets ?

Peter McGill petermcgill at goco.net
Thu Jun 26 09:39:25 EDT 2008


Indunil,

Did you exempt your ipsec traffic from your nat rules?
It is a common mistake to forget this, and would cause the
traffic to use the internet route instead of the tunnel.

For example, if you have local: 192.168.1.0/24,
remote: 192.168.2.0/24 & 192.168.3.0/24,
and eth0 internet interface.
Then you probably have the following NAT rule:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
You need the following two rules before it:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.3.0/24 -j ACCEPT

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
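As an added example (not from the thread), a small POSIX sh check for the ordering mistake described above: it reads `iptables-save -t nat` style output and reports, for each remote tunnel subnet, whether the ACCEPT exemption is present and whether it sits before the MASQUERADE rule. The sample rule set is constructed here; the interface, subnets and function name are assumptions.

```shell
#!/bin/sh
# Constructed sample in `iptables-save -t nat` format (not taken from the
# thread): the MASQUERADE rule precedes the tunnel exemption, so packets
# for 192.168.2.0/24 are NATed before the ACCEPT can match, and
# 192.168.3.0/24 has no exemption at all.
SAMPLE_NAT_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -d 192.168.2.0/24 -j ACCEPT
COMMIT'

# check_nat_exemptions RULES SUBNET...
# Prints "<subnet> ok|missing|shadowed" per remote subnet and returns 0
# only when every subnet is ok.  "shadowed" means an ACCEPT exemption
# exists but a MASQUERADE rule earlier in POSTROUTING reaches the packet
# first.  Simplification: rule order alone is checked, not whether the
# MASQUERADE rule's own -s/-o match would cover the packet.
check_nat_exemptions() {
    rules=$1; shift
    status=0
    for subnet in "$@"; do
        result=$(printf '%s\n' "$rules" | awk -v net="$subnet" '
            /^-A POSTROUTING/ {
                n++
                if ($0 ~ /-j MASQUERADE/ && !masq) masq = n
                for (i = 1; i <= NF; i++)
                    if ($i == "-d" && $(i+1) == net &&
                        $0 ~ /-j ACCEPT/ && !acc) acc = n
            }
            END {
                if (!acc) print "missing"
                else if (masq && masq < acc) print "shadowed"
                else print "ok"
            }')
        printf '%s %s\n' "$subnet" "$result"
        [ "$result" = ok ] || status=1
    done
    return $status
}

# On a live gateway: check_nat_exemptions "$(iptables-save -t nat)" <subnets>
check_nat_exemptions "$SAMPLE_NAT_RULES" 192.168.2.0/24 192.168.3.0/24 \
    || echo "tunnel traffic is being NATed: move the ACCEPT rules first"
```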

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Indunil Jayasooriya
> Sent: June 26, 2008 1:44 AM
> To: Paul Wouters
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] multiple subnets ?
> 
> > auto=start should cause the same results....
> 
> Thanks for it.
> 
> >
> >> Now, All 4 tunnels are up. But, I still can not ping to 4 subnets in
> >> other side.
> >> Could you pls explain why?
> >
> > firewalling? routing? natting? rp_filter?
> 
> it is a firewall with a lot of rules. It has 3 network cards.
> Natting is DONE.
> 
> rp_filter is set to 1.
> 
> 
> > what does ipsec verify say?
> 
> pls see below
> 
> [root at firewall etc]# ipsec verify
> Checking your system to see if IPsec got installed and 
> started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.9/K2.6.18-8.el5 (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
> 
> NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
> 
> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
> 
> 
> 
> >> I did traceroute as well.
> >
> > Traceroute is a very bad tool to use in combination with IPsec.
> 
> Then, Can you recommend a good tool instead?
> 
> Command ifconfig shows the USUAL ip addresses. It does NOT 
> show any tunnel?
> 
> Could you pls explain why I can not ping their subnets.
> 
> What are the areas I will have to look in to it ?
> 
> Hope to hear from you ASAP?-
> 
> -
> Thank you
> Indunil Jayasooriya
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
