[Openswan Users] multiple subnets ?
Indunil Jayasooriya
indunil75 at gmail.com
Fri Jun 27 02:11:36 EDT 2008
On Thu, Jun 26, 2008 at 7:09 PM, Peter McGill <petermcgill at goco.net> wrote:
> Indunil,
>
> Did you exempt your ipsec traffic from your nat rules?
> It is a common mistake to forget this, and would cause the
> traffic to use the internet route instead of the tunnel.
>
> For example, if you have local: 192.168.1.0/24,
> remote: 192.168.2.0/24 & 192.168.3.0/24,
> and eth0 internet interface.
> Then you probably have the following NAT rule:
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> You need the following two rules before it:
> iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -d 192.168.3.0/24 -j ACCEPT
Hi,
We have SNAT rules like the ones below, not for the whole LAN but for about 10 IPs,
one by one.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.9 -j SNAT --to-source 1.2.3.4
Anyway, I put the 4 rules below before those lines:
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
Still no luck.
Then I added the 4 lines below after the above 4 lines as well. Still the same.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 196.4.49.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 196.4.51.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 10.10.99.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 10.10.250.0/24 -j SNAT --to-source 2.2.3.4
I added the lines below to sysctl.conf as well:
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Now, ipsec verify gives the output below:
[root@firewall etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.18-8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
But we still cannot ping their 4 networks.
Further help is needed to solve this.
Hope to hear from you.
-
Thank you
Indunil Jayasooriya
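The ordering question raised in this thread (the tunnel subnets must hit an ACCEPT in nat POSTROUTING before any SNAT rule can match) is easy to get wrong because netfilter stops at the first matching terminating rule. The Python below is an added example, not code from the thread or from Openswan: it models first-match evaluation of a nat POSTROUTING chain and compares two rule layouts, using the interface, subnets and addresses posted above. It is a simulation, not a call into iptables; the rule dictionaries and the helper names (rule, pkt, matches, postrouting, render) are this example's own. It assumes the NETKEY behaviour that the plaintext packet, still carrying the inner destination, traverses POSTROUTING before ESP encapsulation, which is what lets a `-d <remote subnet>` match exempt tunnel traffic.

```python
"""Added example: a model of first-match evaluation in the iptables nat
POSTROUTING chain, used to check that IPsec subnets are exempted from SNAT
before the SNAT rules run.  Subnets and addresses are the ones from the
thread; this is a simulation, not iptables itself."""
import ipaddress


def rule(out_if, target, src=None, dst=None, dst_negate=False, to_source=None):
    """One POSTROUTING rule. src/dst are CIDR or host strings; dst_negate
    models '! -d <net>' (written '-d \\! <net>' with older iptables)."""
    return {
        "out_if": out_if,
        "src": ipaddress.ip_network(src) if src else None,
        "dst": ipaddress.ip_network(dst) if dst else None,
        "dst_negate": dst_negate,
        "target": target,
        "to_source": to_source,
    }


def pkt(src, dst, out_if="eth1"):
    """A packet as the nat table sees it: with NETKEY the plaintext packet,
    still carrying the inner destination, hits POSTROUTING before ESP."""
    return {"src": src, "dst": dst, "out_if": out_if}


def matches(r, p):
    if r["out_if"] != p["out_if"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(p["src"]) not in r["src"]:
        return False
    if r["dst"] is not None:
        in_dst = ipaddress.ip_address(p["dst"]) in r["dst"]
        if in_dst == r["dst_negate"]:   # plain match needs in_dst, negated needs not
            return False
    return True


def postrouting(chain, p):
    """Return the source address the packet leaves with.  The first matching
    rule with a terminating target decides; ACCEPT means 'no NAT for this one'."""
    for r in chain:
        if matches(r, p):
            if r["target"] == "ACCEPT":
                return p["src"]
            if r["target"] == "SNAT":
                return r["to_source"]
    return p["src"]                      # fell off the chain: policy ACCEPT


def render(chain):
    """Emit the equivalent iptables commands (modern '! -d' negation syntax)."""
    lines = []
    for r in chain:
        cmd = ["iptables -t nat -A POSTROUTING -o", r["out_if"]]
        if r["src"] is not None:
            cmd += ["-s", str(r["src"])]
        if r["dst"] is not None:
            cmd += (["!"] if r["dst_negate"] else []) + ["-d", str(r["dst"])]
        cmd += ["-j", r["target"]]
        if r["to_source"]:
            cmd += ["--to-source", r["to_source"]]
        lines.append(" ".join(cmd))
    return lines


WAN_IF, PUBLIC_IP, LAN = "eth1", "1.2.3.4", "192.168.1.0/24"
REMOTE_SUBNETS = ["196.4.49.0/24", "196.4.51.0/24", "10.10.99.0/24", "10.10.250.0/24"]
SNAT_HOSTS = ["192.168.1.2", "192.168.1.9"]   # the per-host SNAT list from the thread

# Wrong shape: one negated SNAT per remote subnet.  Each rule excludes only
# its own subnet, so traffic for any of the other three matches it and is SNATed.
NEGATED_ONLY = [rule(WAN_IF, "SNAT", src=LAN, dst=net, dst_negate=True, to_source=PUBLIC_IP)
                for net in REMOTE_SUBNETS]

# Right shape (what Peter described): exempt every tunnel destination first,
# then SNAT the hosts that should go out via the public address.
EXEMPT_FIRST = ([rule(WAN_IF, "ACCEPT", dst=net) for net in REMOTE_SUBNETS]
                + [rule(WAN_IF, "SNAT", src=h, to_source=PUBLIC_IP) for h in SNAT_HOSTS])

if __name__ == "__main__":
    for name, chain in (("negated-only", NEGATED_ONLY), ("exempt-first", EXEMPT_FIRST)):
        print(f"== {name}")
        for line in render(chain):
            print("  " + line)
        for dst in ("196.4.51.10", "10.10.250.7", "8.8.8.8"):
            left = postrouting(chain, pkt("192.168.1.2", dst))
            print(f"  192.168.1.2 -> {dst}: leaves as {left}")
```

On the real gateway the same check is `iptables -t nat -L POSTROUTING -n -v --line-numbers`: the four ACCEPT rules must sit above every SNAT/MASQUERADE rule (note that `-A` appends, so rules added later to a live chain land at the bottom unless the chain was flushed first), and their packet counters should increase while you ping the remote subnets. If the counters stay at zero, the packets are not leaving on eth1 with those destinations at all and the fault is in routing or the IPsec policy rather than in NAT. Where the xt_policy match is available, `-m policy --dir out --pol ipsec -j ACCEPT` at the top of POSTROUTING exempts all IPsec-bound traffic without listing each subnet.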