[Openswan Users] multiple subnets ?
Peter McGill
petermcgill at goco.net
Fri Jun 27 10:33:36 EDT 2008
> -----Original Message-----
> From: Indunil Jayasooriya [mailto:indunil75 at gmail.com]
> Sent: June 27, 2008 2:12 AM
> To: petermcgill at goco.net
> Cc: Paul Wouters; users at openswan.org
> Subject: Re: [Openswan Users] multiple subnets ?
>
> On Thu, Jun 26, 2008 at 7:09 PM, Peter McGill
> <petermcgill at goco.net> wrote:
> > Indunil,
> >
> > Did you exempt your ipsec traffic from your nat rules?
> > It is a common mistake to forget this, and would cause the
> > traffic to use the internet route instead of the tunnel.
> >
> > For example, if you have local: 192.168.1.0/24,
> > remote: 192.168.2.0/24 & 192.168.3.0/24,
> > and eth0 internet interface.
> > Then you probably have the following NAT rule:
> > iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> > You need the following two rules before it:
> > iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j ACCEPT
> > iptables -t nat -A POSTROUTING -o eth0 -d 192.168.3.0/24 -j ACCEPT
>
> Hi ,
>
> We have SNAT rules like the ones below, not for the whole LAN but for about 10 IPs,
> one by one.
>
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT --to-source 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.9 -j SNAT --to-source 1.2.3.4
>
> Anyway, I put the 4 rules below before those lines.
>
> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
You need these; keep them.
> Still No luck.
>
> Then I added the 4 lines below after the above 4 lines as well.
> Still the same.
>
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 196.4.49.0/24 -j SNAT --to-source 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 196.4.51.0/24 -j SNAT --to-source 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 10.10.99.0/24 -j SNAT --to-source 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 10.10.250.0/24 -j SNAT --to-source 2.2.3.4
These do absolutely nothing; you should remove them.
A) The 4 rules I told you to keep will match first and prevent the packets from going further.
B) If you only had these rules then the first rule would match negating the next three.
> I added the lines below to sysctl.conf as well:
>
>
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.log_martians = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.log_martians = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
>
> Now, ipsec verify gives the output below:
>
> [root@firewall etc]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.4.9/K2.6.18-8.el5 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
>
> But we still cannot ping their 4 networks.
>
>
> Further help is needed to solve this.
>
>
> Hope to hear from you.
>
>
> -
> Thank you
> Indunil Jayasooriya
Could you attach the output of ipsec barf > ipsec_barf.txt, please.
Also include a description of your ping tests and results in the email.
What host/ip are you pinging from, what host/ips are you pinging to?
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
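As an added example that is not part of the thread (the code is mine, not Peter's and not Openswan's): a small first-match evaluator for the nat POSTROUTING rules quoted above. It models only -s, -d and "-d !" matching, treats -o eth1 as implied for every rule, uses 1.2.3.4 as the --to-source for all four negated rules, and the packets it evaluates are constructed. Running it shows Peter's two points: with the four ACCEPT rules in front, every tunnel-bound packet terminates in one of them and never reaches any later rule (A); on their own, the four "-d ! subnet -j SNAT" rules rewrite the source of every tunnel-bound packet, because each packet fails to match only the one rule that names its own subnet (B).

```python
"""
Added example (not code from the thread): a minimal first-match evaluator for
iptables nat/POSTROUTING rules. Subnets and addresses are the ones quoted in
the thread; the packets evaluated below are constructed for illustration.
"""
import ipaddress


def rule(target, src=None, dst=None, dst_negate=False, to=None):
    """One POSTROUTING rule. '-o eth1' is implied for every rule here (all
    packets in this example leave via the internet interface), so it is not
    modelled. dst_negate=True models '-d ! subnet'."""
    return {
        "target": target,
        "src": ipaddress.ip_network(src) if src else None,
        "dst": ipaddress.ip_network(dst) if dst else None,
        "dst_negate": dst_negate,
        "to": to,  # --to-source for SNAT rules
    }


def matches(r, src_ip, dst_ip):
    """Does this rule's -s / -d (optionally negated -d) match the packet?"""
    if r["src"] is not None and ipaddress.ip_address(src_ip) not in r["src"]:
        return False
    if r["dst"] is not None:
        in_dst = ipaddress.ip_address(dst_ip) in r["dst"]
        # plain -d needs in_dst True; '-d !' needs in_dst False
        if in_dst == r["dst_negate"]:
            return False
    return True


def evaluate(chain, src_ip, dst_ip):
    """Walk the chain in order. ACCEPT and SNAT are both terminating targets
    in the nat table, so the first matching rule decides the verdict.
    Returns (rule_index, target, source_address_after_nat)."""
    for i, r in enumerate(chain):
        if matches(r, src_ip, dst_ip):
            new_src = r["to"] if r["target"] == "SNAT" else src_ip
            return i, r["target"], new_src
    return None, "POLICY ACCEPT", src_ip  # fell off the end: no NAT applied


# Addresses taken from the thread.
REMOTE_SUBNETS = ["196.4.49.0/24", "196.4.51.0/24", "10.10.99.0/24", "10.10.250.0/24"]
LAN_HOSTS = ["192.168.1.2", "192.168.1.9"]  # two of the ~10 per-host SNAT sources
PUBLIC_IP = "1.2.3.4"  # assumed for every SNAT rule in this example

exempt_rules = [rule("ACCEPT", dst=n) for n in REMOTE_SUBNETS]
per_host_snat = [rule("SNAT", src=h + "/32", to=PUBLIC_IP) for h in LAN_HOSTS]
negated_snat = [rule("SNAT", src="192.168.1.0/24", dst=n, dst_negate=True, to=PUBLIC_IP)
                for n in REMOTE_SUBNETS]

ORIGINAL_CHAIN = per_host_snat              # before any exemption was added
FIXED_CHAIN = exempt_rules + per_host_snat  # exemptions first, then SNAT
NEGATED_ONLY = negated_snat                 # the four '-d ! subnet' rules alone
FIXED_PLUS_NEGATED = exempt_rules + negated_snat


def tunnel_verdicts(chain, src_ip="192.168.1.2"):
    """Verdict for a constructed packet from src_ip to host .10 of each remote subnet."""
    out = {}
    for n in REMOTE_SUBNETS:
        dst = str(ipaddress.ip_network(n)[10])
        out[n] = evaluate(chain, src_ip, dst)
    return out


def all_snatted(chain, src_ip="192.168.1.2"):
    """True if every tunnel-bound packet from src_ip has its source rewritten,
    i.e. none of it will match an IPsec policy for 192.168.1.0/24 any more."""
    return all(v[1] == "SNAT" for v in tunnel_verdicts(chain, src_ip).values())


def exemptions_shadow_rest(chain, n_exempt, src_ip="192.168.1.2"):
    """True if every tunnel-bound packet terminates within the first n_exempt
    rules, so whatever follows never sees that traffic (point A)."""
    return all(v[0] is not None and v[0] < n_exempt
               for v in tunnel_verdicts(chain, src_ip).values())


if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL_CHAIN), ("fixed", FIXED_CHAIN),
                        ("negated only", NEGATED_ONLY)]:
        print(f"--- {name} ---")
        for subnet, (idx, target, new_src) in tunnel_verdicts(chain).items():
            print(f"to {subnet:15} rule {idx} {target:7} src becomes {new_src}")
        idx, target, new_src = evaluate(chain, "192.168.1.2", "8.8.8.8")
        print(f"to 8.8.8.8         rule {idx} {target:7} src becomes {new_src}")
```

Why the order matters with NETKEY: nat/POSTROUTING runs before the kernel's XFRM output lookup, so a packet whose source has already been rewritten to 1.2.3.4 no longer matches an IPsec policy for 192.168.1.0/24 and is sent in the clear over the default route, which is the "internet route instead of the tunnel" symptom above. On a live box, watch the per-rule counters with iptables -t nat -L POSTROUTING -nv --line-numbers while running the ping, and compare against ip xfrm policy. A destination-independent way to write the exemption is iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT, which matches any packet an IPsec policy is about to encapsulate, so new remote subnets need no extra NAT rule.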