[Openswan Users] multiple subnets ?
Peter McGill
petermcgill at goco.net
Mon Jun 30 10:07:12 EDT 2008
Indunil,
I assume you meant to do:
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.6.172/32 -j ACCEPT
Which would be correct.
I would keep the sysctl.conf changes suggested by Paul.
Without them you may experience similar or other problems.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: Indunil Jayasooriya [mailto:indunil75 at gmail.com]
> Sent: June 27, 2008 11:06 PM
> To: petermcgill at goco.net
> Cc: Paul Wouters; users at openswan.org
> Subject: Re: [Openswan Users] multiple subnets ?
>
> >> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
> >> 196.4.49.0/24 -j SNAT --to-source 1.2.3.4
> >> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
> >> 196.4.51.0/24 -j SNAT --to-source 1.2.3.4
> >> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
> >> 10.10.99.0/24 -j SNAT --to-source 1.2.3.4
> >> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
> >> 10.10.250.0/24 -j SNAT --to-source 2.2.3.4
> >
> > These do absolutely nothing you should remove them.
>
> I removed them. You are great.
>
> Yes, I got VPN up and running. Now I can ping 4 networks in
> the other side.
> Thanks very much for it.
>
> The 4 rules below did the job (as you said).
>
> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
>
>
> So far, we added a whole network to the ipsec.conf file. Now I want to add
> one IP address to rightsubnet in the ipsec.conf file. The IP address is
> 10.254.6.172/32. I have already added it in this way; please see below.
>
>
> conn tunnelipsec5
> type=tunnel
> left=1.2.3.4
> leftsubnet=192.168.1.0/24
> right=5.6.7.8
> rightsubnet=10.254.6.172/32
> esp=3des
> authby=secret
> keyexchange=ike
> pfs=no
> auto=start
>
>
> In addition to that, I added the rule below in the firewall after the
> other 4 rules.
>
> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
>
> Am I right?
>
> I am currently having the rules below in sysctl.conf. Are they needed?
>
> Please let me know.
>
>
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.log_martians = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.log_martians = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
>
>
>
> Peter and Paul, thanks for your help given to me. You are geniuses.
>
> Hope to hear from you.
>
>
> Thank you
> Indunil Jayasooriya
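As an added example (not code from this thread or from Openswan), a small Python check that extracts each conn's rightsubnet from ipsec.conf and compares it with the POSTROUTING exemptions that precede the SNAT rule; run over a constructed copy of the rules discussed above, it reports that 10.254.6.172/32 has no ACCEPT rule, because the rule added for it repeats 10.10.250.0/24. The ipsec.conf fragment and iptables-save style lines are constructed samples; eth1 and a single-network rightsubnet are assumed.

```python
import re
from ipaddress import ip_network

# Constructed sample: the conn from the thread, as it appears in ipsec.conf.
IPSEC_CONF = """\
conn tunnelipsec5
    type=tunnel
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    right=5.6.7.8
    rightsubnet=10.254.6.172/32
    auto=start
"""

# Constructed sample of the nat table (iptables-save format): the four working
# exemptions, the mistaken fifth one, then the SNAT rule for internet traffic.
NAT_RULES = """\
-A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.4
"""

def right_subnets(conf):
    """Map each conn name to its rightsubnet (assumes one network per conn)."""
    subnets, conn = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif conn and line.startswith("rightsubnet="):
            subnets[conn] = ip_network(line.split("=", 1)[1].strip(), strict=False)
    return subnets

def exempted_before_snat(rules):
    """Destinations ACCEPTed in POSTROUTING before the first SNAT rule."""
    exempt = []
    for line in rules.splitlines():
        line = line.strip()
        if not line.startswith("-A POSTROUTING"):
            continue
        if "-j SNAT" in line:
            break        # anything after the SNAT rule never sees VPN-bound packets
        m = re.search(r"-d (\S+)", line)
        if m and line.endswith("-j ACCEPT"):
            exempt.append(ip_network(m.group(1), strict=False))
    return exempt

def missing_exemptions(conf, rules):
    """rightsubnets that would still be SNATed, each with the rule to add (-I so it lands first)."""
    exempt = exempted_before_snat(rules)
    return {conn: f"iptables -t nat -I POSTROUTING -o eth1 -d {net} -j ACCEPT"
            for conn, net in right_subnets(conf).items()
            if not any(net.subnet_of(e) for e in exempt)}
```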