[Openswan Users] Packets not passing through Tunnel

Khan, Hammad Aslam raohammad at gmail.com
Wed Mar 12 16:42:55 EDT 2008


And what do you comment about my firewall settings?
Attached is a more formatted one... thanking in anticipation


Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67 reject-with icmp-port-unreachable
6    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
8    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023
9    DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:0:1023
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            10.5.0.0/16
2    ACCEPT     all  --  10.5.0.0/16          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            10.5.0.0/16
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500



On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill <petermcgill at goco.net> wrote:

>  No, that should be working if the ISAKMP SA and IPSec SA are established.
>
> > A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
>
> Peter McGill
>
>
>  ------------------------------
>  *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> *Sent:* March 12, 2008 11:48 AM
>
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
>
>   OK, thanks, but if I don't want my gateway to talk to remote private, and
> instead I just want to access remote private from my private, will I be
> required to make changes even in that case?
>
> rgds,
> Hammad
>
> On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <petermcgill at goco.net>
> wrote:
>
> >  You cannot use route add or ip route add with openswan; you
> > must specify the traffic which uses the tunnel in left/rightsubnet(s).
> > To clarify, where are you pinging/telnetting from?
> > A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
> > A ping from 10.5.125.100 or 58.58.58.58 will not work because you
> > have not included them in leftsubnet.
> > Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not work.
> > Pings to 58... and 202... will work but not encrypted, plain internet.
> > If you want your gateway to be able to communicate with remote private
> > also, then change your conn as follows:
> >     leftsourceip=10.5.125.100 # gw will use this instead of 58... to talk to rem. priv.
> >     leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too
> >
> > Peter McGill
> >
> >
> >  ------------------------------
> > *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> > *Sent:* March 12, 2008 2:11 AM
> > *To:* petermcgill at goco.net
> > *Cc:* users at openswan.org
> > *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
> >
> >   I already have enabled ip forwarding;
> > My Setup is like;
> >
> > my private         my gateway                          <<public>>   remote gw (cisco vpn 3000)   remote private
> > ---------------    --------------------------------    ----------   --------------------------   --------------
> > 10.5.125.105 === 10.5.125.100 (eth1) | (eth0) 58.58.58.58  >>*><*<<  202.202.202.202 | ?.?.?.? ==== 10.8.13.113
> >
> >
> > *My Config file*
> > config setup
> >         interfaces="ipsec0=eth0"
> >         plutodebug="all"
> >         nat_traversal=yes
> >
> > conn nattelenor
> >          type=tunnel
> >          authby=secret                   # secret key
> >          auth=esp
> >          pfs=no
> >          keylife=28800
> >          keyingtries=3
> >          auto=add
> >          ike=3des-md5-modp1024
> >          esp=3des-md5
> >          left=58.58.58.58             # my external, internet-routable ip address, provided by NAT box
> >          leftsubnet=10.5.125.105/32
> >          right=202.202.202.202        # my peer's external, internet-routable ip address
> >          rightsubnet=10.8.13.113/32
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > *My ipsec verify result*
> >
> > Checking your system to see if IPsec got installed and started
> > correctly:
> > Version check and ipsec on-path                                 [OK]
> > Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
> > Checking for IPsec support in kernel                            [OK]
> > NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
> >
> >   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> >   or NETKEY will cause the sending of bogus ICMP redirects!
> >
> > NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
> >
> >   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> >   or NETKEY will accept bogus ICMP redirects!
> >
> > Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > Checking that pluto is running                                  [OK]
> > Two or more interfaces found, checking IP forwarding            [OK]
> > Checking NAT and MASQUERADEing                                  [OK]
> > Checking for 'ip' command                                       [OK]
> > Checking for 'iptables' command                                 [OK]
> > Opportunistic Encryption Support                                [DISABLED]
> >
> >
> > Regards,
> > Hammad
> >
> >
> > On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net>
> > wrote:
> >
> > >  Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
> > > Without them you can only ping hosts other than the ipsec gateway
> > > on the remote lan, and only from hosts on the local lan, not the local
> > > ipsec gateway.
> > > Show us your ipsec.conf and ipsec verify.
> > >
> > > Peter McGill
> > >
> > >
> > >  ------------------------------
> > > *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> > > *On Behalf Of *Khan, Hammad Aslam
> > > *Sent:* March 11, 2008 1:45 PM
> > > *To:* users at openswan.org
> > > *Subject:* [Openswan Users] Packets not passing through Tunnel
> > >
> > >   Hello everyone,
> > > My tunnel has been successfully established (both ISAKMP and IPSEC are
> > > UP);
> > > but when I try to ping/telnet the remote end's private network PC I don't
> > > get any response.
> > >
> > > Using *tcpdump -i eth0* (which is my public interface of GW) it shows
> > > that GW is querying the internet for remote-private-nw using ARP. No ESP packets
> > > are seen...
> > >
> > > I added a route of
> > > # route add <remote-private-ip> gw <remote-public-ip>
> > > ...but still, I see the same result?
> > >
> > > Please help.
> > >
> > > Regards,
> > > Hammad
> > >
> > >
> >
>
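As an added example (not code from this thread or from the Openswan project), the following Python script parses an iptables dump in the format posted at the top of the thread and checks, for the conn's leftsubnet/rightsubnet pair, what filter/FORWARD does with each direction and whether nat/POSTROUTING masquerades the traffic before any exemption rule. On NETKEY a blanket MASQUERADE rewrites the source of tunnel-bound packets before they are encrypted, so they no longer match the IPsec policy; the usual fix is an ACCEPT rule in nat/POSTROUTING, ahead of MASQUERADE, for the tunnel's selectors. The sample dump embedded in the script is constructed from the rules posted above; run on it, the check reports FORWARD rule 1 dropping replies destined for 10.5.0.0/16 and the unconditional MASQUERADE.

```python
"""Offline first-order check of an Openswan/NETKEY gateway's iptables dump.

Added example for this thread, not code from the posts or from Openswan.  It
parses an ``iptables -L -n --line-numbers`` style dump like the one posted and,
for the conn's leftsubnet/rightsubnet pair, reports what filter/FORWARD does
with each direction and whether nat/POSTROUTING masquerades the traffic before
any exemption rule.
"""
import ipaddress
import re

# Constructed sample: the posted nat and FORWARD rules with the mail wrapping
# undone, and the selectors from the posted conn.
SAMPLE_DUMP = """\
Table: nat
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
Table: filter
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            10.5.0.0/16
2    ACCEPT     all  --  10.5.0.0/16          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            10.5.0.0/16
"""
LEFTSUBNET, RIGHTSUBNET = "10.5.125.105/32", "10.8.13.113/32"

# Rule rows: num target prot opt source destination [match text].  Header rows
# start with "num", so the leading \d+ keeps them out.
_RULE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
_CHAIN = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def parse_dump(text):
    """Return ({(table, chain): policy}, {(table, chain): [rule dicts]})."""
    policies, rules, table, chain = {}, {}, None, None
    for line in text.splitlines():
        head, rule = _CHAIN.match(line), _RULE.match(line)
        if line.startswith("Table:"):
            table = line.split(":", 1)[1].strip()
        elif head:
            chain = head.group(1)
            policies[(table, chain)] = head.group(2)
            rules[(table, chain)] = []
        elif rule:
            rules[(table, chain)].append({
                "target": rule.group(2), "prot": rule.group(3),
                "src": ipaddress.ip_network(rule.group(5), strict=False),
                "dst": ipaddress.ip_network(rule.group(6), strict=False),
                "extra": rule.group(7).strip()})
    return policies, rules


def first_match(policies, rules, table, chain, src, dst, prot="all"):
    """Target of the first rule matching (src, dst, prot), else the chain policy.

    Only address and protocol matches are modelled (no state, interface or
    port matches), which is enough to read the chains in this thread.
    """
    for r in rules.get((table, chain), []):
        if r["prot"] in ("all", prot) and src in r["src"] and dst in r["dst"]:
            return r["target"]
    return policies.get((table, chain), "ACCEPT")


def nat_exemption_rule(leftsubnet, rightsubnet):
    """Rule to insert ahead of MASQUERADE so tunnel traffic keeps its private source."""
    return f"iptables -t nat -I POSTROUTING -s {leftsubnet} -d {rightsubnet} -j ACCEPT"


def _host(subnet):
    """A representative address inside subnet (the address itself for a /32)."""
    net = ipaddress.ip_network(subnet, strict=False)
    return net.network_address if net.prefixlen == net.max_prefixlen else next(net.hosts())


def check_tunnel_path(dump, leftsubnet, rightsubnet):
    """Findings for leftsubnet <-> rightsubnet traffic; an empty list means it passes."""
    policies, rules = parse_dump(dump)
    left, right = _host(leftsubnet), _host(rightsubnet)
    findings = []
    out = first_match(policies, rules, "filter", "FORWARD", left, right)
    back = first_match(policies, rules, "filter", "FORWARD", right, left)
    nat = first_match(policies, rules, "nat", "POSTROUTING", left, right)
    if out != "ACCEPT":
        findings.append(f"filter/FORWARD: {out} for {left} -> {right}")
    if back != "ACCEPT":
        findings.append(f"filter/FORWARD: {back} for replies {right} -> {left}")
    if nat in ("MASQUERADE", "SNAT"):
        # On NETKEY the source is rewritten before the packet is encrypted, so it
        # no longer matches the IPsec policy; exempt the selectors from NAT.
        findings.append(f"nat/POSTROUTING: {nat} rewrites {left} -> {right} before "
                        f"IPsec; exempt it: {nat_exemption_rule(leftsubnet, rightsubnet)}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_path(SAMPLE_DUMP, LEFTSUBNET, RIGHTSUBNET) or ["no findings"]:
        print(finding)
```

Feed it the output of `iptables -t nat -L -n --line-numbers` and `iptables -L -n --line-numbers` (prefixed with the `Table:` lines as in the posted dump) together with the conn's selectors. An equivalent, selector-independent exemption is `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`, which skips NAT for any packet the kernel has already matched to an IPsec policy; either form must sit ahead of the MASQUERADE rule.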