[Openswan Users] Packets not passing through Tunnel
Khan, Hammad Aslam
raohammad at gmail.com
Wed Mar 12 16:42:55 EDT 2008
And what is your comment on my firewall settings?
Attached is a more formatted one... Thanking in anticipation.
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target      prot opt source       destination
Chain POSTROUTING (policy ACCEPT)
num  target      prot opt source       destination
1    MASQUERADE  all  --  0.0.0.0/0    0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target      prot opt source       destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target      prot opt source       destination
1    ACCEPT      esp  --  0.0.0.0/0    0.0.0.0/0
2    ACCEPT      udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:500 dpt:500
3    ACCEPT      all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT      all  --  0.0.0.0/0    0.0.0.0/0
5    REJECT      udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:67 reject-with icmp-port-unreachable
6    REJECT      udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:53 reject-with icmp-port-unreachable
7    ACCEPT      tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:22
8    DROP        tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpts:0:1023
9    DROP        udp  --  0.0.0.0/0    0.0.0.0/0    udp dpts:0:1023
Chain FORWARD (policy DROP)
num  target      prot opt source       destination
1    DROP        all  --  0.0.0.0/0    10.5.0.0/16
2    ACCEPT      all  --  10.5.0.0/16  0.0.0.0/0
3    ACCEPT      all  --  0.0.0.0/0    10.5.0.0/16
Chain OUTPUT (policy ACCEPT)
num  target      prot opt source       destination
1    ACCEPT      esp  --  0.0.0.0/0    0.0.0.0/0
2    ACCEPT      udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:500 dpt:500
On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill <petermcgill at goco.net> wrote:
> No, that should be working if the ISAKMP SA and IPSec SA are established.
>
> > A ping from 10.5.125.105 to 10.8.13.113 and vice-versa should work.
>
> Peter McGill
>
>
> ------------------------------
> *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> *Sent:* March 12, 2008 11:48 AM
>
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
>
> OK, thanks, but what if I don't want my gateway to talk to the remote private
> network? Instead I just want to access the remote private network from my private
> network; will I be required to make changes even in that case?
>
> rgds,
> Hammad
>
> On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <petermcgill at goco.net>
> wrote:
>
> > You cannot use route add or ip route add with openswan, you
> > must specify the traffic which uses the tunnel in left/rightsubnet(s).
> > To clarify, where are you pinging/telnetting from?
> > A ping from 10.5.125.105 to 10.8.13.113 and vice-versa should work.
> > A ping from 10.5.125.100 or 58.58.58.58 will not work because you
> > have not included them in leftsubnet.
> > Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not work.
> > Pings to 58... and 202... will work but not encrypted, plain internet.
> > If you want your gateway to be able to communicate with remote private
> > also, then change your conn as follows:
> > leftsourceip=10.5.125.100 # gw will use this instead of 58... to talk to rem. priv.
> > leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too
> >
> > Peter McGill
> >
> >
> > ------------------------------
> > *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> > *Sent:* March 12, 2008 2:11 AM
> > *To:* petermcgill at goco.net
> > *Cc:* users at openswan.org
> > *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
> >
> > I have already enabled IP forwarding.
> > My setup is like this:
> >
> >    my private          my gateway                    <<public>>            remote gw (cisco vpn 3000)   remote private
> >   ------------   -------------------------------                          ----------------------------   -------------
> >  |            | |                               |                        |                            | |             |
> >  | 10.5.125.105 === 10.5.125.100(eth1)   (eth0)58.58.58.58  >>*><*<<  202.202.202.202      ?.?.?.? ==== 10.8.13.113 |
> >  |            | |                               |                        |                            | |             |
> >   ------------   -------------------------------                          ----------------------------   -------------
> >
> >
> > *My Config file*
> > config setup
> >     interfaces="ipsec0=eth0"
> >     plutodebug="all"
> >     nat_traversal=yes
> >
> > conn nattelenor
> >     type=tunnel
> >     authby=secret # secret key
> >     auth=esp
> >     pfs=no
> >     keylife=28800
> >     keyingtries=3
> >     auto=add
> >     ike=3des-md5-modp1024
> >     esp=3des-md5
> >     left=58.58.58.58 # my external, internet-routable ip address, provided by NAT box
> >     leftsubnet=10.5.125.105/32
> >     right=202.202.202.202 # my peer's external, internet-routable ip address
> >     rightsubnet=10.8.13.113/32
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > *My ipsec verify result*
> >
> > Checking your system to see if IPsec got installed and started correctly:
> > Version check and ipsec on-path                                 [OK]
> > Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
> > Checking for IPsec support in kernel                            [OK]
> > NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
> >
> >   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> >   or NETKEY will cause the sending of bogus ICMP redirects!
> >
> > NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
> >
> >   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> >   or NETKEY will accept bogus ICMP redirects!
> >
> > Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > Checking that pluto is running                                  [OK]
> > Two or more interfaces found, checking IP forwarding            [OK]
> > Checking NAT and MASQUERADEing                                  [OK]
> > Checking for 'ip' command                                       [OK]
> > Checking for 'iptables' command                                 [OK]
> > Opportunistic Encryption Support                                [DISABLED]
> >
> >
> > Regards,
> > Hammad
> >
> >
> > On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net>
> > wrote:
> >
> > > Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
> > > Without them you can only ping hosts other than the ipsec gateway
> > > on the remote lan, and only from hosts on the local lan, not the local
> > > ipsec gateway.
> > > Show us your ipsec.conf and ipsec verify.
> > >
> > > Peter McGill
> > >
> > >
> > > ------------------------------
> > > *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> > > *On Behalf Of *Khan, Hammad Aslam
> > > *Sent:* March 11, 2008 1:45 PM
> > > *To:* users at openswan.org
> > > *Subject:* [Openswan Users] Packets not passing through Tunnel
> > >
> > > Hello everyone,
> > > My tunnel has been successfully established (both ISAKMP and IPSEC are
> > > UP), but when I try to ping/telnet the remote end's private network PC I
> > > don't get any response.
> > >
> > > Using *tcpdump -i eth0* (which is my public interface on the GW) it shows
> > > that the GW is querying the internet for the remote private network using ARP.
> > > No ESP packets are seen...
> > >
> > > I added a route with
> > > # route add <remote-private-ip> gw <remote-public-ip>
> > > ...but still, I see the same result.
> > >
> > > Please help.
> > >
> > > Regards,
> > > Hammad
> > >
> > >
> >
>
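An added example, not from the thread or from Openswan: a small Python model of the FORWARD chain and of the conn's traffic selectors posted above, using only the addresses quoted in the thread. It assumes, as with NETKEY, that the decrypted reply from 10.8.13.113 to 10.5.125.105 traverses FORWARD as a plain packet, and it ignores interface, protocol and state matches, which the posted FORWARD rules do not use.

```python
from ipaddress import ip_address, ip_network

# FORWARD chain exactly as posted (policy DROP), as (target, source, destination).
# The posted rules carry no interface/protocol/state matches, so this is complete.
FORWARD_POLICY = "DROP"
FORWARD_CHAIN = [
    ("DROP",   "0.0.0.0/0",   "10.5.0.0/16"),   # rule 1
    ("ACCEPT", "10.5.0.0/16", "0.0.0.0/0"),     # rule 2
    ("ACCEPT", "0.0.0.0/0",   "10.5.0.0/16"),   # rule 3
]

def forward_verdict(src, dst, chain=FORWARD_CHAIN, policy=FORWARD_POLICY):
    """iptables semantics: the first rule whose source and destination both
    match decides; the chain policy applies when nothing matches.
    Returns (verdict, matching rule number or None)."""
    s, d = ip_address(src), ip_address(dst)
    for num, (target, rule_src, rule_dst) in enumerate(chain, 1):
        if s in ip_network(rule_src) and d in ip_network(rule_dst):
            return target, num
    return policy, None

def shadowed_rules(chain=FORWARD_CHAIN):
    """Rules that can never match because an earlier rule already covers at
    least the same source and destination ranges. Returns [(shadowed, by)]."""
    found = []
    for i, (_, src_i, dst_i) in enumerate(chain, 1):
        for j, (_, src_j, dst_j) in enumerate(chain[: i - 1], 1):
            if (ip_network(src_i).subnet_of(ip_network(src_j))
                    and ip_network(dst_i).subnet_of(ip_network(dst_j))):
                found.append((i, j))
                break
    return found

def covered_by_conn(src, dst, leftsubnet, rightsubnet):
    """Openswan only protects traffic inside the conn's selectors, i.e.
    leftsubnet -> rightsubnet or the reverse; anything else leaves in clear."""
    s, d = ip_address(src), ip_address(dst)
    left, right = ip_network(leftsubnet), ip_network(rightsubnet)
    return (s in left and d in right) or (s in right and d in left)

if __name__ == "__main__":
    # The thread's ping: the request is forwarded, the decrypted reply is not.
    print(forward_verdict("10.5.125.105", "10.8.13.113"))  # ('ACCEPT', 2)
    print(forward_verdict("10.8.13.113", "10.5.125.105"))  # ('DROP', 1)
    print(shadowed_rules())                                # [(3, 1)]
    # Peter's point: the gateway's LAN address lies outside leftsubnet=.105/32,
    # but inside the 10.5.125.96/28 he suggests.
    print(covered_by_conn("10.5.125.100", "10.8.13.113", "10.5.125.105/32", "10.8.13.113/32"))  # False
    print(covered_by_conn("10.5.125.100", "10.8.13.113", "10.5.125.96/28", "10.8.13.113/32"))   # True
```

Rule 3 is fully shadowed by rule 1, so on this model nothing reaches the 10.5.0.0/16 LAN through FORWARD; replying traffic is dropped before the ACCEPT that was meant for it.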