[Openswan Users] Fedora 8 and Netscreen
petermcgill at goco.net
Thu May 8 15:03:55 EDT 2008
I believe the missing leftsourceip was half your problem, keep it.
I also noticed in your barf that your MASQing on ppp0.
> Chain POSTROUTING (policy ACCEPT 68625 packets, 6027K bytes)
> pkts bytes target prot opt in out source destination
> 1643 531K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
> 1279K 79M MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
This is undoing what leftsourceip does, making it ineffective.
You fix it by exempting your ipsec traffic from the MASQing.
In your firewall script you should have a rule similar too...
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Insert the following rule before that existing rule.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.1/32 -d 22.214.171.124/32 -j ACCEPT
This will exempt your vpn traffic from the MASQ rule, which you should always do.
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: Michael Lavallee [mailto:mlavalle at hotmail.com]
> Sent: May 8, 2008 2:43 PM
> To: petermcgill at goco.net; users at openswan.org
> Subject: Re: [Openswan Users] Fedora 8 and Netscreen
> Peter McGill wrote:
> > However, the subnet definitions your using only route traffic
> > between two computers (192.168.3.1 and 126.96.36.199)
> through the tunnel.
> > All other traffic will use the internet without encryption.
> > You need to run the traceroute and telnet from your
> 192.168.3.1 machine.
> > And you can only communicate with 188.8.131.52 on the
> remote end, nothing else.
> > If 192.168.3.1 is also the computer which runs openswan
> then add this:
> > leftsourceip=192.168.3.1
> > Otherwise linux will default to the internet address as the
> source and it won't go
> > through the tunnel.
> 192.168.3.1 is the computer that runs openswan, so I added the
> leftsourceip and restarted the service and the tunnel came back up
> okay. From that box (192.168.3.1) I tried to telnet to the
> other side
> (184.108.40.206) but it failed, so I ran a traceroute, and it still
> shows the traffic going outside the tunnel, which from what I think I
> know, is wrong.
> traceroute to 220.127.116.11 (18.104.22.168), 30 hops max, 40 byte
> 1 nrba-dsl.onlink.net (22.214.171.124) 28.219 ms 28.181 ms
> 29.970 ms
> 2 10.127.2.1 (10.127.2.1) 32.134 ms 34.034 ms 37.471 ms
> 3 10.127.0.22 (10.127.0.22) 37.885 ms 39.817 ms 41.228 ms
> 4 sdbrem02.ontera.ca (126.96.36.199) 42.153 ms * *
> 5 * * *
> I have the ipsec_barf, I wasn't sure if it was appropriate to post it
> here (message size) so I stuck it up at
More information about the Users