[Openswan Users] Fedora 8 and Netscreen
Peter McGill
petermcgill at goco.net
Thu May 8 15:03:55 EDT 2008
Michael,
I believe the missing leftsourceip was half your problem, keep it.
I also noticed in your barf that you're MASQing on ppp0.
> Chain POSTROUTING (policy ACCEPT 68625 packets, 6027K bytes)
> pkts bytes target prot opt in out source destination
> 1643 531K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
> 1279K 79M MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
This is undoing what leftsourceip does, making it ineffective.
You fix it by exempting your ipsec traffic from the MASQing.
In your firewall script you should have a rule similar to...
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Insert the following rule before that existing rule.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.1/32 -d 192.127.220.100/32 -j ACCEPT
This will exempt your vpn traffic from the MASQ rule, which you should always do.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: Michael Lavallee [mailto:mlavalle at hotmail.com]
> Sent: May 8, 2008 2:43 PM
> To: petermcgill at goco.net; users at openswan.org
> Subject: Re: [Openswan Users] Fedora 8 and Netscreen
>
> Peter McGill wrote:
> > However, the subnet definitions you're using only route traffic
> > between two computers (192.168.3.1 and 192.127.220.100)
> through the tunnel.
> > All other traffic will use the internet without encryption.
> > You need to run the traceroute and telnet from your
> 192.168.3.1 machine.
> > And you can only communicate with 192.127.220.100 on the
> remote end, nothing else.
> > If 192.168.3.1 is also the computer which runs openswan
> then add this:
> > leftsourceip=192.168.3.1
> > Otherwise linux will default to the internet address as the
> source and it won't go
> > through the tunnel.
> >
>
> 192.168.3.1 is the computer that runs openswan, so I added the
> leftsourceip and restarted the service and the tunnel came back up
> okay. From that box (192.168.3.1) I tried to telnet to the
> other side
> (192.127.220.100) but it failed, so I ran a traceroute, and it still
> shows the traffic going outside the tunnel, which from what I think I
> know, is wrong.
>
> traceroute to 192.127.220.100 (192.127.220.100), 30 hops max, 40 byte
> packets
> 1 nrba-dsl.onlink.net (209.105.204.1) 28.219 ms 28.181 ms
> 29.970 ms
> 2 10.127.2.1 (10.127.2.1) 32.134 ms 34.034 ms 37.471 ms
> 3 10.127.0.22 (10.127.0.22) 37.885 ms 39.817 ms 41.228 ms
> 4 sdbrem02.ontera.ca (209.105.192.217) 42.153 ms * *
> 5 * * *
>
> I have the ipsec_barf, I wasn't sure if it was appropriate to post it
> here (message size) so I stuck it up at
> http://www.stellarimagination.com/ipsec_barf.txt
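As an added illustration of the rule-ordering point in Peter's reply (this is not code from the thread or from Openswan): a small checker that parses a nat POSTROUTING listing in the `iptables -t nat -L POSTROUTING -v -n` format quoted above and walks it top-down the way netfilter does, so you can see that the tunnel's host-to-host traffic hits MASQUERADE in the original chain and hits the ACCEPT exemption once it is inserted in front. The two chain listings are constructed samples based on the one in the barf.

```python
import ipaddress

# Constructed sample: the nat POSTROUTING chain quoted in the thread,
# as "iptables -t nat -L POSTROUTING -v -n" prints it.
BEFORE = """\
Chain POSTROUTING (policy ACCEPT 68625 packets, 6027K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1643  531K MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
1279K   79M MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample: same chain after the exemption rule from the reply
# has been inserted in front of the ppp0 MASQUERADE rule.
AFTER = """\
Chain POSTROUTING (policy ACCEPT 68625 packets, 6027K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1643  531K MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp0    192.168.3.1          192.127.220.100
1279K   79M MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
"""

def parse_chain(listing):
    """Return (policy, rules); each rule is a dict of the -L -v -n columns."""
    lines = listing.strip().splitlines()
    policy = lines[0].split("(policy ")[1].split()[0]
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." line and the column header
        f = line.split()
        rules.append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                      "src": ipaddress.ip_network(f[7]),   # bare host -> /32
                      "dst": ipaddress.ip_network(f[8])})
    return policy, rules

def first_match(listing, src, dst, out_if):
    """Walk the chain top-down; return the first matching target, else the chain policy."""
    policy, rules = parse_chain(listing)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["out"] not in ("*", out_if):
            continue
        if src in r["src"] and dst in r["dst"]:
            return r["target"]
    return policy

def tunnel_traffic_masqueraded(listing, left, right, out_if):
    """True when left->right packets leaving out_if get source-NATed, undoing leftsourceip."""
    return first_match(listing, left, right, out_if) == "MASQUERADE"

if __name__ == "__main__":
    for name, chain in (("before", BEFORE), ("after", AFTER)):
        hit = first_match(chain, "192.168.3.1", "192.127.220.100", "ppp0")
        print(f"{name}: tunnel traffic out ppp0 hits {hit}")
```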