[Openswan Users] ipsec with zywall : can't ping

Peter McGill petermcgill at goco.net
Thu Nov 20 09:12:15 EST 2008


Reza,

Your firewall rules are wrong: IPSec uses protocol 50, not port 50.
The IPSec permit rules should look like this:
iptables -A INPUT -i eth1 -p 50 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT

Did you permit the subnet traffic through your firewall?
You must do that for the traffic to pass.
If using NETKEY:
iptables -A INPUT -i eth1 -s 192.168.10.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.10.0/24 -j ACCEPT
If using KLIPS, then use ipsec0 in place of eth1.
Or better yet for NETKEY, mark the incoming IPSec packets, then
permit marked packets on INPUT and FORWARD.

Peter

Issany Reza wrote:
> Hello,
> 
> I'm trying to configure ipsec with a zywall 2 plus router.
> I have successfully connected the zywall to my openswan box (debian +
> openswan).
> I'm using NETKEY. The server is a server that only has the public
> interface. I have created a new one:
> 
> 192.168.2.1/24 ---- public ip of openswanbox
> --------- BOX ------------------ public ip of zywall ---
> 192.168.10.0/24
> 
> 000 #4: "techvar":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 27737s; newest IPSEC; eroute owner; isakmp#1; idle;
> import:admin initiate
> 000 #4: "techvar" esp.531534b@217.128.239.227 esp.fea97a54@88.191.91.113
> tun.0@217.128.239.227 tun.0@88.191.91.113 ref=0 refhim=4294901761
> 000 #1: "techvar":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2330s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
> idle; import:admin initiate
> 
> But, from each side, I can't ping any of other LAN subnet.
> 
> I had this route in the zywall:
> 
> Destination
> 192.168.2.0 / 255.255.255.0
> 
> Gateway
> 192.168.10.1
> 
> I can ping the server (192.168.2.1).
> 
> If I add this route in the server:
> route add -net 192.168.10.0/24 gw 192.168.2.1
> 
> I can ping the router (192.168.10.1) but I can't
> ping any of the PCs connected to the subnet 192.168.10.0/24
> 
> conn techvar
>         #local
>         left=88.191.91.113
>         leftsubnet=192.168.2.0/24
>         leftid=88.191.91.113
>         authby=secret
>         pfs=yes
>         auth=esp
>         aggrmode=no
>         disablearrivalcheck=no
>         esp=3des-md5-96
>         # remote
>         right=217.128.239.227
>         rightsubnet=192.168.10.0/24
>         rightid=217.128.239.227
>         auto=start
> 
> I'm using iptables on the server :
> # IPSEC
> iptables -A INPUT -i eth1 -p tcp --dport 50 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 51 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --destination-port 500 -j ACCEPT
> 
> Any idea to solve this problem?
> -- 
> - reza -
> 
> 
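The rule set below is an added example, not code from either message in this thread. It turns Peter's reply into a small script: a function that emits the correct iptables rules for a NETKEY gateway (ESP and AH matched as IP protocols, IKE on UDP/500) and a second function that audits a list of rules for the port-instead-of-protocol mistake in Reza's original rules, which are embedded as constructed input. Two things go beyond what the thread states and are this example's own choices: UDP/4500 is added for NAT-Traversal, and the decrypted subnet traffic is permitted with the iptables policy match (`-m policy --dir in --pol ipsec`) rather than by marking packets, which serves the same purpose Peter describes. The interface name eth1 and the subnet 192.168.10.0/24 are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the iptables rules for an
# Openswan/NETKEY gateway that Peter's reply describes, and audits a rule
# list for the port-vs-protocol mistake in the quoted message. The interface
# name (eth1) and the remote subnet are taken from the thread; using the
# policy match instead of packet marks is this example's choice.

# Print the IPsec firewall rules for a NETKEY gateway.
#   $1 = public interface, $2 = remote (rightsubnet) prefix
# ESP and AH are IP protocols 50 and 51, so they are matched with -p, never
# with --dport. iptables resolves the names via /etc/protocols, so
# "-p esp" is the same rule as "-p 50". IKE is UDP/500; UDP/4500 is
# NAT-Traversal, needed when either peer is behind NAT.
ipsec_fw_rules() {
    iface=$1
    remote=$2
    printf 'iptables -A INPUT -i %s -p esp -j ACCEPT\n' "$iface"
    printf 'iptables -A INPUT -i %s -p ah -j ACCEPT\n' "$iface"
    printf 'iptables -A INPUT -i %s -p udp --dport 500 -j ACCEPT\n' "$iface"
    printf 'iptables -A INPUT -i %s -p udp --dport 4500 -j ACCEPT\n' "$iface"
    # With NETKEY the decrypted inner packets re-enter the stack on the same
    # public interface, so a plain "-i eth1 -s <remote>" rule would also
    # accept a spoofed cleartext packet carrying that source address. The
    # policy match (xt_policy) only accepts packets that were really
    # decapsulated from an ESP SA, which is what Peter's "mark, then permit
    # marked packets" achieves.
    printf 'iptables -A INPUT -i %s -s %s -m policy --dir in --pol ipsec --proto esp -j ACCEPT\n' "$iface" "$remote"
    printf 'iptables -A FORWARD -i %s -s %s -m policy --dir in --pol ipsec --proto esp -j ACCEPT\n' "$iface" "$remote"
}

# Audit: read iptables rules on stdin and print every rule that tries to
# match ESP (50) or AH (51) as a TCP/UDP port. Returns 1 if any were found,
# 0 if the rule set is clean. The trailing "( |$)" keeps port 500 (IKE)
# from being flagged.
audit_ipsec_rules() {
    bad=$(grep -E -- '-p (tcp|udp) .*--(dport|destination-port) 5[01]( |$)')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# The three rules from the quoted message (constructed input for the audit).
OP_RULES='iptables -A INPUT -i eth1 -p tcp --dport 50 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 51 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --destination-port 500 -j ACCEPT'

# Stand-alone run: flag the wrong rules, then print the corrected set for
# eth1 and the remote LAN 192.168.10.0/24 (nothing is applied to the kernel).
echo "# Audit of the posted rules:"
printf '%s\n' "$OP_RULES" | audit_ipsec_rules \
    || echo "# -> ESP/AH matched as TCP ports; use -p esp / -p ah instead"
echo "# Corrected rules:"
ipsec_fw_rules eth1 192.168.10.0/24
```

The script only prints rules; pipe its output through `sh` on the gateway to apply them, and check the result with `iptables -L INPUT -v -n` while pinging from the remote LAN: the ESP counter and the policy-match counter should both increase, and if only the ESP counter moves the inner packets are being dropped by a later rule or default policy.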