[Openswan Users] ipsec with zywall : can't ping

Issany Reza issanyr at gmail.com
Thu Nov 20 10:13:34 EST 2008


It's ok now. Thanks.

On Thu, Nov 20, 2008 at 3:12 PM, Peter McGill <petermcgill at goco.net> wrote:

> Reza,
>
> Your firewall rules are wrong, IPSec uses protocol 50 not port 50.
> The IPSec permit rules should look like this:
> iptables -A INPUT -i eth1 -p 50 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT
>
> Did you permit the subnet traffic through your firewall?
> You must do that for the traffic to pass.
> If using NETKEY:
> iptables -A INPUT -i eth1 -s 192.168.10.0/24 -j ACCEPT
> iptables -A FORWARD -i eth1 -s 192.168.10.0/24 -j ACCEPT
> If using KLIPS then substitute eth1 for ipsec0.
> Or better yet for NETKEY, mark the incoming IPSec packets, then
> permit marked packets on INPUT and FORWARD.
>
> Peter
>
> Issany Reza wrote:
>
>> Hello,
>>
>> I'm trying to configure ipsec with a zywall 2 plus router.
>> I have successfully connected the zywall to my openswan box (debian +
>> openswan).
>> I'm using NETKEY. The server only has the public interface; I have
>> created a new one:
>>
>> 192.168.2.1/24 ---- public ip of openswanbox --------- BOX ------------------ public ip of zywall --- 192.168.10.0/24
>>
>> 000 #4: "techvar":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 27737s; newest IPSEC; eroute owner; isakmp#1; idle;
>> import:admin initiate
>> 000 #4: "techvar" esp.531534b@217.128.239.227 esp.fea97a54@88.191.91.113
>> tun.0@217.128.239.227 tun.0@88.191.91.113 ref=0 refhim=4294901761
>> 000 #1: "techvar":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 2330s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle;
>> import:admin initiate
>>
>> But, from each side, I can't ping anything on the other LAN subnet.
>>
>> I had this route in the zywall:
>>
>> Destination
>> 192.168.2.0 / 255.255.255.0
>>
>> Gateway
>> 192.168.10.1
>>
>> I can ping the server (192.168.2.1).
>>
>> If I add this route in the server:
>> route add -net 192.168.10.0/24 gw 192.168.2.1
>>
>> I can ping the router (192.168.10.1) but I can't ping any of the PCs
>> connected in the subnet 192.168.10.0/24.
>>
>> conn techvar
>>        #local
>>        left=88.191.91.113
>>        leftsubnet=192.168.2.0/24
>>        leftid=88.191.91.113
>>        authby=secret
>>        pfs=yes
>>        auth=esp
>>        aggrmode=no
>>        disablearrivalcheck=no
>>        esp=3des-md5-96
>>        # remote
>>        right=217.128.239.227
>>        rightsubnet=192.168.10.0/24
>>        rightid=217.128.239.227
>>        auto=start
>>
>> I'm using iptables on the server :
>> # IPSEC
>> iptables -A INPUT -i eth1 -p tcp --dport 50 -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 51 -j ACCEPT
>> iptables -A INPUT -i eth1 -p udp --destination-port 500 -j ACCEPT
>>
>> Any idea how to solve this problem?
>> --
>> - reza -
>>
>>
>


-- 
- reza -
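Peter's two points, that ESP is IP protocol 50 rather than a port and that the decrypted subnet traffic still has to be accepted on INPUT and FORWARD, as a small script. This is an added example and not code from the thread or from Openswan: the function names, the mark value 1 and the "netkey-mark" reading of Peter's "mark the incoming IPSec packets" suggestion are this example's own choices; the interface eth1 and the subnet 192.168.10.0/24 are the values from Reza's post. The script prints the rules rather than applying them, and it lints an existing rule list (here, Reza's original three rules, embedded as constructed input) for the port-50/51 mistake.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan: generate the IPsec
# firewall rules Peter describes, and lint a rule list for the "port 50"
# mistake in the original post. Function names and the mark value (1) are
# this example's own choices.

# Print the rules for one tunnel endpoint instead of applying them, so they
# can be reviewed (or piped to sh) on the real box.
#   $1 = public interface (eth1 in the thread)
#   $2 = remote LAN (192.168.10.0/24 in the thread)
#   $3 = "netkey", "klips" or "netkey-mark"
ipsec_rules() {
    iface=$1; subnet=$2; stack=$3
    # IKE is UDP/500; ESP is IP protocol 50, matched with -p 50, not --dport.
    echo "iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $iface -p 50 -j ACCEPT"
    case "$stack" in
        netkey)
            # NETKEY hands the decrypted packet back on the same interface.
            echo "iptables -A INPUT -i $iface -s $subnet -j ACCEPT"
            echo "iptables -A FORWARD -i $iface -s $subnet -j ACCEPT" ;;
        klips)
            # KLIPS delivers decrypted packets on the virtual ipsec0 interface.
            echo "iptables -A INPUT -i ipsec0 -s $subnet -j ACCEPT"
            echo "iptables -A FORWARD -i ipsec0 -s $subnet -j ACCEPT" ;;
        netkey-mark)
            # Peter's preferred variant: mark the ESP packets in PREROUTING.
            # The mark survives decryption, so only traffic that really came
            # through the tunnel is accepted; a cleartext packet on $iface
            # that merely claims a source in $subnet carries no mark.
            echo "iptables -t mangle -A PREROUTING -i $iface -p 50 -j MARK --set-mark 1"
            echo "iptables -A INPUT -i $iface -m mark --mark 1 -j ACCEPT"
            echo "iptables -A FORWARD -i $iface -m mark --mark 1 -j ACCEPT" ;;
        *)
            echo "ipsec_rules: unknown stack '$stack'" >&2; return 1 ;;
    esac
}

# Lint a rule list read from stdin: ESP (50) and AH (51) are IP protocols,
# so a rule matching them as a TCP/UDP destination port never matches the
# tunnel. Prints each offending rule; returns 1 if any were found, else 0.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        # Normalise the long option and pad with a space so that "--dport 50"
        # does not also match the legitimate "--dport 500" (IKE).
        norm=$(printf '%s ' "$line" | sed 's/--destination-port/--dport/g')
        case "$norm" in
            *"-p tcp "*"--dport 50 "*|*"-p tcp "*"--dport 51 "*|*"-p udp "*"--dport 50 "*|*"-p udp "*"--dport 51 "*)
                echo "BAD (ESP/AH are protocols 50/51, not ports): $line"
                bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample input: the three rules from the original post.
ORIGINAL_RULES='iptables -A INPUT -i eth1 -p tcp --dport 50 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 51 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --destination-port 500 -j ACCEPT'

# Stand-alone run: report the bad rules, then print a corrected NETKEY set.
printf '%s\n' "$ORIGINAL_RULES" | lint_rules || echo "--- replace with:"
ipsec_rules eth1 192.168.10.0/24 netkey
```

The plain `-s $subnet` rules on eth1 under NETKEY accept any packet arriving on eth1 with that source, whether or not it came out of the tunnel, which is why Peter calls the mark approach "better yet". Current iptables also ships a policy match (`-m policy --dir in --pol ipsec`) that matches packets the kernel decapsulated; it is mentioned here as a newer option, not as something the 2008 thread used.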