[Openswan Users] Routing Lans between 2 Machines.

Martin Rheumer martinr at benon.com
Tue May 12 18:42:01 EDT 2009


Paul,

This was one of the things I kept thinking. The PC that is my "pretend"
internet is in the middle, but I checked.

(thetester)[~]root# iptables -L -v -n
Chain INPUT (policy ACCEPT 116K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 11888 packets, 5922K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 120K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

and

(thetester)[~]root# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 8410 packets, 1147K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3911 packets, 347K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3349 packets, 295K bytes)
 pkts bytes target     prot opt in     out     source               destination


Then the same on pc1 ( mnl )

The iptables output as above

[root at mnl bin]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.14/K2.6.18-128.1.10.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

And on pc2 ( warehouse )

The iptables output as above

[root at warehouse log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.14/K2.6.18-128.1.10.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Any more ideas?

Thanks again
Martin




-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, May 13, 2009 3:43 AM
To: Martin Rheumer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Routing Lans between 2 Machines.

On Tue, 12 May 2009, Martin Rheumer wrote:

> The connection gets established all ok..
>
> 117 "nettonet" #4: STATE_QUICK_I1: initiate
> 004 "nettonet" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
> mode {ESP=>0x35f19368 <0x4229fbff xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
>
> But I get no routing or ability to traceroute etc.

You are likely NAT'ing the IPsec traffic by accident on one or both of
the gateways? Run ipsec verify for some sanity checks.

Paul
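An added example (not from this thread or from Openswan) that applies Paul's check mechanically: it reads a gateway's `iptables -t nat -S POSTROUTING` listing from stdin and reports whether a MASQUERADE or SNAT rule would rewrite traffic bound for the remote subnet before any exemption rule. The subnets 10.0.1.0/24 and 10.0.2.0/24 and both rulesets are constructed; the "fixed" ruleset shows the usual ACCEPT-for-the-tunnel-subnets rule placed ahead of the MASQUERADE.

```shell
#!/bin/sh
# Check whether a POSTROUTING NAT ruleset leaks (rewrites) traffic destined
# for the remote IPsec subnet.  Input: `iptables -t nat -S POSTROUTING`
# output, one rule per line, on stdin.  Exit 0 = exempt, 1 = leaking rule.
nat_leaks_tunnel() {
    nl_remote="$1"
    while read -r line; do
        case "$line" in
            "-P "*) continue ;;   # chain policy line, not a rule
            # an exemption reached before any NAT rule: tunnel traffic is safe
            *"-d $nl_remote "*"-j ACCEPT"*|*"-d $nl_remote "*"-j RETURN"*|\
            *"--pol ipsec"*"-j ACCEPT"*|*"--pol ipsec"*"-j RETURN"*)
                echo "OK: exempt by: $line"; return 0 ;;
            *"-j MASQUERADE"*|*"-j SNAT"*)
                case "$line" in
                    *"! -d $nl_remote "*) continue ;;   # rule excludes the subnet
                esac
                echo "LEAK: $line"; return 1 ;;
        esac
    done
    echo "OK: no NAT rule matches $nl_remote"
    return 0
}

# Constructed sample rulesets (hypothetical, not from the thread).
# A plain masquerade on the outside interface also catches tunnel traffic:
LEAKY='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
# Fixed: exempt local-to-remote traffic before the MASQUERADE rule.
FIXED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

for rules in "$LEAKY" "$FIXED"; do
    if printf '%s\n' "$rules" | nat_leaks_tunnel 10.0.2.0/24; then :; fi
done
```

On a live gateway, feed it with `iptables -t nat -S POSTROUTING | nat_leaks_tunnel <remote-subnet>`; an empty nat table, as in Martin's listing, reports OK.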


