[Openswan Users] Problems with IP routing ctd..

Randy Wyatt rwyatt at nvtl.com
Tue Sep 22 13:29:54 EDT 2009

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, September 22, 2009 10:27 AM
To: Randy Wyatt
Cc: users at openswan.org
Subject: Re: [Openswan Users] Problems with IP routing ctd..

On Mon, 21 Sep 2009, Randy Wyatt wrote:

> We are able to access the left subnet from the right but not vice versa.
>  
> I believe everything except the hostname has been corrected from the previous thread.
> 
> We still have not had any success.
> 
> 
> The barf output is located at http://www.rwwyatt.com/barf.out

I see from it:

Chain POSTROUTING (policy ACCEPT 4 packets, 531 bytes)
  pkts bytes target     prot opt in     out     source               destination
    49  3324 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
     0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
     0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24      !10.0.1.0/24

Note that the lower two MASQUERADE rules will never hit. So the exception for packets
going to 10.0.1.0/24 is never used. Note how it says 0 bytes have hit that rule,
yet 3324 bytes have hit the MASQUERADE rule that breaks IPsec tunnels.

However, you are not hitting that problem yet according to your logs:

Sep 21 15:19:37 (none) authpriv.warn pluto[1665]: "att-to-home" #2: STATE_MAIN_I2: sent MI2, expecting MR2

That's the last message of your client. It means the responder on the
other end silently dropped your last packet. It will likely log why it
did so. So check the logs on the other end.

Paul
[Randy Wyatt] 

It seems we got around the problem by flushing the NAT tables:
iptables -t nat --flush and everything works. Thank you for all of the help.

Regards,
Randy
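Paul's point above is that the two lower MASQUERADE rules sit behind a catch-all that already terminates the chain, so the exception for the 10.0.1.0/24 IPsec subnet can never fire. As an added example (not from the thread, Openswan or iptables), this Python script parses a POSTROUTING listing in the format quoted above and reports rules that an earlier rule fully shadows; the sample listing is constructed from the counters shown above.

```python
import ipaddress

# Constructed sample, in the same format as the barf output quoted in the thread.
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 4 packets, 531 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  3324 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24      !10.0.1.0/24
"""

def parse_rules(listing):
    """Parse the rule lines of an `iptables -t nat -L POSTROUTING -v -n` listing.
    Skips the chain header and column titles; keeps target, out-interface,
    source and destination (every rule in the sample is protocol 'all')."""
    rules = []
    for line in listing.splitlines()[2:]:
        f = line.split()
        if len(f) < 9:
            continue
        src, dst = f[7], f[8]
        rules.append({"target": f[2], "out": f[6],
                      "src": ipaddress.ip_network(src.lstrip("!")),
                      "src_neg": src.startswith("!"),
                      "dst": ipaddress.ip_network(dst.lstrip("!")),
                      "dst_neg": dst.startswith("!")})
    return rules

def covers(wide, narrow):
    """True if `wide` matches every packet `narrow` would match. Since
    MASQUERADE is a terminating target, such a `wide` rule makes `narrow`
    unreachable when it comes first in the chain."""
    if wide["out"] not in ("*", narrow["out"]):
        return False
    for key in ("src", "dst"):
        if wide[key + "_neg"]:
            return False          # a negated match is never treated as a superset
        if narrow[key + "_neg"]:  # "everything except X" is only covered by 0.0.0.0/0
            if wide[key].prefixlen != 0:
                return False
        elif not narrow[key].subnet_of(wide[key]):
            return False
    return True

def shadowed_indices(listing):
    """0-based positions of rules that some earlier rule fully covers."""
    rules = parse_rules(listing)
    return [i for i, r in enumerate(rules) if any(covers(rules[j], r) for j in range(i))]
```

Running `shadowed_indices(SAMPLE)` flags the second and third rules; the usual remedy (an assumption here, not something the thread states) is to place the rule that exempts 192.168.1.0/24 to 10.0.1.0/24 from NAT ahead of the catch-all MASQUERADE, after which the check returns no shadowed rules.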

