[Openswan Users] weird problem
Maverick
maverick.pt at gmail.com
Thu Sep 24 17:56:46 EDT 2009
Ok, now I'm not NATing the ipsec interface anymore, and I even changed from
klips back to netkey.
I still can't access the other site networks, but they can access my lan.
I've seen that even if I put my LAN ip on the left parameter ipsec doesn't
use nat_traversal, it seems it adopts my WAN1 ip address because it is the
leftid.
Any ideas?
My IPs:
LAN - eth0 - 192.168.2.254
WAN - eth3 - 84.138.246.190
----------------------------
ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual_private=%v4:192.168.2.0/24
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. netkey,klips,mast,auto or none
protostack=netkey
plutostderrlog=/var/log/ipsec.log
include /etc/ipsec.d/*.conf
-------------------------
mytunnel conf:
conn cisco
type=tunnel
authby=secret
left=192.168.2.254
leftsubnet=192.168.2.0/24
leftid=84.138.246.190
right=194.61.122.79
rightsubnets={10.112.15.40/32, 10.112.15.3/32, 10.112.15.123/32, 10.112.15.171/32}
rightid=194.61.122.79
keyexchange=ike
ike=aes256-sha1-modp1024
esp=aes256-sha1
pfs=yes
auto=add
------------------------------
Iptables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 -o eth3 -j MASQUERADE
-A PREROUTING -i eth3 -p tcp -m tcp -m multiport --dports 25,80,443,465,993,1194,3000 -j DNAT --to-destination 192.168.2.253
-A PREROUTING -i eth3 -p udp -m udp -m multiport --dports 1194 -j DNAT --to-destination 192.168.2.253
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp -m multiport --dports 22,902,3260,5901,9222,9333 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp -m multiport --dports 161,162,177 -j ACCEPT
-A INPUT -i eth3 -m state --state NEW -m tcp -p tcp -m multiport --dports 25,465,993,1194,3000 -j ACCEPT
-A INPUT -i eth3 -m state --state NEW -m udp -p udp -m multiport --dports 1194 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o eth3 -j ACCEPT
-A FORWARD -i eth3 -m state --state NEW -m tcp -p tcp -d 192.168.2.253 -m multiport --dports 25,80,443,465,993,1194,3000 -j ACCEPT
-A FORWARD -i eth3 -m state --state NEW -m udp -p udp -d 192.168.2.253 -m multiport --dports 1194
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Saturday, 12 September 2009 21:43
To: Maverick
Cc: users at openswan.org
Subject: RE: [Openswan Users] weird problem
On Sat, 12 Sep 2009, Maverick wrote:
> Ok, but that POSTROUTING rule I added after I detected the problem, I just
> removed it again and I still can't access the machines on the other side of
> the tunnel.
The other one is also a problem. You need to exclude the remote subnet
from being NAT'ed using -d \!a.b.c.0/24
Paul
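The NAT exclusion Paul describes, worked through for the rightsubnets in this post as an added example (not code from the thread or from Openswan): it parses the conn block, emits POSTROUTING rules that ACCEPT tunnel-bound traffic ahead of the MASQUERADE rule (one ACCEPT per remote subnet instead of a single negated -d, because rightsubnets lists four hosts), and simulates first-match evaluation to show why the original single MASQUERADE rule breaks the tunnel. The function names and the simulator are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the conn in the post above; indentation added for readability.
CONN = """conn cisco
    left=192.168.2.254
    leftsubnet=192.168.2.0/24
    right=194.61.122.79
    rightsubnets={10.112.15.40/32, 10.112.15.3/32, 10.112.15.123/32,
                  10.112.15.171/32}
"""

def parse_subnets(conn_text, key):
    """Return the CIDR list for leftsubnet/rightsubnet(s); braces may span lines."""
    m = re.search(r"^\s*%s=(\{[^}]*\}|\S+)" % re.escape(key), conn_text, re.M)
    if not m:
        return []
    raw = m.group(1).strip("{}")
    return [str(ip_network(s)) for s in re.split(r"[,\s]+", raw) if s]

def nat_exclusion_rules(local_subnet, remote_subnets, wan_if):
    """POSTROUTING fragment for iptables-restore.

    Order matters: the ACCEPT lines must come before MASQUERADE so packets
    for the remote subnets leave with their real LAN source and match the
    IPsec policy instead of being rewritten to the WAN address."""
    rules = ["-A POSTROUTING -s %s -d %s -j ACCEPT" % (local_subnet, net)
             for net in remote_subnets]
    rules.append("-A POSTROUTING -s %s -o %s -j MASQUERADE" % (local_subnet, wan_if))
    return rules

def is_masqueraded(rules, src, dst, out_if="eth3"):
    """First-match walk over -s/-d/-o/-j rules; True if MASQUERADE is hit."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        opts = dict(re.findall(r"-(s|d|o|j) (\S+)", rule))
        if "s" in opts and src not in ip_network(opts["s"]):
            continue
        if "d" in opts and dst not in ip_network(opts["d"]):
            continue
        if "o" in opts and opts["o"] != out_if:
            continue
        return opts.get("j") == "MASQUERADE"
    return False  # chain policy ACCEPT: no NAT

if __name__ == "__main__":
    remote = parse_subnets(CONN, "rightsubnets")
    for line in nat_exclusion_rules("192.168.2.0/24", remote, "eth3"):
        print(line)
```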