[Openswan Users] weird problem

Marek Greško gresko at thr.sk
Fri Sep 25 03:56:48 EDT 2009


On Thu 24 September 2009 Maverick wrote:
> Ok, now i'm not nating the ipsec interface anymore, and i even changed from
> klips back to netkey.
> 
> I still can't access the other site networks, but they can access my lan.
> 
> I've seen that even if I put my LAN ip on the left parameter ipsec doesn't
> use nat_traversal, it seems it adopts my WAN1 ip address because it is the
> leftid.
> 
> Any ideas?
> 
> 
> My IPs:
> 
> LAN - eth0 - 192.168.2.254
> WAN - eth3 - 84.138.246.190
> 
> ----------------------------
> 
> ipsec.conf:
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> config setup
>         nat_traversal=yes
>         # exclude networks used on server side by adding %v4:!a.b.c.0/24
>         virtual_private=%v4:192.168.2.0/24
>         # OE is now off by default. Uncomment and change to on, to enable.
>         oe=off
>         # which IPsec stack to use. netkey,klips,mast,auto or none
>         protostack=netkey
>         plutostderrlog=/var/log/ipsec.log
> 
> include /etc/ipsec.d/*.conf
> 
> -------------------------
> 
> mytunnel conf:
> 
> conn cisco
>         type=tunnel
>         authby=secret
>         left=192.168.2.254

left=84.138.246.190

>         leftsubnet=192.168.2.0/24

leftsourceip=192.168.2.254

>         leftid=84.138.246.190
>         right=194.61.122.79
>         rightsubnets={10.112.15.40/32, 10.112.15.3/32, 10.112.15.123/32, 10.112.15.171/32}
>         rightid=194.61.122.79
>         keyexchange=ike
>         ike=aes256-sha1-modp1024
>         esp=aes256-sha1
>         pfs=yes
>         auto=add
> 

Hope this helps.

M.


> ------------------------------
> 
> Iptables:
> 
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *nat
> 
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> 
> -A POSTROUTING -s 192.168.2.0/24 -o eth3 -j MASQUERADE
> -A PREROUTING -i eth3 -p tcp -m tcp -m multiport --dports
> 25,80,443,465,993,1194,3000 -j DNAT --to-destination 192.168.2.253
> -A PREROUTING -i eth3 -p udp -m udp -m multiport --dports 1194 -j DNAT
> --to-destination 192.168.2.253
> COMMIT
> *filter
> 
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> 
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp -m multiport --dports
> 22,902,3260,5901,9222,9333 -j ACCEPT
> -A INPUT -i eth0 -m state --state NEW -m udp -p udp -m multiport --dports
> 161,162,177 -j ACCEPT
> -A INPUT -i eth3 -m state --state NEW -m tcp -p tcp -m multiport --dports
> 25,465,993,1194,3000 -j ACCEPT
> -A INPUT -i eth3 -m state --state NEW -m udp -p udp -m multiport --dports
> 1194 -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -o eth3 -j ACCEPT
> -A FORWARD -i eth3 -m state --state NEW -m tcp -p tcp -d 192.168.2.253 -m
> multiport --dports 25,80,443,465,993,1194,3000 -j ACCEPT
> -A FORWARD -i eth3 -m state --state NEW -m udp -p udp -d 192.168.2.253 -m
> multiport --dports 1194 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> 
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Saturday, 12 September 2009 21:43
> To: Maverick
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] weird problem
> 
> On Sat, 12 Sep 2009, Maverick wrote:
> > Ok, but that POSTROUTING rule i added after I detected the problem, I
> > just removed it again and I still can't access the machines on the other
> > side
> 
> of
> 
> > the tunnel.
> 
> The other one is also a problem. You need to exclude the remote subnet
> from being NAT'ed using -d \!a.b.c.0/24
> 
> Paul
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 


-- 
Marek Greško
system administrator
THR Systems, a. s.
tel.: +421 650 52 00 24

Our company is constantly creating new jobs, so don't overlook
our offer: http://www.thrsystems.com/2006/sk/ospolocnosti/index.php#kariera
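An added example, not part of the thread, that puts Paul's NAT-exclusion advice into a form covering all four of Maverick's rightsubnets. Interface names, the LAN network and the remote /32s are as posted; the shell function and variable names are this example's own assumptions, and nothing here is Openswan's or the list's code.

```shell
#!/bin/sh
# Added example, not from the thread: build the *nat stanza so that LAN
# traffic bound for the tunnel's remote hosts is never MASQUERADEd.
# Interfaces, networks and remote /32s follow Maverick's post; the
# function and variable names are assumptions made for this example.

WAN_IF="eth3"
LAN_NET="192.168.2.0/24"
# the four hosts listed in rightsubnets={...}
REMOTE_NETS="10.112.15.40/32 10.112.15.3/32 10.112.15.123/32 10.112.15.171/32"

# nat_stanza prints an iptables-restore fragment. Paul's "-d ! a.b.c.0/24"
# covers one remote subnet; with several, one ACCEPT per subnet placed
# ahead of MASQUERADE does the same job: ACCEPT is terminating in the nat
# table, so a matching connection gets no SNAT and arrives at the peer
# with its real 192.168.2.x source, which is what leftsubnet promised.
nat_stanza() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for net in $REMOTE_NETS; do
        printf '%s\n' "-A POSTROUTING -s $LAN_NET -d $net -o $WAN_IF -j ACCEPT"
    done
    # everything else from the LAN is still masqueraded; rule order matters
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# exempt_before_masq prints "yes" when every exemption precedes MASQUERADE
# and "no" otherwise: the sanity check to run before loading the rules.
exempt_before_masq() {
    nat_stanza | awk '
        /-j ACCEPT$/     { if (seen_masq) bad = 1 }
        /-j MASQUERADE$/ { seen_masq = 1 }
        END { if (bad || !seen_masq) print "no"; else print "yes" }'
}

# Load with:   nat_stanza | iptables-restore
# (only the *nat table appears in the input, so *filter is left untouched)
# Verify with: iptables -t nat -L POSTROUTING -n -v
```

The DNAT rules for 192.168.2.253 are unaffected, since they live in PREROUTING. On a netkey stack a subnet-independent alternative (not discussed in the thread) is a single `-m policy --dir out --pol ipsec -j ACCEPT` in nat POSTROUTING before MASQUERADE, which exempts whatever the kernel is about to encrypt without having to keep the exemption list in step with rightsubnets.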

