[Openswan Users] Roadwarrior setup only works from Server to Client
Markus Ewald
cygon at nuclex.org
Tue Dec 7 05:13:35 EST 2010
Hi!
I'm struggling to get an IPsec VPN from a local client (with dynamic IP)
to a remote server (provided through a LANCOM router) working. The
client successfully connects to the VPN, but is then unable to ping the
server -- whereas the server *can* ping the client.
My local client (Linux PC with OpenSwan)
- Interface ppp0 with public (but dynamic) IP
- Interface eth0 (LAN) with IP 192.168.124.1
- Provides NAT for other LAN participants
Server I connect to (LANCOM router)
- Static public IP a.b.c.d
- Routes to LAN 192.168.248.1
Here's what I have in my ipsec.conf:
conn nwsi
        left=%defaultroute            # dynamic IP
        leftid=@myid
        leftsubnet=192.168.124.0/24
        right=a.b.c.d
        rightid=@serverid
        rightsubnet=192.168.248.0/24
        # ...encryption-related settings...
After establishing a connection, OpenSwan adds this route:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.248.0   *               255.255.255.0   U     0      0        0 ppp0
I'm not sure having '*' as gateway is right. Should that be 192.168.248.1?
My firewall is set up like this:
# Don't filter LAN traffic, we trust the LAN
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Enable incoming pings
iptables -A INPUT -i ppp0 -s 0/0 -p icmp --icmp-type 8 -j ACCEPT
# Deny any packet coming in on the public internet interfaces
# claiming to be from our local network:
iptables -A INPUT -i ppp0 -s 192.168.124.0/24 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
# Allow already established connections
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming IPsec traffic
iptables -A INPUT -i ppp0 -p udp --dport 500 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4500 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p esp -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p ah -m state --state NEW -j ACCEPT
# Reject everything else
iptables -A INPUT -j REJECT
# Allow server to be used as a gateway to the internet
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# Forward packets for established connections back to the sender
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject everything else
iptables -A FORWARD -j REJECT
# Perform NAT for any packets routed to us targeting ppp0
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
#iptables -A POSTROUTING -t nat -o ppp0 ! -d 192.168.248.0/24 -j MASQUERADE
I tried running 'tcpdump | grep 248' while pinging (and attempting to
access a HTTP server in the 248 net) but no output is generated.
Can anyone spot the problem or give me any hints on how I could debug this
further?
-Markus-
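Editor's note, with an added example that is not part of Markus' post or of Openswan itself. The rule set above masquerades everything that leaves ppp0. With the NETKEY IPsec stack, the nat/POSTROUTING hook sees the plaintext packet before xfrm encapsulates it, so a packet from 192.168.124.x to 192.168.248.x gets its source rewritten to the ppp0 address, no longer matches the leftsubnet/rightsubnet policy, and leaves the box in the clear rather than inside the tunnel. The script below shows the rule set as posted next to two ways of exempting tunnelled traffic from NAT (the commented-out destination-based line from the post, and the `policy` match), plus a check that can be run against a live `iptables -t nat -S POSTROUTING`. Interface and subnet names are taken from the post; the `IPT` variable is an assumption added so the rules can be dry-run with `IPT=echo`.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or Openswan): NAT
# exemption for IPsec-protected traffic on a road-warrior gateway, plus a
# check for an existing rule set. Addresses and interface names are those
# in the post; IPT defaults to iptables but can be set to "echo" for a dry run.
IPT=${IPT:-iptables}
WAN=ppp0
REMOTE_NET=192.168.248.0/24

# The rule as posted: everything leaving ppp0 is masqueraded. Under NETKEY,
# nat/POSTROUTING runs on the plaintext packet before xfrm encapsulates it,
# so a 192.168.124.x -> 192.168.248.x packet is rewritten to the ppp0
# address, falls outside the leftsubnet/rightsubnet policy and is sent
# unencrypted instead of through the tunnel.
nat_rules_as_posted() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Variant A (the commented-out line in the post): exempt by destination.
nat_rules_exempt_by_dest() {
    $IPT -t nat -A POSTROUTING -o "$WAN" ! -d "$REMOTE_NET" -j MASQUERADE
}

# Variant B: exempt by IPsec policy. Anything xfrm is going to encapsulate
# on the way out is accepted (left un-NATed) before the catch-all
# MASQUERADE. This follows the SPD, so it keeps working if further subnets
# are added to the conn later.
nat_rules_exempt_by_policy() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Check a rule listing fed on stdin (output of `iptables -t nat -S POSTROUTING`
# or a dry run of the functions above). Returns 0 if there is no MASQUERADE
# rule at all, or if an exemption (policy match or "! -d REMOTE_NET") appears
# at or before the first MASQUERADE rule; returns 1 otherwise, because
# netfilter takes the first matching rule and the exemption would never fire.
exemption_precedes_masquerade() {
    awk -v net="$REMOTE_NET" '
        !masq && (/--pol ipsec/ || index($0, "! -d " net) > 0) { ok = 1 }
        /-j MASQUERADE/ { masq = 1 }
        END { exit (ok || !masq) ? 0 : 1 }
    '
}

# Usage on the gateway (as root), after flushing the old catch-all rule:
#   iptables -t nat -F POSTROUTING && nat_rules_exempt_by_policy
#   iptables -t nat -S POSTROUTING | exemption_precedes_masquerade \
#       && echo "tunnelled traffic is exempt from NAT"
```

Two checks worth making alongside the rule change: capture on the WAN interface explicitly (`tcpdump -ni ppp0 esp or net 192.168.248.0/24`), since a bare `tcpdump` listens on the first interface it finds, which need not be ppp0; and note that a ping issued on the gateway itself is sourced from the ppp0 address, which lies outside `leftsubnet`, unless `leftsourceip=192.168.124.1` is set in the conn or `ping -I 192.168.124.1` is used, so such a packet will not match the IPsec policy regardless of the NAT rules.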