[Openswan Users] Openswan AND fortigate 60b Vs Iptables
Ing. Rodrigo Fernandez
rfernandez_net at yahoo.com.mx
Thu Jul 1 00:06:33 EDT 2010
Hello pals!!
Since I finally got more stability in my tunnel with the new release of openswan, I ran into a new "curious thing". See, with these rules:
# allow IPsec
# IKE negotiations
iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.9.201.0/24 -d ! 10.0.254.0/24 -j MASQUERADE
sysctl -p:
net.ipv4.ip_forward = 1
and a little bit of my ipsec tunnel conf:
left=mydndns1
leftid=192.9.201.254
leftnexthop=192.9.201.254
leftsubnet=192.9.201.0/24
right=myfortinetdyndns2
rightid=%any
rightnexthop=10.0.254.254
rightsubnet=10.0.254.0/24
With these sample rules I get this scenario:
hosts behind my Linux firewall (it is the gateway and has ipsec installed directly): can ping across the tunnel and get responses
hosts behind the fortigate 60b: can ping across the tunnel
my Linux firewall: can't ping anything across the tunnel
my fortigate router: can't ping anything across the tunnel
I'm thinking that I need a firewall rule but I don't know how to write it. Any idea? I tried these, but without success:
iptables -A FORWARD -s 192.9.201.0/24 -d 10.0.254.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.254.0/24 -d 192.9.201.0/24 -j ACCEPT
iptables -A INPUT -s 192.9.201.0/24 -d 10.0.254.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.254.0/24 -d 192.9.201.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.9.201.0/24 -d 10.0.254.0/24 -j ACCEPT
iptables -A OUTPUT -s 10.0.254.0/24 -d 192.9.201.0/24 -j ACCEPT
any help will be much appreciated, thank you!
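As an added example, not part of the original post and not Openswan project code, the following POSIX shell function emits the complete iptables rule set a Linux gateway needs for a net-to-net IPsec tunnel like the one above: IKE and ESP to and from the gateway itself, FORWARD rules for the decrypted LAN-to-LAN traffic, and a MASQUERADE rule that leaves tunnel traffic untouched. It goes slightly beyond the post by also allowing UDP 4500 (NAT-Traversal), which IKE falls back to when a NAT sits between the peers. The WAN interface, the two subnets and the iptables command are parameters; the values ppp0, 192.9.201.0/24 and 10.0.254.0/24 are taken from the post, and IPT defaults to "echo" so that running the script only prints the rules (a dry run) unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate the iptables rules for
# a net-to-net IPsec tunnel. IPT defaults to "echo" so the function prints the
# rules instead of installing them; set IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo}"

# ipsec_rules WAN_IF LOCAL_NET REMOTE_NET
# Rules are appended (-A); they must end up before any final DROP/REJECT rule in
# the chain, so on a firewall that already has one use -I or place these first.
ipsec_rules() {
    wan="$1"; local_net="$2"; remote_net="$3"

    # IKE (UDP 500) and NAT-Traversal (UDP 4500) terminate on the gateway, so
    # they go through INPUT/OUTPUT. Matching only --dport keeps working when the
    # peer is behind NAT and its source port is rewritten.
    $IPT -A INPUT  -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT  -p udp --dport 4500 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 500  -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 4500 -j ACCEPT

    # ESP (IP protocol 50) carries the encrypted payload between the gateways.
    $IPT -A INPUT  -p 50 -j ACCEPT
    $IPT -A OUTPUT -p 50 -j ACCEPT

    # After decryption the LAN-to-LAN packets are routed, so they traverse
    # FORWARD. INPUT/OUTPUT rules for these subnets only matter for packets the
    # gateway itself sends or receives.
    $IPT -A FORWARD -s "$local_net" -d "$remote_net" -j ACCEPT
    $IPT -A FORWARD -s "$remote_net" -d "$local_net" -j ACCEPT

    # Do not masquerade traffic destined for the remote LAN: if its source were
    # rewritten to the WAN address it would no longer match the IPsec policy
    # (local_net -> remote_net). Modern "! -d" syntax; older iptables accepted
    # "-d !" as in the post.
    $IPT -t nat -A POSTROUTING -o "$wan" -s "$local_net" ! -d "$remote_net" -j MASQUERADE
}

# Dry run with the addresses from the post (constructed sample parameters).
ipsec_rules ppp0 192.9.201.0/24 10.0.254.0/24
```

The FORWARD rules only affect transit traffic. A packet the gateway originates itself is selected for the tunnel only when its source address falls inside the local subnet of the policy, so a connectivity test from the gateway is normally sent with a LAN source address (for example `ping -I 192.9.201.254 10.0.254.1`) rather than letting the kernel pick the WAN address.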