[Openswan Users] Openswan AND fortigate 60b Vs Iptables

Ing. Rodrigo Fernandez rfernandez_net at yahoo.com.mx
Thu Jul 1 00:06:33 EDT 2010

Hello pals!!


Since I finally got more stability in my tunnel with the new release of openswan, I
ran into a new "curious thing". See, with these rules:


# allow IPsec

# IKE negotiations

iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT

iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

# ESP encryption and authentication

iptables -I INPUT  -p 50 -j ACCEPT

iptables -I OUTPUT -p 50 -j ACCEPT


/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s -d ! -j MASQUERADE


sysctl -p:


net.ipv4.ip_forward = 1


and a little bit of the conf of my ipsec tunnel:











with these sample rules I get this scenario:


hosts behind my linux firewall (it is the gateway and has ipsec installed
directly): can ping across the tunnel and get responses

hosts behind fortigate 60b: can ping across the tunnel

my linux firewall: can't ping anything across the tunnel

my fortigate router: can't ping anything across the tunnel


I'm thinking that I need a firewall rule but I don't know how to write it,
any idea? I tried this one but without success:


iptables -A FORWARD -s -d -j ACCEPT

iptables -A FORWARD -s -d -j ACCEPT

iptables -A INPUT -s -d -j ACCEPT

iptables -A INPUT  -s -d -j ACCEPT

iptables -A OUTPUT -s -d -j ACCEPT

iptables -A OUTPUT -s -d -j ACCEPT


Any help will be much appreciated, thank you!
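An added example (not the poster's rules or anything from Openswan itself) of the rule set this kind of gateway usually needs, as a script that prints the iptables commands so they can be reviewed before being piped to sh. The subnets and interface are placeholders; it assumes the kernel's xt_policy match is available. The key point is the nat-table ACCEPT for packets that will be encrypted, placed before MASQUERADE, so LAN traffic bound for the tunnel is not rewritten to the ppp0 address. Note that the gateway's own pings originate from its ppp0 address, which is outside the LAN-to-LAN selectors of the SA; Openswan's leftsourceip= option exists to source them from the LAN side instead.

```shell
#!/bin/sh
# Added example: generate iptables rules for a Linux gateway that terminates
# IPsec (Openswan/NETKEY) and masquerades everything else out of ppp0.
# Placeholder values; override via the environment before running.
WAN_IF="${WAN_IF:-ppp0}"
LEFT_SUBNET="${LEFT_SUBNET:-192.0.2.0/24}"        # LAN behind this gateway (placeholder)
RIGHT_SUBNET="${RIGHT_SUBNET:-198.51.100.0/24}"   # LAN behind the FortiGate (placeholder)

ipsec_rules() {
    # IKE (UDP 500) and NAT-T (UDP 4500) for the negotiation itself.
    echo "iptables -I INPUT  -p udp --dport 500  -j ACCEPT"
    echo "iptables -I INPUT  -p udp --dport 4500 -j ACCEPT"
    # ESP carries the encrypted payload (protocol 50).
    echo "iptables -I INPUT  -p esp -j ACCEPT"
    echo "iptables -I OUTPUT -p esp -j ACCEPT"
    # Decrypted LAN-to-LAN traffic crosses FORWARD in cleartext; -m policy
    # restricts the ACCEPT to packets that really arrived in / will leave in an SA.
    echo "iptables -A FORWARD -s $RIGHT_SUBNET -d $LEFT_SUBNET  -m policy --dir in  --pol ipsec -j ACCEPT"
    echo "iptables -A FORWARD -s $LEFT_SUBNET  -d $RIGHT_SUBNET -m policy --dir out --pol ipsec -j ACCEPT"
    # Packets that will be encrypted must bypass MASQUERADE, otherwise their
    # source becomes the ppp0 address and no longer matches the SA selectors.
    # This rule has to come before the MASQUERADE rule.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -m policy --dir out --pol ipsec -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LEFT_SUBNET -j MASQUERADE"
}

# Sanity check: the IPsec bypass must precede MASQUERADE in the nat table.
nat_order_ok() {
    ipsec_rules | grep -n 'POSTROUTING' | awk -F: '
        /--pol ipsec/ { bypass = $1 }
        /MASQUERADE/  { masq = $1 }
        END { exit !(bypass && masq && bypass < masq) }'
}

# Print the rules; apply with: sh this_script.sh | sh
ipsec_rules
```

Run it once with `ipsec_rules | sh` after `sysctl -w net.ipv4.ip_forward=1`; `nat_order_ok` returns success only when the bypass rule is listed ahead of MASQUERADE.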
