[Openswan Users] Openswan AND fortigate 60b Vs Iptables
Erich Titl
erich.titl at think.ch
Thu Jul 1 02:05:24 EDT 2010
Hi
at 01.07.2010 06:06, Ing. Rodrigo Fernandez wrote:
> Hello pals!!
>
> Since I finally got more stability in my tunnel with the new release of
> openswan, I ran into a new “curious thing”; see with these rules:
>
> # allow IPsec
> # IKE negotiations
> iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> # ESP encryption and authentication
> iptables -I INPUT -p 50 -j ACCEPT
> iptables -I OUTPUT -p 50 -j ACCEPT
>
> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.9.201.0/24 ! -d 10.0.254.0/24 -j MASQUERADE
>
> sysctl -p:
>
> net.ipv4.ip_forward = 1
>
> and a little bit of my conf of the ipsec tunnel:
>
> left=mydndns1
> leftid=192.9.201.254
> leftnexthop=192.9.201.254
> leftsubnet=192.9.201.0/24
> right=myfortinetdyndns2
> rightid=%any
> rightnexthop=10.0.254.254
> rightsubnet=10.0.254.0/24
>
> with these sample rules I got this scenario:
>
> hosts behind my linux firewall (it is the gateway and has IPsec
> installed directly): can ping across the tunnel with responses
> hosts behind fortigate 60b: can ping across the tunnel
> my linux firewall: can't ping anything across the tunnel
> my fortigate router: can't ping anything across the tunnel
>
> I'm thinking that I need a firewall rule but I don't know how to perform
> it, any idea?
You need a bit more specific routing, see
http://www.av8n.com/security/iproute2.htm
cheers
Erich
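The script below is an added example, not code from either poster or from the Openswan project. It collects the firewall rules from the question into a reviewable script and adds the "more specific routing" Erich points at: a route that makes packets the gateway itself originates towards the FortiGate's subnet carry the gateway's LAN address (192.9.201.254, inside leftsubnet) rather than the ppp0 address, so they match the IPsec policy instead of leaving in the clear. The interface name, subnets and addresses are taken from the poster's config; the `src` route itself, the UDP/4500 NAT-T rule and the `check_gateway_source` helper are assumptions for illustration. `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: Openswan gateway side of the tunnel from the thread.
# Assumed layout (from the poster's config): ppp0 is the WAN link,
# 192.9.201.0/24 is leftsubnet, 192.9.201.254 the gateway's LAN address,
# 10.0.254.0/24 is rightsubnet behind the FortiGate.
WAN_IF=${WAN_IF:-ppp0}
LOCAL_NET=${LOCAL_NET:-192.9.201.0/24}
LOCAL_GW=${LOCAL_GW:-192.9.201.254}
REMOTE_NET=${REMOTE_NET:-10.0.254.0/24}

# run: execute a command, or only print it when DRY_RUN is set, so the
# rule set can be reviewed (and tested) without root or a real ppp0.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# ipsec_firewall_rules: the ACCEPT rules from the post, plus UDP/4500 for
# NAT-T (assumed; needed only if a NAT sits between the peers), and the
# MASQUERADE rule written with the "! -d" form that current iptables expects.
ipsec_firewall_rules() {
    for port in 500 4500; do
        run iptables -I INPUT  -i "$WAN_IF" -p udp --dport "$port" -j ACCEPT
        run iptables -I OUTPUT -o "$WAN_IF" -p udp --sport "$port" -j ACCEPT
    done
    run iptables -I INPUT  -i "$WAN_IF" -p esp -j ACCEPT
    run iptables -I OUTPUT -o "$WAN_IF" -p esp -j ACCEPT
    # Tunnel traffic must not be masqueraded: it has to leave with a source
    # inside leftsubnet, or the IPsec policy will not match it.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" ! -d "$REMOTE_NET" -j MASQUERADE
}

# gateway_source_route (assumed fix): pin the source address the gateway uses
# for its own packets to the far subnet, so they fall inside leftsubnet.
gateway_source_route() {
    run ip route replace "$REMOTE_NET" dev "$WAN_IF" src "$LOCAL_GW"
}

# ip4_to_int: dotted-quad IPv4 address -> integer (pure POSIX sh).
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# addr_in_cidr ADDR CIDR: exit 0 when ADDR lies inside CIDR (a bare address
# is treated as /32).
addr_in_cidr() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    bits=${2#*/}
    mask=$(( ((1 << bits) - 1) << (32 - bits) ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# check_gateway_source: ask the kernel which source address it would pick for
# a gateway-originated packet to REMOTE_NET and report whether that address is
# inside LOCAL_NET (exit 0) or outside it (exit 1, the symptom in the thread).
check_gateway_source() {
    target=${REMOTE_NET%/*}
    src=$(ip route get "$target" 2>/dev/null | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$src" ] || { echo "no route to $target" >&2; return 2; }
    if addr_in_cidr "$src" "$LOCAL_NET"; then
        echo "gateway uses $src for $REMOTE_NET: inside $LOCAL_NET, tunnel policy matches"
    else
        echo "gateway uses $src for $REMOTE_NET: outside $LOCAL_NET, add a src route"
        return 1
    fi
}

# Usage: sh tunnel-fw.sh apply      (or DRY_RUN=1 sh tunnel-fw.sh apply)
case ${1:-} in
    apply) ipsec_firewall_rules; gateway_source_route; check_gateway_source ;;
esac
```

`check_gateway_source` is the quick diagnosis for the "hosts behind the firewall work, the firewall itself does not" symptom: if `ip route get` reports a `src` on the ppp0 side, the gateway's own pings never enter the tunnel, while forwarded traffic from 192.9.201.0/24 does. The same reasoning applies on the FortiGate, whose own management address has to fall inside the subnet it negotiates.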