[Openswan Users] Old user having troubles with new techniques
Willie Gillespie
wgillespie+openswan at es2eng.com
Mon Jun 28 14:44:30 EDT 2010
Larry Brown wrote:
> So I am able to create the tunnel from the roadwarrior successfully. I
> send out a ping from the roadwarrior to the 172.16.0.4 server with no
> response. Sniffing traffic on the roadwarrior gateway I can see the
> packets source 192.168.2.1 destination 10.45.212.71 as ESP packets. On
> the Office gateway I can see the ESP packets from 10.45.212.101
> arriving. Imediately after those packets I see the ICMP packet from
> 192.168.2.1 destination 172.16.0.4 on eth0 (external interface). I do
> not see a packet on eth1 of that gateway bound for 172.16.0.4. There is
> no firewall enabled.
Sounds like your IPsec tunnel is working properly. Are you sure there
is no firewall on your office gateway (10.45.212.71)?
/proc/sys/net/ipv4/ip_forward needs to be 1, which I'm sure it is if
it's acting as a NAT. Is there an iptables rule which is allowing
packets from 192.168.2.1 to get through to 172.16.0.4?
Perhaps something like this?
-A FORWARD -i eth0 -o eth1 -m policy --pol ipsec --dir in -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
If you truly don't have a firewall on your gateway, then I'm not exactly
sure what's going on.
Willie
More information about the Users
mailing list