[Openswan Users] can ping from one side of tunnel but not from the other

matt.bazan at comcast.net matt.bazan at comcast.net
Thu Nov 18 20:12:31 EST 2010


Holy F!  I restarted openswan on both boxes (after adding esp and ah back to both iptables rulesets) and the tunnel came up!  Thanks Willie, I owe you a beer.

..not sure what caused openswan to take a 'dive', but the fact that I needed to restart it causes me to doubt the integrity of the tunnel..

-m
----- "matt bazan" <matt.bazan at comcast.net> wrote:

> Ahhh.. I just did an iptables -L listing again and those esp/ah/isakmp
> lines are not there.  Do they only show up when the tunnel is active
> for some reason?
> 
> Also, now when I try to ping from the right hand side (which was
> working) I'm getting:
> 
> 'ping: sendmsg: Operation not permitted'  say what?!
> 
> Is openswan always this tough to get running?  thx-
> ----- "Willie Gillespie" <wgillespie+openswan at es2eng.com> wrote:
> 
> > Your packet filter on openswan-right is dropping protocol 50 (ESP)
> > packets.
> >
> > Notice on "ubuntuFW" that you have:
> > ACCEPT     esp  --  anywhere             anywhere
> > ACCEPT     ah   --  anywhere             anywhere
> >
> > I don't see that on "ellis"
> >
> > matt.bazan at comcast.net wrote:
> > > here are the relevant details:
> > >
> > > RIGHT HAND SIDE:
> > >
> > > openswan-right at ellis:~$ sudo ipsec verify
> > > Checking your system to see if IPsec got installed and started
> > correctly:
> > > Version check and ipsec on-path                             	[OK]
> > > Linux Openswan U2.6.23/K2.6.32-24-server (netkey)
> > > Checking for IPsec support in kernel                        	[OK]
> > > NETKEY detected, testing for disabled ICMP send_redirects
> > [FAILED]
> > >
> > >   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> > >   or NETKEY will cause the sending of bogus ICMP redirects!
> > >
> > > NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
> > > Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
> > > Checking that pluto is running                              	[OK]
> > > Pluto listening for IKE on udp 500                          	[OK]
> > > Pluto listening for NAT-T on udp 4500                       	[OK]
> > > Two or more interfaces found, checking IP forwarding        	[OK]
> > > Checking NAT and MASQUERADEing
> > > Checking for 'ip' command                                   	[OK]
> > > Checking for 'iptables' command                             	[OK]
> > > Opportunistic Encryption Support
> > [DISABLED]
> > >
> > >
> >
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > openswan-right at ellis:~$ sudo iptables -L
> > > Chain INPUT (policy DROP)
> > > target     prot opt source               destination
> > > ufw-before-logging-input  all  --  anywhere             anywhere
> >
> > > ufw-before-input  all  --  anywhere             anywhere
> >
> > > ufw-after-input  all  --  anywhere             anywhere
> > > ufw-after-logging-input  all  --  anywhere             anywhere
> >
> > > ufw-reject-input  all  --  anywhere             anywhere
> >
> > > ufw-track-input  all  --  anywhere             anywhere
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > > ufw-before-logging-forward  all  --  anywhere             anywhere
> >
> > > ufw-before-forward  all  --  anywhere             anywhere
> >
> > > ufw-after-forward  all  --  anywhere             anywhere
> >
> > > ufw-after-logging-forward  all  --  anywhere             anywhere
> >
> > > ufw-reject-forward  all  --  anywhere             anywhere
> >
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > ufw-before-logging-output  all  --  anywhere             anywhere
> >
> > > ufw-before-output  all  --  anywhere             anywhere
> >
> > > ufw-after-output  all  --  anywhere             anywhere
> >
> > > ufw-after-logging-output  all  --  anywhere             anywhere
> >
> > > ufw-reject-output  all  --  anywhere             anywhere
> >
> > > ufw-track-output  all  --  anywhere             anywhere
> >
> > >
> > > Chain ufw-after-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-after-input (1 references)
> > > target     prot opt source               destination
> > > ufw-skip-to-policy-input  udp  --  anywhere             anywhere
> >        udp dpt:netbios-ns
> > > ufw-skip-to-policy-input  udp  --  anywhere             anywhere
> >        udp dpt:netbios-dgm
> > > ufw-skip-to-policy-input  tcp  --  anywhere             anywhere
> >        tcp dpt:netbios-ssn
> > > ufw-skip-to-policy-input  tcp  --  anywhere             anywhere
> >        tcp dpt:microsoft-ds
> > > ufw-skip-to-policy-input  udp  --  anywhere             anywhere
> >        udp dpt:bootps
> > > ufw-skip-to-policy-input  udp  --  anywhere             anywhere
> >        udp dpt:bootpc
> > > ufw-skip-to-policy-input  all  --  anywhere             anywhere
> >        ADDRTYPE match dst-type BROADCAST
> > >
> > > Chain ufw-after-logging-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-after-logging-input (1 references)
> > > target     prot opt source               destination
> > > LOG        all  --  anywhere             anywhere           
> limit:
> > avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
> > >
> > > Chain ufw-after-logging-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-after-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-forward (1 references)
> > > target     prot opt source               destination
> > > ufw-user-forward  all  --  anywhere             anywhere
> >
> > >
> > > Chain ufw-before-input (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > > ACCEPT     all  --  anywhere             anywhere            state
> > RELATED,ESTABLISHED
> > > ufw-logging-deny  all  --  anywhere             anywhere
> > state INVALID
> > > DROP       all  --  anywhere             anywhere            state
> > INVALID
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > destination-unreachable
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > source-quench
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > time-exceeded
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > parameter-problem
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > echo-request
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > spt:bootps dpt:bootpc
> > > ufw-not-local  all  --  anywhere             anywhere
> > > ACCEPT     all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> > > ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
> > > ufw-user-input  all  --  anywhere             anywhere
> > >
> > > Chain ufw-before-logging-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-logging-input (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-logging-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-output (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > > ACCEPT     all  --  anywhere             anywhere            state
> > RELATED,ESTABLISHED
> > > ufw-user-output  all  --  anywhere             anywhere
> > >
> > > Chain ufw-logging-allow (0 references)
> > > target     prot opt source               destination
> > > LOG        all  --  anywhere             anywhere           
> limit:
> > avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '
> > >
> > > Chain ufw-logging-deny (2 references)
> > > target     prot opt source               destination
> > > RETURN     all  --  anywhere             anywhere            state
> > INVALID limit: avg 3/min burst 10
> > > LOG        all  --  anywhere             anywhere           
> limit:
> > avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
> > >
> > > Chain ufw-not-local (1 references)
> > > target     prot opt source               destination
> > > RETURN     all  --  anywhere             anywhere
> > ADDRTYPE match dst-type LOCAL
> > > RETURN     all  --  anywhere             anywhere
> > ADDRTYPE match dst-type MULTICAST
> > > RETURN     all  --  anywhere             anywhere
> > ADDRTYPE match dst-type BROADCAST
> > > ufw-logging-deny  all  --  anywhere             anywhere
> > limit: avg 3/min burst 10
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain ufw-reject-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-reject-input (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-reject-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-skip-to-policy-forward (0 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain ufw-skip-to-policy-input (7 references)
> > > target     prot opt source               destination
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain ufw-skip-to-policy-output (0 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain ufw-track-input (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-track-output (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     tcp  --  anywhere             anywhere            state
> > NEW
> > > ACCEPT     udp  --  anywhere             anywhere            state
> > NEW
> > >
> > > Chain ufw-user-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-user-input (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     tcp  --  anywhere             anywhere            tcp
> > dpt:ssh
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:ssh
> > > ACCEPT     tcp  --  anywhere             anywhere            tcp
> > dpt:22022
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:22022
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:isakmp
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:4500
> > >
> > > Chain ufw-user-limit (0 references)
> > > target     prot opt source               destination
> > > LOG        all  --  anywhere             anywhere           
> limit:
> > avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
> > > REJECT     all  --  anywhere             anywhere
> > reject-with icmp-port-unreachable
> > >
> > > Chain ufw-user-limit-accept (0 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain ufw-user-logging-forward (0 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-user-logging-input (0 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-user-logging-output (0 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-user-output (1 references)
> > > target     prot opt source               destination
> > >
> > >
> >
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > openswan-right at ellis:~$ sudo ufw status
> > > Status: active
> > >
> > > To                         Action      From
> > > --                         ------      ----
> > > 22                         ALLOW       Anywhere
> > > 22022                      ALLOW       Anywhere
> > > 500/udp                    ALLOW       Anywhere
> > > 4500/udp                   ALLOW       Anywhere
> > >
> > >
> >
> ******************************************************************************************************************************
> > >
> > > LEFT HAND SIDE:
> > >
> > > openswan-left at ubuntuFW:~$ sudo ipsec verify
> > > Checking your system to see if IPsec got installed and started
> > correctly:
> > > Version check and ipsec on-path                             	[OK]
> > > Linux Openswan U2.6.22/K2.6.31-14-server (netkey)
> > > Checking for IPsec support in kernel                        	[OK]
> > > NETKEY detected, testing for disabled ICMP send_redirects
> > [FAILED]
> > >
> > >   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> > >   or NETKEY will cause the sending of bogus ICMP redirects!
> > >
> > > NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
> > > Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
> > > Checking that pluto is running                              	[OK]
> > > Two or more interfaces found, checking IP forwarding        	[OK]
> > > Checking NAT and MASQUERADEing
> > > Checking for 'ip' command                                   	[OK]
> > > Checking for 'iptables' command                             	[OK]
> > > Opportunistic Encryption Support
> > [DISABLED]
> > >
> > >
> >
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > > openswan-left at ubuntuFW:~$ sudo iptables -L
> > > Chain INPUT (policy DROP)
> > > target     prot opt source               destination
> > > AS0_ACCEPT  all  --  anywhere             anywhere           
> state
> > RELATED,ESTABLISHED
> > > AS0_ACCEPT  all  --  anywhere             anywhere
> > > AS0_IN_PRE  all  --  anywhere             anywhere            mark
> > match 0x2000000/0x2000000
> > > AS0_ACCEPT  tcp  --  anywhere
> > adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:915
> > > AS0_ACCEPT  tcp  --  anywhere
> > adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:914
> > > AS0_ACCEPT  udp  --  anywhere
> > adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW udp dpt:917
> > > AS0_ACCEPT  udp  --  anywhere
> > adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW udp dpt:916
> > > AS0_WEBACCEPT  all  --  anywhere             anywhere
> > state RELATED,ESTABLISHED
> > > AS0_WEBACCEPT  tcp  --  anywhere
> > adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:943
> > > ufw-before-logging-input  all  --  anywhere             anywhere
> >
> > > ufw-before-input  all  --  anywhere             anywhere
> >
> > > ufw-after-input  all  --  anywhere             anywhere
> > > ufw-after-logging-input  all  --  anywhere             anywhere
> >
> > > ufw-reject-input  all  --  anywhere             anywhere
> >
> > > ufw-track-input  all  --  anywhere             anywhere
> > > ACCEPT     esp  --  anywhere             anywhere
> > > ACCEPT     ah   --  anywhere             anywhere
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:isakmp
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:4500
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > > AS0_ACCEPT  all  --  anywhere             anywhere           
> state
> > RELATED,ESTABLISHED
> > > AS0_IN_PRE  all  --  anywhere             anywhere            mark
> > match 0x2000000/0x2000000
> > > AS0_OUT_S2C  all  --  anywhere             anywhere
> > > ufw-before-logging-forward  all  --  anywhere             anywhere
> >
> > > ufw-before-forward  all  --  anywhere             anywhere
> >
> > > ufw-after-forward  all  --  anywhere             anywhere
> >
> > > ufw-after-logging-forward  all  --  anywhere             anywhere
> >
> > > ufw-reject-forward  all  --  anywhere             anywhere
> >
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > AS0_OUT_LOCAL  all  --  anywhere             anywhere
> > > ufw-before-logging-output  all  --  anywhere             anywhere
> >
> > > ufw-before-output  all  --  anywhere             anywhere
> >
> > > ufw-after-output  all  --  anywhere             anywhere
> >
> > > ufw-after-logging-output  all  --  anywhere             anywhere
> >
> > > ufw-reject-output  all  --  anywhere             anywhere
> >
> > > ufw-track-output  all  --  anywhere             anywhere
> >
> > >
> > > Chain AS0_ACCEPT (7 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain AS0_IN (7 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             5.5.0.1
> > > ACCEPT     all  --  anywhere             5.5.12.1
> > > ACCEPT     all  --  anywhere             5.5.4.1
> > > ACCEPT     all  --  anywhere             5.5.8.1
> > > ACCEPT     all  --  anywhere             192.168.0.0/16
> > > ACCEPT     all  --  anywhere             10.0.0.0/8
> > > ACCEPT     all  --  anywhere             172.16.0.0/12
> > > AS0_IN_POST  all  --  anywhere             anywhere
> > >
> > > Chain AS0_IN_POST (1 references)
> > > target     prot opt source               destination
> > > AS0_OUT    all  --  anywhere             anywhere
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain AS0_IN_PRE (2 references)
> > > target     prot opt source               destination
> > > AS0_IN     all  --  anywhere             5.5.4.0/22
> > > AS0_IN     all  --  anywhere             5.5.0.0/22
> > > AS0_IN     all  --  anywhere             5.5.12.0/22
> > > AS0_IN     all  --  anywhere             5.5.8.0/22
> > > AS0_IN     all  --  anywhere             172.16.0.0/12
> > > AS0_IN     all  --  anywhere             192.168.0.0/16
> > > AS0_IN     all  --  anywhere             10.0.0.0/8
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain AS0_OUT (2 references)
> > > target     prot opt source               destination
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain AS0_OUT_LOCAL (1 references)
> > > target     prot opt source               destination
> > > DROP       icmp --  anywhere             anywhere            icmp
> > redirect
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain AS0_OUT_S2C (1 references)
> > > target     prot opt source               destination
> > > AS0_OUT    all  --  anywhere             anywhere
> > >
> > > Chain AS0_WEBACCEPT (2 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain ufw-after-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-after-input (1 references)
> > > target     prot opt source               destination
> > > RETURN     udp  --  anywhere             anywhere            udp
> > dpt:netbios-ns
> > > RETURN     udp  --  anywhere             anywhere            udp
> > dpt:netbios-dgm
> > > RETURN     tcp  --  anywhere             anywhere            tcp
> > dpt:netbios-ssn
> > > RETURN     tcp  --  anywhere             anywhere            tcp
> > dpt:microsoft-ds
> > > RETURN     udp  --  anywhere             anywhere            udp
> > dpt:bootps
> > > RETURN     udp  --  anywhere             anywhere            udp
> > dpt:bootpc
> > > RETURN     all  --  anywhere             anywhere
> > ADDRTYPE match dst-type BROADCAST
> > >
> > > Chain ufw-after-logging-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-after-logging-input (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-after-logging-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-after-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-forward (1 references)
> > > target     prot opt source               destination
> > > ufw-user-forward  all  --  anywhere             anywhere
> >
> > >
> > > Chain ufw-before-input (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > > ACCEPT     all  --  anywhere             anywhere            state
> > RELATED,ESTABLISHED
> > > ufw-logging-deny  all  --  anywhere             anywhere
> > state INVALID
> > > DROP       all  --  anywhere             anywhere            state
> > INVALID
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > destination-unreachable
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > source-quench
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > time-exceeded
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > parameter-problem
> > > ACCEPT     icmp --  anywhere             anywhere            icmp
> > echo-request
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > spt:bootps dpt:bootpc
> > > ufw-not-local  all  --  anywhere             anywhere
> > > ACCEPT     all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> > > ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
> > > ufw-user-input  all  --  anywhere             anywhere
> > >
> > > Chain ufw-before-logging-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-logging-input (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-logging-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-before-output (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > > ACCEPT     all  --  anywhere             anywhere            state
> > RELATED,ESTABLISHED
> > > ufw-user-output  all  --  anywhere             anywhere
> > >
> > > Chain ufw-logging-allow (0 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-logging-deny (2 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-not-local (1 references)
> > > target     prot opt source               destination
> > > RETURN     all  --  anywhere             anywhere
> > ADDRTYPE match dst-type LOCAL
> > > RETURN     all  --  anywhere             anywhere
> > ADDRTYPE match dst-type MULTICAST
> > > RETURN     all  --  anywhere             anywhere
> > ADDRTYPE match dst-type BROADCAST
> > > ufw-logging-deny  all  --  anywhere             anywhere
> > limit: avg 3/min burst 10
> > > DROP       all  --  anywhere             anywhere
> > >
> > > Chain ufw-reject-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-reject-input (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-reject-output (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-track-input (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-track-output (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     tcp  --  anywhere             anywhere            state
> > NEW
> > > ACCEPT     udp  --  anywhere             anywhere            state
> > NEW
> > >
> > > Chain ufw-user-forward (1 references)
> > > target     prot opt source               destination
> > >
> > > Chain ufw-user-input (1 references)
> > > target     prot opt source               destination
> > > ACCEPT     tcp  --  anywhere             anywhere            tcp
> > dpt:ssh
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:ssh
> > > ACCEPT     all  --  192.168.0.0/24       anywhere
> > > ACCEPT     all  --  10.0.0.0/24          anywhere
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:isakmp
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:4500
> > > ACCEPT     tcp  --  anywhere             anywhere            tcp
> > dpt:re-mail-ck
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:re-mail-ck
> > > ACCEPT     tcp  --  anywhere             anywhere            tcp
> > dpt:1723
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:1723
> > > ACCEPT     tcp  --  anywhere             anywhere            tcp
> > dpt:openvpn
> > > ACCEPT     udp  --  anywhere             anywhere            udp
> > dpt:openvpn
> > >
> > > Chain ufw-user-limit (0 references)
> > > target     prot opt source               destination
> > > LOG        all  --  anywhere             anywhere           
> limit:
> > avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
> > > REJECT     all  --  anywhere             anywhere
> > reject-with icmp-port-unreachable
> > >
> > > Chain ufw-user-limit-accept (0 references)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain ufw-user-logging-forward (0 references)
> > > target     prot opt source               destination
> > > RETURN     all  --  anywhere             anywhere
> > >
> > > Chain ufw-user-logging-input (0 references)
> > > target     prot opt source               destination
> > > RETURN     all  --  anywhere             anywhere
> > >
> > > Chain ufw-user-logging-output (0 references)
> > > target     prot opt source               destination
> > > RETURN     all  --  anywhere             anywhere
> > >
> > > Chain ufw-user-output (1 references)
> > > target     prot opt source               destination
> > >
> > >
> >
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > >
> > > openswan-left at ubuntuFW:~$ sudo ufw status
> > > Status: active
> > >
> > > To                         Action      From
> > > --                         ------      ----
> > > 22                         ALLOW       Anywhere
> > > Anywhere                   ALLOW       192.168.0.0/24
> > > Anywhere                   ALLOW       10.0.0.0/24
> > > 500/udp                    ALLOW       Anywhere
> > > 4500/udp                   ALLOW       Anywhere
> > > 50                         ALLOW       Anywhere
> > > 1723                       ALLOW       Anywhere
> > > 1194                       ALLOW       Anywhere
> > >
> > >
> > >
> > > thx,
> > > matt
> > > ----- "Randy Wyatt" <rwyatt at nvtl.com> wrote:
> > >
> > >> Have you run ipsec verify?
> > >>
> > >> Do you have forwarding enabled?
> > >>
> > >> What iptables rules are you using?
> > >>
> > >> Regards,
> > >> Randy
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: users-bounces at openswan.org on behalf of
> > matt.bazan at comcast.net
> > >> Sent: Wed 11/17/2010 9:14 PM
> > >> To: users at openswan.org
> > >> Subject: [Openswan Users] can ping from one side of tunnel but
> not
> > >> from theother
> > >>
> > >> Have a basic left hand side/right hand side tunnel. I can ping from
> > >> the right hand side LAN IP of the firewall running openswan (not behind
> > >> a NAT device) to the left hand side LAN IP of the openswan server (again, not
> > >> behind a NAT device) but am unable to ping from the left hand LAN to the right
> > >> hand LAN. Using UFW for firewall setup and both sides have the same rule
> > >> sets. Have verified ipsec.conf config. What could I be missing?
> > >> According to the logs the tunnel is up on both ends (ping wouldn't work from
> > >> either side if this were the case, correct?) thx-
> > >>
> > >> -m
> > >> _______________________________________________
> > >> Users at openswan.org
> > >> http://lists.openswan.org/mailman/listinfo/users
> > >> Micropayments:
> > >> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > >> Building and Integrating Virtual Private Networks with Openswan:
> > >>
> >
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

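Willie's diagnosis turns on one detail of the quoted listings: ubuntuFW's INPUT chain ends with `ACCEPT esp` and `ACCEPT ah` lines, while ellis only accepts udp/500 (isakmp) and udp/4500. IKE therefore negotiates fine in both directions, but the ESP-encapsulated pings arriving at ellis hit the INPUT policy DROP. Two caveats are visible in the same listings. First, the `50 ALLOW Anywhere` entry in ubuntuFW's `ufw status` is not IP protocol 50; it produced the `dpt:re-mail-ck` rules in ufw-user-input (re-mail-ck is TCP/UDP port 50 in /etc/services), while the esp/ah rules that actually matter sit outside the ufw chains, consistent with their having been added by hand with iptables, which would also explain (as an inference, not something the thread states) why they were gone again when Matt re-listed the rules. Second, with the NETKEY stack `ping: sendmsg: Operation not permitted` is the error the kernel returns when an IPsec policy covers the destination but no matching SA is installed, i.e. the tunnel itself is down rather than the packet being filtered; `ip xfrm policy` and `ip xfrm state` show that state directly, which is the check worth making before restarting pluto. The script below is an added example, not code from the thread or from the Openswan project: it audits an `iptables -L` listing for the four INPUT rules an IPsec gateway needs and prints the `/etc/ufw/before.rules` lines for whatever is missing. The sample listings inside it are constructed from the rule shapes quoted above, not copied verbatim.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: audit an
# `iptables -L` listing for the INPUT rules an IPsec (NETKEY) gateway needs.
#   protocol esp (IP proto 50)  - carries the tunnelled traffic itself
#   protocol ah  (IP proto 51)  - only used if AH is negotiated, harmless otherwise
#   udp dpt:isakmp (500)        - IKE
#   udp dpt:4500                - IKE and ESP-in-UDP when NAT-T is in use
# `iptables -L` prints service names from /etc/services where it knows them,
# so both the name and the port number are accepted below.

ipsec_missing_rules() {
    # $1: text of `iptables -L` (or `iptables -L INPUT`) output.
    # Prints the names of the missing rules, space separated, on one line.
    listing=$1
    missing=""
    printf '%s\n' "$listing" | grep -Eq '^ACCEPT +esp ' || missing="$missing esp"
    printf '%s\n' "$listing" | grep -Eq '^ACCEPT +ah '  || missing="$missing ah"
    printf '%s\n' "$listing" | grep -Eq '^ACCEPT +udp .*dpt:(isakmp|500)( |$)' \
        || missing="$missing ike"
    printf '%s\n' "$listing" | grep -Eq '^ACCEPT +udp .*dpt:(ipsec-nat-t|4500)( |$)' \
        || missing="$missing nat-t"
    printf '%s\n' "${missing# }"
}

ipsec_fix_rules() {
    # Prints the /etc/ufw/before.rules lines (they go in the *filter section,
    # before its COMMIT) that add whatever ipsec_missing_rules reports.
    # Keeping them in before.rules rather than typing `iptables -A INPUT ...`
    # means a ufw reload or a reboot does not silently drop them again.
    for rule in $(ipsec_missing_rules "$1"); do
        case $rule in
            esp)   echo '-A ufw-before-input -p esp -j ACCEPT' ;;
            ah)    echo '-A ufw-before-input -p ah -j ACCEPT' ;;
            ike)   echo '-A ufw-before-input -p udp --dport 500 -j ACCEPT' ;;
            nat-t) echo '-A ufw-before-input -p udp --dport 4500 -j ACCEPT' ;;
        esac
    done
}

# Constructed sample listings modelled on the two gateways in the thread;
# only the rules that matter for this check are reproduced.
ELLIS_INPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500'

UBUNTUFW_INPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:re-mail-ck'

echo "ellis missing:    $(ipsec_missing_rules "$ELLIS_INPUT")"       # esp ah
ipsec_fix_rules "$ELLIS_INPUT"
echo "ubuntuFW missing: $(ipsec_missing_rules "$UBUNTUFW_INPUT")"   # (nothing)
# Live use on a gateway: ipsec_missing_rules "$(sudo iptables -L INPUT)"
```

The check looks for explicit rules only: an `ACCEPT all` earlier in the chain would also admit ESP and the script would still report it as missing, so read the result against the full chain. Both `ipsec verify` runs in the thread also flag `send_redirects`; `sysctl -w net.ipv4.conf.all.send_redirects=0` (and the same for `default`) clears that warning, which is unrelated to the drop but stops NETKEY emitting the bogus ICMP redirects the tool warns about.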
