[Openswan Users] IPsec-Setup
Thomas Schweikle
tps at vr-web.de
Wed Apr 13 05:00:49 EDT 2011
Am 13.04.2011 10:52, schrieb Marcus Carlson:
> Hi,
>
> How about iptables -t nat -L? Do you have an ACCEPT rule for the net
> before the MASQ/SNAT rule?
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
I mostly use "iptables-save", because it shows all eventually created
rules, but it's harder to read:
# iptables-save
# Generated by iptables-save v1.4.10 on Wed Apr 13 11:00:10 2011
*mangle
:PREROUTING ACCEPT [452188:72922624]
:INPUT ACCEPT [451992:72904368]
:FORWARD ACCEPT [169:14800]
:OUTPUT ACCEPT [715773:517393530]
:POSTROUTING ACCEPT [715942:517408330]
COMMIT
# Completed on Wed Apr 13 11:00:10 2011
# Generated by iptables-save v1.4.10 on Wed Apr 13 11:00:10 2011
*nat
:PREROUTING ACCEPT [12153:1041665]
:INPUT ACCEPT [12025:1030941]
:OUTPUT ACCEPT [28565:1998693]
:POSTROUTING ACCEPT [28666:2005961]
COMMIT
# Completed on Wed Apr 13 11:00:10 2011
# Generated by iptables-save v1.4.10 on Wed Apr 13 11:00:10 2011
*filter
:INPUT ACCEPT [452001:72904836]
:FORWARD ACCEPT [169:14800]
:OUTPUT ACCEPT [715775:517394610]
COMMIT
# Completed on Wed Apr 13 11:00:10 2011
> Best regards,
> Marcus
>
> 2011-04-13 10:27, Thomas Schweikle skrev:
>> Am 12.04.2011 23:58, schrieb Willie Gillespie:
>>> At this point, let's check two things then:
>>> First: cat /proc/sys/net/ipv4/ip_forward
>>> It should be 1... and probably is.
>> # cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>>> Second: iptables -L
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>>
>> I've listed only one machine, because the other one is identical
>> (and not reachable at the moment).
>>
>> This was one point I checked again and again. But without success.
>> At no point in time had this changed:
>> - no firewall rules, firewall inactive
>> - forwarding active
>>
>> But:
>> - connection between the two gateways
>> - no connection between the two networks
>> - no connection between gateway and the remote network
>>
>> Entering additional routes for single hosts or networks did not help
>> either. I could never make the whole thing route incoming packets to
>> the default router or any host except the gateway itself.
>>
>>
>>> -----Original Message-----
>>> From: "Thomas Schweikle" <tps at vr-web.de>
>>> Sent: Tuesday, April 12, 2011 3:01pm
>>> To: users at lists.openswan.org
>>> Subject: Re: [Openswan Users] IPsec-Setup
>>>
>>> That is what I've read. Adding (left|right)sourceip= again made the
>>> connection gateway/gateway work, but none of the other hosts are
>>> reachable. I could connect two hosts, but not two networks.
>>> Removing the gateway/network network/gateway and gateway/gateway
>>> configs doesn't change anything: I can ping from gateway to gateway,
>>> but not from network to gateway or network to network.
>>>
--
Thomas
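Marcus's question about rule order in the nat POSTROUTING chain can be checked mechanically against an iptables-save dump. The script below is an added example, not part of the thread or of Openswan: it reports whether an ACCEPT exemption for the remote IPsec subnet (as "-d <net>" or as a "-m policy --pol ipsec" match) precedes any MASQUERADE/SNAT rule, and treats a NAT rule written with "! -d <net>" as already safe. The subnet 192.168.2.0/24, the file name nat_order.sh and the sample dumps are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: audits the ordering Marcus asks about.
# In nat POSTROUTING, a rule exempting the remote IPsec subnet (ACCEPT on
# "-d <net>" or on "-m policy --pol ipsec") must precede any MASQUERADE/SNAT
# rule, or tunnel traffic gets source-NATed to the gateway address and no
# longer matches the IPsec policy. Subnet and dumps below are constructed.

# check_nat_order NET   (reads iptables-save text on stdin)
# exit 0: exemption precedes NAT; 1: NAT precedes exemption; 2: no NAT rule
check_nat_order() {
  awk -v net="$1" '
    /^\*/     { table = substr($0, 2); next }      # "*nat", "*filter", ...
    /^COMMIT/ { table = ""; next }
    table == "nat" && /^-A POSTROUTING / {
      target = ""
      for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
      if (target == "ACCEPT" && (index($0, "-d " net) || index($0, "--pol ipsec"))) { exempt = 1 }
      # a NAT rule written with "! -d <net>" already excludes the tunnel itself
      if ((target == "MASQUERADE" || target == "SNAT") && !index($0, "! -d " net)) {
        seen_nat = 1
        if (!exempt) nat_first = 1
      }
    }
    END {
      if (!seen_nat) { print "no conflicting MASQUERADE/SNAT in nat POSTROUTING"; exit 2 }
      if (nat_first) { print "WARN: NAT rule precedes exemption for " net; exit 1 }
      print "OK: exemption for " net " precedes NAT rule"; exit 0
    }'
}

# Constructed dumps in iptables-save format; only the nat table matters here.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 192.168.2.0/24 -j ACCEPT
COMMIT'
SAMPLE_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 192.168.2.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

if [ -n "$1" ]; then
  check_nat_order "$1"   # usage: iptables-save | sh nat_order.sh 192.168.2.0/24
else
  for dump in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    rc=0; printf '%s\n' "$dump" | check_nat_order 192.168.2.0/24 || rc=$?
    echo "exit status $rc"
  done
fi
```

On the dump Thomas posted (empty nat table) the check exits 2, which matches the thread: there is no NAT rule to reorder, so the problem must lie elsewhere.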