[Openswan Users] IPsec-Setup

Thomas Schweikle tps at vr-web.de
Wed Apr 13 05:00:49 EDT 2011


On 13.04.2011 10:52, Marcus Carlson wrote:
> Hi,
> 
> How about iptables -t nat -L? Do you have an ACCEPT rule for the net
> before the MASQ/SNAT rule?

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

I mostly use "iptables-save", because it shows all eventually created
rules, but it's harder to read:
# iptables-save
# Generated by iptables-save v1.4.10 on Wed Apr 13 11:00:10 2011
*mangle
:PREROUTING ACCEPT [452188:72922624]
:INPUT ACCEPT [451992:72904368]
:FORWARD ACCEPT [169:14800]
:OUTPUT ACCEPT [715773:517393530]
:POSTROUTING ACCEPT [715942:517408330]
COMMIT
# Completed on Wed Apr 13 11:00:10 2011
# Generated by iptables-save v1.4.10 on Wed Apr 13 11:00:10 2011
*nat
:PREROUTING ACCEPT [12153:1041665]
:INPUT ACCEPT [12025:1030941]
:OUTPUT ACCEPT [28565:1998693]
:POSTROUTING ACCEPT [28666:2005961]
COMMIT
# Completed on Wed Apr 13 11:00:10 2011
# Generated by iptables-save v1.4.10 on Wed Apr 13 11:00:10 2011
*filter
:INPUT ACCEPT [452001:72904836]
:FORWARD ACCEPT [169:14800]
:OUTPUT ACCEPT [715775:517394610]
COMMIT
# Completed on Wed Apr 13 11:00:10 2011


> Best regards,
> Marcus
> 
> On 2011-04-13 10:27, Thomas Schweikle wrote:
>> On 12.04.2011 23:58, Willie Gillespie wrote:
>>> At this point, let's check two things then:
>>> First: cat /proc/sys/net/ipv4/ip_forward
>>> It should be 1... and probably is.
>> # cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>>> Second: iptables -L
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>>
>> I've listed only one machine, because the other one is identical
>> (and not reachable at the moment).
>>
>> This was one point I checked again and again. But without success.
>> At no point in time had this changed:
>> - no firewall rules, firewall inactive
>> - forwarding active
>>
>> But:
>> - connection between the two gateways
>> - no connection between the two networks
>> - no connection between gateway and the remote network
>>
>> Entering additional routes for single hosts, or a network, did not help
>> either. I could never make the whole thing route incoming packets to
>> the default router or any host except the gateway itself.
>>
>>
>>> -----Original Message-----
>>> From: "Thomas Schweikle" <tps at vr-web.de>
>>> Sent: Tuesday, April 12, 2011 3:01pm
>>> To: users at lists.openswan.org
>>> Subject: Re: [Openswan Users] IPsec-Setup
>>>
>>> That is what I've read. Adding (left|right)sourceip= again made the
>>> connection gateway/gateway work, but not any of the other hosts are
>>> reachable. I could connect two hosts, but not two networks.
>>> Removing the gateway/network network/gateway and gateway/gateway
>>> configs doesn't change anything: I can ping from gateway to gateway,
>>> but not from network to gateway or network to network.
>>>
>>
>>


-- 
Thomas
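Marcus's question above is about rule order in the nat table: a MASQUERADE or SNAT rule that matches the tunnelled traffic before an ACCEPT bypass rewrites the source address, so the packets no longer match the IPsec policy selectors and leave in the clear. The following check, added here and not part of the thread or of Openswan, parses iptables-save output (constructed samples, with assumed subnets 192.168.1.0/24 and 192.168.2.0/24 and interface eth0) and reports whether the ACCEPT bypass for the subnet pair comes before any MASQUERADE/SNAT rule in nat/POSTROUTING.

```python
import ipaddress

# Constructed iptables-save output, not from the thread: MASQUERADE comes
# first, so packets for the remote net are NATed before the IPsec policy
# lookup and no longer match the tunnel's selectors.
BAD_SAVE = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
COMMIT
"""
# Correct order: the ACCEPT bypass precedes MASQUERADE.
GOOD_SAVE = """\
*nat
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def nat_rules(save_text, chain="POSTROUTING"):
    """Option tokens of each rule in the nat table's chain, in file order."""
    rules, table = [], None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith(f"-A {chain} "):
            rules.append(line.split()[2:])
    return rules

def rule_covers(opts, local_net, remote_net):
    """True if the rule's -s/-d selectors (absent = any) cover the whole pair.
    Interface matches such as -o are ignored (assumed to be the WAN side)."""
    for flag, net in (("-s", local_net), ("-d", remote_net)):
        if flag in opts:
            selector = ipaddress.ip_network(opts[flag], strict=False)
            if not ipaddress.ip_network(net).subnet_of(selector):
                return False
    return True

def ipsec_bypass_ok(save_text, local_net, remote_net):
    """First nat/POSTROUTING rule covering local->remote decides the result."""
    for tokens in nat_rules(save_text):
        opts = dict(zip(tokens[::2], tokens[1::2]))  # assumes no "!" negations
        if not rule_covers(opts, local_net, remote_net):
            continue
        target = opts.get("-j")
        if target == "ACCEPT":
            return True, "ACCEPT bypass precedes NAT"
        if target in ("MASQUERADE", "SNAT"):
            return False, f"{target} hits tunnel traffic first: {' '.join(tokens)}"
    return True, "no NAT rule matches the tunnel traffic"
```

Feed it the real `iptables-save` output with `ipsec_bypass_ok(open("/path/to/save").read(), leftsubnet, rightsubnet)`; the empty tables Thomas posted yield the "no NAT rule" result, which rules NAT out as the cause.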
