[Openswan Users] Tunnel Established; Communication only in one direction
Trev Lerks
knicks1208 at yahoo.com
Sat Sep 10 08:39:50 EDT 2011
Hello Users, and I immediately apologize if this has been sent to the wrong distribution list.
Currently I have a tunnel up from OpenSwan to an ASA using Nat-T.
Host A (172.20.1.15) --> OpenSwan --> Internet <-- ASA <-- Host B (192.168.1.2)
What is working:
  - Ping/RDP from Host B to Host A
  - Ping from OpenSwan to Host B

What isn't working:
  - Ping/RDP from Host A to Host B
I seem to be struggling with the iptables setup on the OpenSwan Server, however this is my current setup:
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target      prot opt source      destination

Chain INPUT (policy ACCEPT)
num  target      prot opt source      destination

Chain FORWARD (policy ACCEPT)
num  target      prot opt source      destination
1    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0        state RELATED,ESTABLISHED
2    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target      prot opt source      destination

Chain POSTROUTING (policy ACCEPT)
num  target      prot opt source      destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target      prot opt source      destination
1    ACCEPT      udp  --  0.0.0.0/0   0.0.0.0/0        udp spt:500 dpt:500
2    ACCEPT      udp  --  0.0.0.0/0   0.0.0.0/0        udp spt:50 dpt:50
3    ACCEPT      esp  --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target      prot opt source      destination

Chain OUTPUT (policy ACCEPT)
num  target      prot opt source      destination
1    ACCEPT      udp  --  0.0.0.0/0   0.0.0.0/0        udp spt:500 dpt:500
2    ACCEPT      udp  --  0.0.0.0/0   0.0.0.0/0        udp spt:50 dpt:50
3    ACCEPT      esp  --  0.0.0.0/0   0.0.0.0/0

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target      prot opt source      destination

Chain OUTPUT (policy ACCEPT)
num  target      prot opt source      destination

Chain POSTROUTING (policy ACCEPT)
num  target      prot opt source      destination
1    MASQUERADE  all  --  0.0.0.0/0   !192.168.1.0/24
And my ipsec.conf:
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:!172.20.1.0/24
    oe=off
    protostack=netkey

conn os-to-cisco
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    esp=3DES-SHA1
    ike=3des-sha1
    forceencaps=yes
    pfs=yes
    compress=no
    left=%defaultroute
    leftid=x.x.x.x
    leftsubnet=172.20.1.0/24
    leftnexthop=%defaultroute
    right=x.x.x.x
    rightsubnet=192.168.1.0/24
    rightnexthop=%defaultroute
    auto=add
At this point, I'm not sure if it's a routing issue or a firewall issue. When I attempt to ping from Host A to Host B and perform a tcpdump icmp on the OpenSwan server, I don't see any traffic coming from Host A (however, I'm not sure if I should). I have set up a static route on Host A pointing all traffic destined to 192.168.1.0 to the OpenSwan server. I've been working at this for 2 days now, have read countless forums and OpenSwan documentation, and am about out of ideas. Any assistance is much appreciated!!!
Thank you!
Trevor
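One check worth running on the gateway, added here as an example that is not part of the post: a small audit of `iptables -L -n --line-numbers` output (with the same `Table:` prefix lines the post shows) that flags the two firewall causes of one-way IPsec traffic on a NETKEY host, a POSTROUTING MASQUERADE/SNAT rule that still rewrites plaintext tunnel traffic and a FORWARD chain that drops it. The parser, the sample output and the subnet arguments are constructed to mirror the post's setup.

```python
# Added audit for `iptables -L -n --line-numbers` output on a NETKEY IPsec
# gateway (example code, not from the post). It flags the classic one-way
# tunnel cause: a POSTROUTING MASQUERADE/SNAT rule that still rewrites the
# plaintext tunnel traffic, and a FORWARD chain that would drop it.
import ipaddress
import re

def parse_iptables(text):
    """Return {table: {chain: [policy, [rules]]}} from 'Table:' + '-L -n' output (built-in chains)."""
    tables, table, chain = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"Table:\s*(\w+)", line):
            table = tables.setdefault(m.group(1), {})
        elif m := re.match(r"Chain (\S+) \(policy (\w+)\)", line):
            chain = table.setdefault(m.group(1), [m.group(2), []])
        elif m := re.match(r"\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)", line):
            tgt, proto, src, dst, extra = m.groups()
            chain[1].append({"target": tgt, "proto": proto, "src": src, "dst": dst, "extra": extra})
    return tables

def covers(spec, net):
    """True if an iptables address spec ('!' negation allowed) matches every address of net."""
    inside = ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(spec.lstrip("!")))
    return inside != spec.startswith("!")

def audit(text, left, right):
    """Findings for traffic from leftsubnet to rightsubnet; [] means nothing obvious in the rules."""
    t, out = parse_iptables(text), []
    for r in t.get("nat", {}).get("POSTROUTING", ["ACCEPT", []])[1]:
        if r["target"] in ("MASQUERADE", "SNAT") and covers(r["src"], left) and covers(r["dst"], right):
            out.append(f"nat POSTROUTING: {r['target']} rewrites {left}->{right} before "
                       f"encapsulation; exclude it with '! -d {right}'")
    policy, rules = t.get("filter", {}).get("FORWARD", ["ACCEPT", []])
    if policy != "ACCEPT" and not any(r["target"] == "ACCEPT" and covers(r["src"], left)
                                      and covers(r["dst"], right) for r in rules):
        out.append(f"filter FORWARD: policy {policy} and no ACCEPT for {left}->{right}")
    return out

# Constructed sample mirroring the post's nat table; the second variant drops the '!'.
GOOD = """\
Table: nat
Chain POSTROUTING (policy ACCEPT)
num  target      prot opt source     destination
1    MASQUERADE  all  --  0.0.0.0/0  !192.168.1.0/24
"""
BAD = GOOD.replace("!192.168.1.0/24", "0.0.0.0/0")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, audit(text, "172.20.1.0/24", "192.168.1.0/24") or ["no findings"])
```

The post's own rule set passes this audit, which points the search toward routing on Host A rather than the gateway's firewall.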