[Openswan Users] Connecting to other machines in subnet

Durwin thecajun at nmia.com
Thu Feb 14 10:16:34 EST 2013


[SOLVED]  For the record, the machine C I was trying to connect to
directly had a persistent route set up from when I had the hardware VPN.
Once I deleted that persistent route and added one directing it to the VPN
server, it all worked.

Thank you all for assistance.

> 
> > On 02/11/2013 05:59 PM, Durwin wrote:
> > > Here is my config.  My right and left are opposite of yours but it looks
> > > the same other wise.
> > >
> > > conn siteB
> > >      left=%defaultroute
> > >      leftsubnet=192.168.4.0/24
> > >      leftsourceip=192.168.4.100
> > >      right=public ip of hardware vpn
> > >      rightsubnet=172.23.93.0/24
> > >      type=tunnel
> > >      authby=secret
> > >      keyexchange=ike
> > >      auto=start
> > >      pfs=yes
> > >      ike=3des-sha1-modp1024
> > >      esp=3des-sha1
> > >
> > > I configured machine C to use machine B as gateway.  I confirmed
> > > forwarding is on (server B).  But I can't connect to machine C from site
> > > A.  What else am I missing?
> > 
> > Okay, with that let's look at Daniel Cave's suggestion now.  What iptables rules do you have on server B?  Anything that might be blocking it from forwarding?
> > iptables -L -n -t nat
> > iptables -L -n -t filter
> 
> I wasn't running iptables at the time.  I have since found some rules
> which allow VPN to work.  So here is the output from those 2 commands.
> 
> F17> iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
> DNAT       tcp  -- !172.23.93.7          0.0.0.0/0            tcp dpt:80 to:172.23.93.7:3128
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
> SNAT       all  --  172.23.93.0/24       172.23.93.7          to:172.23.93.1
> 
> 
> 03:24 AM root at bayou ~
> F17> iptables -L -n -t filter
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  172.23.93.0/24       0.0.0.0/0
> ACCEPT     all  --  192.168.4.0/24       0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1024:65535
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp spts:6881:6999
>            icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  172.23.93.0/24       172.23.93.7          tcp dpt:3128
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:1024:65535 dpt:53
> ACCEPT     tcp  --  0.0.0.0/0            216.184.2.128        state NEW tcp dpt:110
> ACCEPT     tcp  --  0.0.0.0/0            216.184.2.128        state NEW tcp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp spts:1024:65535 dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp spts:1024:65535 dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:6881:6999
>            icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
> 
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:500
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:4500
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:6277 dpts:1024:65535
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:24441 dpts:1024:65535
> ACCEPT     tcp  --  172.23.93.0/24       192.168.4.49         state NEW tcp dpt:1022
> ACCEPT     tcp  --  216.184.2.122        0.0.0.0/0            state NEW tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10080
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users

Durwin F. De La Rue <thecajun at nmia.com>
-- 
reality.sys corrupted. universe halted. reboot (y/n)?
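The fix above was a stale per-host route on machine C that still pointed at the old hardware VPN instead of server B. The following is an added example (not from this thread or from Openswan) of a small check that reads an `ip route show` dump and reports whether the route for the remote subnet 192.168.4.0/24 uses the expected gateway. It assumes server B's LAN address is 172.23.93.1 (the thread never states it; it is taken from the SNAT rule) and the route dumps are constructed, not captured.

```shell
#!/bin/sh
# Added example: detect a stale route for the remote VPN subnet on a LAN host.
# Assumptions (not stated in the thread): expected gateway is server B at
# 172.23.93.1; 172.23.93.254 stands in for the decommissioned hardware VPN.

REMOTE_SUBNET="192.168.4.0/24"
EXPECTED_GW="172.23.93.1"

# Constructed sample of `ip route show` on machine C before the fix:
# the persistent route still sends 192.168.4.0/24 to the old hardware VPN.
SAMPLE_ROUTES='default via 172.23.93.254 dev eth0
172.23.93.0/24 dev eth0 proto kernel scope link src 172.23.93.20
192.168.4.0/24 via 172.23.93.254 dev eth0'

# Constructed sample after the fix: the route now goes via server B.
FIXED_ROUTES='default via 172.23.93.254 dev eth0
172.23.93.0/24 dev eth0 proto kernel scope link src 172.23.93.20
192.168.4.0/24 via 172.23.93.1 dev eth0'

# gateway_for SUBNET ROUTES: print the next hop of the specific route for
# SUBNET, or "none" when no such route exists (default route would be used).
gateway_for() {
    subnet="$1"
    routes="$2"
    printf '%s\n' "$routes" | awk -v s="$subnet" '
        $1 == s && $2 == "via" { print $3; found = 1; exit }
        END { if (!found) print "none" }'
}

# check_route SUBNET EXPECTED_GW ROUTES: exit status 0 when the route uses
# the expected gateway, 1 when it points elsewhere (stale), 2 when missing.
check_route() {
    gw=$(gateway_for "$1" "$3")
    case "$gw" in
        "$2") echo "ok: $1 via $2"; return 0 ;;
        none) echo "missing: no route for $1, default route would be used"; return 2 ;;
        *)    echo "stale: $1 via $gw, expected $2"; return 1 ;;
    esac
}

# Run the check on both constructed dumps; the "|| true" keeps the script
# from aborting under "set -e" when the stale route is reported.
check_route "$REMOTE_SUBNET" "$EXPECTED_GW" "$SAMPLE_ROUTES" || true
check_route "$REMOTE_SUBNET" "$EXPECTED_GW" "$FIXED_ROUTES" || true
```

On a live host, pass "$(ip route show)" instead of the constructed dumps.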


