[Openswan Users] CentOS5 + Draytek 2820 pings only one way

Nick Howitt n1ck.h0w1tt at gmail.com
Fri Feb 15 13:32:43 EST 2013

The iptables rule is something like:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

I don't know CentOS so I don't know what a masq script is. In ClearOS 
there is a local firewall script available.

FWIW I actually have the DrayTek call my server because we both have 
semi-dynamic IPs (mine did not change for 3 years) and in this scenario 
it may be easier this way round. I have a watching script at my end 
which can determine IP changes and it works better in the dial-in case.



On 15/02/2013 17:25, John Crisp wrote:
> Hi Nick,
> On 15/02/13 17:45, Nick Howitt wrote:
>> In my firewall, supplied by ClearOS I have an extra rule in the nat
>> table which translates to:
>> Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
>>   pkts bytes target     prot opt in     out source               destination
>>      0     0 ACCEPT     all  --  *      *
>>           policy match dir out pol ipsec
> Can you tell me whereabouts this goes in your masq script?
>> You should not need to do anything with protocol 51 as it is not used
>> with esp.
> OK - I can remove that
>> I am not sure iptables is the issue. In the 2820 LAN-LAN profile is
>> "From first subnet to remote network, you have to do" set to Route or
>> NAT. It should be set to Route.
> It is set to route. I have 4 of these with their own VPNs to each other.
> The VPS is the 'odd one out'.
> It is odd that the Draytek seems to know where to send packets. It's the
> VPS server that has the struggle!
>> Answering other points, your leftsourceip looks OK. Because it is
>> specified you do not need to set a source IP when pinging. It will
>> happen anyway. Pings from CentOS will appear from leftsourceip rather
>> than L.C.98.24.
>> BTW, in your config you have a lot of redundant stuff. I would get rid of:
>> %myid
>> leftid
>> rightid
>> rightsourceip
>> nat_traversal
>> compress
>> connaddrfamily
>> ike
>> phase2alg
>> phase2
>> keyexchange
>> keyingtries
>> ike and phase2alg will be negotiated to whatever you have set in the
>> 2820 (and I'd suggest, unless your CentOS Processor is anaemic, you use
>> aes256,sha1,group14 and you also enable pfs in the advanced settings).
>> The other settings are default or unnecessary. Unless you have changed
>> the defaults in the 2820 you also have a mismatch of keylife and
>> ikelifetime - they need to be reversed.
> Thanks for all that info - I shall clean it up accordingly and up the
> encryption level. I managed to find one page that had some settings to
> connect to a Draytek and I started from there.
> Currently I have the Draytek dialling and connecting to the server. I
> presume this is easier than the opposite way round?
> Thanks for the help!
> B. Rgds
> John

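The placement question in this exchange (where the IPsec exemption goes in a masquerading script) matters because nat/POSTROUTING rules are evaluated in order: if MASQUERADE comes first, packets destined for the remote subnet are rewritten to the WAN address before the "-m policy --pol ipsec" ACCEPT can exempt them, and the tunnel then carries traffic from the wrong source address, which is one way to get pings that only work in one direction. The "-I" in Nick's rule inserts at the head of the chain, which is what keeps it ahead of MASQUERADE. The script below is an added example, not code from either poster; it checks an iptables-save dump for exactly that ordering problem. The three dumps are constructed sample input, and the function name check_ipsec_nat_exemption is this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks an iptables-save dump
# for the misordering behind one-way pings over an IPsec tunnel: a MASQUERADE
# or SNAT rule in nat/POSTROUTING that runs before the
# "-m policy --dir out --pol ipsec -j ACCEPT" exemption. All dumps below are
# constructed sample input.

# Constructed sample: exemption inserted (-I) ahead of MASQUERADE, as intended.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: exemption appended (-A) after MASQUERADE, so it never fires.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Constructed sample: no exemption at all, only the masquerade rule.
MISSING_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# check_ipsec_nat_exemption DUMP_TEXT
# Prints "ok" and returns 0 when a "-m policy --pol ipsec" ACCEPT rule exists
# in nat/POSTROUTING and precedes every MASQUERADE/SNAT rule in that chain;
# otherwise prints a one-line diagnostic and returns 1.
check_ipsec_nat_exemption() {
    dump_text=$1
    # Keep only nat/POSTROUTING rules, numbered in chain order.
    rules=$(printf '%s\n' "$dump_text" | awk '
        /^\*/     { table = substr($0, 2) }
        /^COMMIT/ { table = "" }
        table == "nat" && /^-A POSTROUTING / { print (++n) ":" $0 }')
    # Position of the first IPsec policy exemption, if any.
    exempt=$(printf '%s\n' "$rules" | grep -- '-m policy' \
        | grep -- '--pol ipsec' | grep -- '-j ACCEPT' | head -n1 | cut -d: -f1)
    # Position of the first source-NAT rule, if any.
    first_nat=$(printf '%s\n' "$rules" | grep -E -- '-j (MASQUERADE|SNAT)' \
        | head -n1 | cut -d: -f1)
    if [ -z "$exempt" ]; then
        echo "missing: no 'policy --pol ipsec' ACCEPT in nat/POSTROUTING"
        return 1
    fi
    if [ -n "$first_nat" ] && [ "$first_nat" -lt "$exempt" ]; then
        echo "misordered: NAT rule #$first_nat precedes IPsec exemption #$exempt"
        return 1
    fi
    echo ok
    return 0
}

# Usage: on a live box you would run  check_ipsec_nat_exemption "$(iptables-save)"
for sample in "$GOOD_DUMP" "$BAD_DUMP" "$MISSING_DUMP"; do
    check_ipsec_nat_exemption "$sample" || :
done
```

The check only looks at rule order inside nat/POSTROUTING; it does not tell you whether the kernel's policy match is actually built (xt_policy), so on a box where the rule itself fails to load, the dump simply will not contain it and the "missing" branch fires.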