[Openswan Users] CentOS5 + Draytek 2820 pings only one way

Nick Howitt n1ck.h0w1tt at gmail.com
Fri Feb 15 13:32:43 EST 2013 

The iptables rule is something like:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

I don't know CentOS so I don't know what a masq script is. In ClearOS 
there is a local firewall script available.

FWIW I actually have the DrayTek call my server because we both have 
semi-dynamic IP's (mine did not change for 3 years) and in this scenario 
it may be easier this way round. I have a watching script at my end 
which can determine IP changes and it works better in the dial in case.

Regards,

Nick

On 15/02/2013 17:25, John Crisp wrote:
> Hi Nick,
>
> On 15/02/13 17:45, Nick Howitt wrote:
>> In my firewall, supplied by ClearOS I have an extra rule in the nat
>> table which translates to:
>>
>> Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
>>   pkts bytes target     prot opt in     out source               destination
>>      0     0 ACCEPT     all  --  *      * 0.0.0.0/0
>> 0.0.0.0/0           policy match dir out pol ipsec
>>
> Can you tell me where about does this goes in your masq script ?
>
>> You should not need to do anything with protocol 51 as it is not used
>> with esp.
>>
> OK - I can remove that
>
>
>> I am not sure iptables is the issue. In the 2820 LAN-LAN profile is
>> "From first subnet to remote network, you have to do" set to Route or
>> NAT. It should be set to Route.
>>
> It is set to route. I have 4 of these with their own VPNs to each other.
> The VPS is the 'odd one out'.
>
> It is odd that the Draytek seems to know where to send packets. It's the
> VPS server that has the struggle !
>
>
>> Answering other points, your leftsourceip looks OK. Because it is
>> specified you do not need to set a source IP when pinging. It will
>> happen anyway. Pings from CentOS will appear from leftsourceip rather
>> than L.C.98.24.
>>
>> BTW, in your config you have a lot of redundant stuff. I would get rid of:
>> %myid
>> leftid
>> rightid
>> rightsourceip
>> nat_traversal
>> compress
>> connaddrfamily
>> ike
>> phase2alg
>> phase2
>> keyexchange
>> keyingtries
>>
>> ike and phase2alg will be negotiated to whatever you have set in the
>> 2820 (and I'd suggest, unless your CentOS Processor is anaemic, you use
>> aes256,sha1,group14 and you also enable pfs in the advanced settings).
>> The other settings are default or unnecessary. Unless you have changed
>> the defaults in the 2820 you also have a mismatch of keylife and
>> ikelifetime - they need to be reversed.
>>
> Thanks for all that info - I shall clean it up accordingly and up the
> encryption level. I managed to find one page that had some settings to
> connect to a Draytek and I started from there.
>
> Currently I have the Draytek dialling and connecting to the server. I
> presume this is easier than the opposite way round ?
>
> Thanks for the help !
>
> B. Rgds
> John
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list