[Openswan Users] problem with openswan

Nick Howitt nick at howitts.co.uk
Mon Nov 17 08:22:46 EST 2014


Alejandro,

Routing is set up through the use of left/rightsubnet(s) and not 
iptables or "ip route".

You will need to have the subnet on which 10.0.0.1.37 is located as one 
of your left/rightsubnets. Don't subnets have to be between { and }, not 
""?

Nick



On 2014-11-17 12:57, Alejandro Perretta wrote:
> Hi, I have this ipsec.conf
> 
> conn test1
>         left=10.0.1.196
> #       esp=aes256-sha1!
>         phase2alg=aes128
>         leftid=54.86.xxx.xx
>         leftsourceip=54.86.34.213
>         leftsubnets="54.86.34.xxx/32 54.86.xx.54/32"
>         right=12.10.219.57
>         rightsubnets="148.171.xxx.0/22 148.171.xxx.0/22"
>         authby=secret
>         ike=aes-128
>         ikelifetime=86400s
>         pfs=yes
>         auto=start
> 
> The telnet from the VPN server to test one host on 148.171.221.92
> works fine, but if I send a telnet from 10.0.0.1.37 (one host on my
> private network) it can't connect to the service.
> 
> My iptables
> 
> *filter
> :INPUT ACCEPT [362601:2929633039]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [311889:27000502]
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.6.0.0/24 -j ACCEPT
> -A FORWARD -s 10.128.88.0/24 -j ACCEPT
> -A FORWARD -s 148.xxx.xxx.xxx -j ACCEPT
> -A FORWARD -s 54.86.xxx.xxx -j ACCEPT
> -A FORWARD -s 10.0.1.0/24 -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
> COMMIT
> # Completed on Fri Nov 14 21:43:05 2014
> # Generated by iptables-save v1.4.21 on Fri Nov 14 21:43:05 2014
> *nat
> :PREROUTING ACCEPT [4:642]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [11:765]
> :POSTROUTING ACCEPT [11:765]
> #-A PREROUTING  -d 54.86.xxx.xxx/32 -j DNAT --to-destination 10.0.1.217
> #-A POSTROUTING -s 10.0.1.217   -j MASQUERADE
> 
> COMMIT
> # Completed on Fri Nov 14 21:43:05 2014
> 
> --
> 
> Alejandro Perretta
> Geopagos
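A small checker for the point made in the reply above, added here as an illustration and not code from either poster or from Openswan: it parses one conn section and reports whether a source/destination pair falls inside the declared left/right subnets. The sample config, its RFC 5737 addresses, the LAN host 10.0.1.37 and the function names are constructed for the example; the parser accepts either delimiter around the subnet list so it can be run on a config as posted, and says nothing about which form pluto itself accepts.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's conn; addresses come from
# documentation ranges (RFC 5737) and are not the poster's real values.
SAMPLE_CONF = """\
conn test1
    left=10.0.1.196
    leftsubnets={203.0.113.10/32 203.0.113.54/32}
    right=198.51.100.57
    rightsubnets={192.0.2.0/25 192.0.2.128/25}
    authby=secret
    auto=start
"""

def parse_conn(text, name):
    """Return the key=value options of one conn section as a dict."""
    opts, active = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():        # section headers start at column 0
            active = line.split() == ["conn", name]
        elif active and "=" in line:
            key, _, value = line.strip().partition("=")
            opts[key.strip()] = value.strip()
    return opts

def selectors(opts, side):
    """Networks from <side>subnets or <side>subnet, else the <side> address itself."""
    raw = opts.get(side + "subnets") or opts.get(side + "subnet") or opts.get(side, "")
    return [ipaddress.ip_network(tok, strict=False)
            for tok in re.split(r"[\s,]+", raw.strip('{}"')) if tok]

def in_tunnel(opts, src, dst):
    """True if a packet src -> dst matches some left/right subnet pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(src in n for n in selectors(opts, "left")) and
            any(dst in n for n in selectors(opts, "right")))

if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "test1")
    print(in_tunnel(conn, "203.0.113.10", "192.0.2.92"))  # declared source
    print(in_tunnel(conn, "10.0.1.37", "192.0.2.92"))     # LAN host, not declared
```

A LAN host only matches once its subnet is listed on the left side, which is the change the reply asks for.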
