[Openswan Users] problem with openswan

Alejandro Perretta alejandro at geopagos.com
Mon Nov 17 08:25:14 EST 2014


Thanks, the problem was the POSTROUTING: I must SNAT the source with

-A POSTROUTING -d 148.171xxx.xx/32 -j SNAT --to-source 54.86.xxx.xxx

so the 10.x will be translated to 54.86.


2014-11-17 10:22 GMT-03:00 Nick Howitt <nick at howitts.co.uk>:

> Alejandro,
>
> Routing is set up through the use of left/rightsubnet(s) and not iptables
> or "ip route"
>
> You will need to have the subnet on which 10.0.0.1.37 is located as one of
> your left/rightsubnets. Don't subnets have to be between { and }, not ""?
>
> Nick
>
>
>
>
> On 2014-11-17 12:57, Alejandro Perretta wrote:
>
>> Hi, I have this ipsec.conf
>>
>> conn test1
>>         left=10.0.1.196
>> #     esp=aes256-sha1!
>>     phase2alg=aes128
>>         leftid=54.86.xxx.xx
>>         leftsourceip=54.86.34.213
>>         leftsubnets="54.86.34.xxx/32 54.86.xx.54/32"
>>         right=12.10.219.57
>>         rightsubnets="148.171.xxx.0/22 148.171.xxx.0/22"
>>         authby=secret
>>        ike=aes-128
>>     ikelifetime=86400s
>>         pfs=yes
>>     auto=start
>>
>> The telnet from the VPN server to test one host on 148.171.221.92
>> works fine, but if I send a telnet from 10.0.0.1.37 (one host on my
>> private network) it can't connect to the service.
>>
>> My iptables
>>
>> filter
>> :INPUT ACCEPT [362601:2929633039]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [311889:27000502]
>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -s 10.6.0.0/24 -j ACCEPT
>> -A FORWARD -s 10.128.88.0/24 -j ACCEPT
>> -A FORWARD -s 148.xxx.xxx.xxx -j ACCEPT
>> -A FORWARD -s 54.86.xxx.xxx -j ACCEPT
>> -A FORWARD -s 10.0.1.0/24 -j ACCEPT
>> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
>> COMMIT
>> # Completed on Fri Nov 14 21:43:05 2014
>> # Generated by iptables-save v1.4.21 on Fri Nov 14 21:43:05 2014
>> *nat
>> :PREROUTING ACCEPT [4:642]
>> :INPUT ACCEPT [0:0]
>> :OUTPUT ACCEPT [11:765]
>> :POSTROUTING ACCEPT [11:765]
>> #-A PREROUTING  -d 54.86.xxx.xxx/32 -j DNAT --to-destination
>> 10.0.1.217
>> #-A POSTROUTING -s 10.0.1.217   -j MASQUERADE
>>
>> COMMIT
>> # Completed on Fri Nov 14 21:43:05 2014
>>
>> --
>>
>> Alejandro Perretta
>> Geopagos
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>


-- 
Alejandro Perretta
Geopagos
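An added example, not code from the thread or from the Openswan project: a small Python model of why the SNAT rule resolved the forwarded flow. Openswan's traffic selectors (leftsubnets/rightsubnets) are matched against the addresses a packet carries when it reaches the tunnel, which for traffic forwarded from the private LAN is after the nat POSTROUTING chain has rewritten the source. The model parses the conn's subnet lists and iptables-save style POSTROUTING lines, applies the first matching rule, and reports whether the flow is covered before and after NAT. Every octet the thread masks as "xxx" is a constructed placeholder here (148.171.220.0/22, 148.171.216.0/22, 54.86.34.54, and a /32 on the 148.171.221.92 test host), and 10.0.1.37 is a constructed stand-in for the poster's "10.0.0.1.37" on the 10.0.1.0/24 network. The MASQUERADE branch models its documented behaviour of using the outgoing interface's address, which on the posted host is left=10.0.1.196, to show why MASQUERADE would not have satisfied the selector either.

```python
"""Added model: does a forwarded flow match the Openswan traffic selectors
(leftsubnets/rightsubnets) before and after the nat POSTROUTING chain?"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional
import shlex


@dataclass(frozen=True)
class NatRule:
    src: IPv4Network                  # -s match (default: any)
    dst: IPv4Network                  # -d match (default: any)
    to_source: Optional[IPv4Address]  # SNAT --to-source; None means MASQUERADE


def parse_subnets(value: str) -> List[IPv4Network]:
    """Parse a leftsubnets/rightsubnets value; tolerate both {a b} and "a b"."""
    cleaned = value.strip().strip('"').strip("{}")
    return [ip_network(tok, strict=False) for tok in cleaned.split()]


def parse_postrouting(text: str) -> List[NatRule]:
    """Extract SNAT/MASQUERADE rules from POSTROUTING lines in iptables-save
    form. Lines starting with '#' are ignored, as iptables-restore ignores them,
    so the two commented rules in the posted nat table yield no rule at all."""
    rules: List[NatRule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:2] != ["-A", "POSTROUTING"]:
            continue
        src = dst = ip_network("0.0.0.0/0")
        target, to_source = None, None
        i = 2
        while i < len(tok):
            if tok[i] == "-s":
                src, i = ip_network(tok[i + 1], strict=False), i + 2
            elif tok[i] == "-d":
                dst, i = ip_network(tok[i + 1], strict=False), i + 2
            elif tok[i] == "-j":
                target, i = tok[i + 1], i + 2
            elif tok[i] == "--to-source":
                to_source, i = ip_address(tok[i + 1]), i + 2
            else:
                i += 1
        if target == "SNAT" and to_source is not None:
            rules.append(NatRule(src, dst, to_source))
        elif target == "MASQUERADE":
            rules.append(NatRule(src, dst, None))
    return rules


def apply_nat(src: IPv4Address, dst: IPv4Address, rules: List[NatRule],
              iface_addr: IPv4Address) -> IPv4Address:
    """First matching rule wins; MASQUERADE rewrites to the outgoing
    interface address (the conn's private left= address on this host)."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.to_source if r.to_source is not None else iface_addr
    return src


def tunnel_selects(src: IPv4Address, dst: IPv4Address,
                   left: List[IPv4Network], right: List[IPv4Network]) -> bool:
    """A flow is protected if some (leftsubnet, rightsubnet) pair covers it."""
    return any(src in l and dst in r for l in left for r in right)


def check_flow(src: str, dst: str, left_value: str, right_value: str,
               nat_text: str, iface_addr: str) -> Dict[str, object]:
    s, d = ip_address(src), ip_address(dst)
    left, right = parse_subnets(left_value), parse_subnets(right_value)
    after = apply_nat(s, d, parse_postrouting(nat_text), ip_address(iface_addr))
    return {"before_nat": tunnel_selects(s, d, left, right),
            "src_after_nat": str(after),
            "after_nat": tunnel_selects(after, d, left, right)}


# Constructed placeholders standing in for the octets masked as "xxx" in the post.
LEFT_SUBNETS = '"54.86.34.213/32 54.86.34.54/32"'
RIGHT_SUBNETS = '"148.171.220.0/22 148.171.216.0/22"'
VPN_HOST_IFACE = "10.0.1.196"  # left= in the posted conn
LAN_HOST, REMOTE_HOST = "10.0.1.37", "148.171.221.92"
NAT_POSTED = """
#-A PREROUTING -d 54.86.34.213/32 -j DNAT --to-destination 10.0.1.217
#-A POSTROUTING -s 10.0.1.217 -j MASQUERADE
"""
NAT_FIXED = "-A POSTROUTING -d 148.171.221.92/32 -j SNAT --to-source 54.86.34.213"
NAT_MASQ = "-A POSTROUTING -d 148.171.221.92/32 -j MASQUERADE"

if __name__ == "__main__":
    for label, nat in (("posted", NAT_POSTED), ("snat fix", NAT_FIXED), ("masquerade", NAT_MASQ)):
        print(label, check_flow(LAN_HOST, REMOTE_HOST, LEFT_SUBNETS, RIGHT_SUBNETS, nat, VPN_HOST_IFACE))
```

Scoping the SNAT rule with `-d` to the remote tunnel network, as the poster's fix does, keeps the rewrite from leaking onto the host's other outbound traffic; a blanket `-j MASQUERADE` would also pick the private interface address and still fall outside leftsubnets.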

