[Openswan Users] problem with openswan
Nick Howitt
nick at howitts.co.uk
Mon Nov 17 08:42:37 EST 2014
Curious. Is there a reason why you don't just go from and to private
subnets rather than NATing to public IPs? Correct me if I'm wrong, but I
did not think SNAT would give you a 1:1 or reproducible map from
private to public IP.
Nick
On 2014-11-17 13:25, Alejandro Perretta wrote:
> Thanks. The problem was the POSTROUTING; I must SNAT the source
> with
>
> -A POSTROUTING -d 148.171xxx.xx/32 -j SNAT --to-source 54.86.xxx.xxx
>
> so the 10.x will be translated to 54.86.
>
> 2014-11-17 10:22 GMT-03:00 Nick Howitt <nick at howitts.co.uk>:
>
>> Alejandro,
>>
>> Routing is set up through the use of left/rightsubnet(s) and not
>> iptables or "ip route"
>>
>> You will need to have the subnet on which 10.0.0.1.37 is located as
>> one of your left/rightsubnets. Don't subnets have to be between {
>> and }, not ""?
>>
>> Nick
>>
>> On 2014-11-17 12:57, Alejandro Perretta wrote:
>>
>>> Hi, I have this ipsec.conf:
>>>
>>> conn test1
>>>     left=10.0.1.196
>>>     # esp=aes256-sha1!
>>>     phase2alg=aes128
>>>     leftid=54.86.xxx.xx
>>>     leftsourceip=54.86.34.213
>>>     leftsubnets="54.86.34.xxx/32 54.86.xx.54/32"
>>>     right=12.10.219.57
>>>     rightsubnets="148.171.xxx.0/22 148.171.xxx.0/22"
>>>     authby=secret
>>>     ike=aes-128
>>>     ikelifetime=86400s
>>>     pfs=yes
>>>     auto=start
>>>
>>> Telnet from the VPN server to test one host on 148.171.221.92
>>> works fine, but if I send a telnet from 10.0.0.1.37 (one host on
>>> my private network) it can't connect to the service.
>>>
>>> My iptables:
>>>
>>> *filter
>>> :INPUT ACCEPT [362601:2929633039]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [311889:27000502]
>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A FORWARD -s 10.6.0.0/24 -j ACCEPT
>>> -A FORWARD -s 10.128.88.0/24 -j ACCEPT
>>> -A FORWARD -s 148.xxx.xxx.xxx -j ACCEPT
>>> -A FORWARD -s 54.86.xxx.xxx -j ACCEPT
>>> -A FORWARD -s 10.0.1.0/24 -j ACCEPT
>>> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
>>> COMMIT
>>> # Completed on Fri Nov 14 21:43:05 2014
>>> # Generated by iptables-save v1.4.21 on Fri Nov 14 21:43:05 2014
>>> *nat
>>> :PREROUTING ACCEPT [4:642]
>>> :INPUT ACCEPT [0:0]
>>> :OUTPUT ACCEPT [11:765]
>>> :POSTROUTING ACCEPT [11:765]
>>> #-A PREROUTING -d 54.86.xxx.xxx/32 -j DNAT --to-destination 10.0.1.217
>>> #-A POSTROUTING -s 10.0.1.217 -j MASQUERADE
>>>
>>> COMMIT
>>> # Completed on Fri Nov 14 21:43:05 2014
>>>
>>> --
>>>
>>> Alejandro Perretta
>>> Geopagos
>>>
>
> --
>
> Alejandro Perretta
> Geopagos
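The point Nick makes in the thread is that an IPsec tunnel only carries packets whose source and destination fall inside a negotiated left/right subnet pair; a host outside every leftsubnet never enters the tunnel, whatever iptables says, and leftsubnets must be written in braces, not quotes. The script below is an added example, not code from the thread or from Openswan. It parses a conn section, rejects the quoted subnet syntax, and reports which selector pair (if any) would carry a given host-to-host flow. The conn text and all addresses in it are constructed placeholders.

```python
"""Check whether an Openswan conn's subnet selectors would carry a host pair.

Added example; the configuration below is constructed with placeholder
addresses and is not the poster's real ipsec.conf.
"""
import ipaddress
import re

# Constructed ipsec.conf fragment (placeholder addresses), using the brace
# syntax that Openswan expects for leftsubnets/rightsubnets.
SAMPLE_CONF = """
conn test1
    left=10.0.1.196
    leftid=54.86.0.1
    leftsubnets={10.0.1.0/24 54.86.0.1/32}
    right=12.10.219.57
    rightsubnets={148.171.220.0/22}
    authby=secret
    auto=start
"""

_BRACED = re.compile(r"^\{(.*)\}$")


def parse_conn(conf_text, name):
    """Return the key=value settings of the named conn section as a dict."""
    settings = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            in_section = line.split(None, 1)[1].strip() == name
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_subnets(value):
    """Parse a leftsubnets/rightsubnets value.

    Openswan expects the list inside braces: {a/n b/n}.  A quoted list
    ("a/n b/n"), as posted in the thread, is not that syntax, so it is
    rejected here rather than silently yielding no selectors.
    """
    m = _BRACED.match(value)
    if m is None:
        raise ValueError(f"subnet list must be written as {{a/n b/n}}, got {value!r}")
    return [ipaddress.ip_network(tok, strict=False) for tok in m.group(1).split()]


def selectors(conn, side):
    """Traffic selectors for 'left' or 'right': the subnets list if present,
    otherwise the single subnet, otherwise the endpoint address itself."""
    if side + "subnets" in conn:
        return parse_subnets(conn[side + "subnets"])
    if side + "subnet" in conn:
        return [ipaddress.ip_network(conn[side + "subnet"], strict=False)]
    return [ipaddress.ip_network(conn[side], strict=False)]


def covered_by(conn, src, dst):
    """Return (leftsubnet, rightsubnet) as strings for the selector pair that
    matches src -> dst, or None when no SA would carry the packet.

    None is the situation from the thread: the private host was not inside
    any leftsubnet, so its packets never entered the tunnel regardless of
    the FORWARD rules.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for lnet in selectors(conn, "left"):
        if src_ip not in lnet:
            continue
        for rnet in selectors(conn, "right"):
            if dst_ip in rnet:
                return (str(lnet), str(rnet))
    return None


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "test1")
    print(covered_by(conn, "10.0.1.37", "148.171.221.92"))  # ('10.0.1.0/24', '148.171.220.0/22')
    print(covered_by(conn, "10.6.0.5", "148.171.221.92"))   # None
```

Run it against a real ipsec.conf by reading the file into `parse_conn` instead of `SAMPLE_CONF`; a `None` for a flow that "should" work means the fix belongs in the subnet lists of the conn, not in iptables, which is the conclusion the thread reaches.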