[Openswan Users] Tunnel is up but private network is unreachable
Mitsue A Murakami
mitsue at webcenter.com.br
Tue Jul 21 10:30:54 EDT 2015
Hi guys. Thanks for your replies.
On 21-07-2015 09:50, Damian McHugh wrote:
> I would specify allowed networks as follows:
> virtual_private=%v4:192.168.13.0/24,%v4:192.168.4.0/24 (note I've removed
> the ! ).
Unfortunately, it did not work.
On 21-07-2015 10:09, Nick Howitt wrote:
> Isn't virtual_private only used when IPsec is natted and supplying an
> IP address to something like a roadwarrior?
No. The topology is:
site A (private subnet) -> debian fw -> Internet -> Cisco Router -> site B (private subnet)
Site A private subnet is 192.168.4.0/24
Site B private subnet is 192.168.13.0/24
> I'd have a look at firewalling, either for an explicit rule for the
> remote subnet or for a rule for packets with the policy ipsec. I can't
> remember the details, but I think it is a PREROUTING rule in the nat
> chain which is needed.
These are the firewall rules:
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -d 192.168.13.0/24 -j SNAT --to (debian fw public IP)
I forgot to mention that traceroute shows that traffic is going to the
Internet, not through the tunnel.
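A small Python model, added here and not part of the original thread, of why the SNAT rule posted above can push tunnel traffic out to the Internet instead of into the tunnel: on Linux the nat POSTROUTING chain runs before the IPsec (xfrm) policy lookup, so once the source address is rewritten to the public IP the packet no longer matches a 192.168.4.0/24 <-> 192.168.13.0/24 selector and leaves via the default route in clear. The tunnel selector, the placeholder public IP and the `-m policy --dir out --pol ipsec -j ACCEPT` exemption rule are assumptions, not taken from the poster's configuration.

```python
import ipaddress

# Constructed model of the Linux forward path for this setup:
# nat POSTROUTING runs BEFORE the xfrm (IPsec) policy lookup, so an SNATed
# packet is evaluated against the tunnel selector with its new source.
SITE_A = ipaddress.ip_network("192.168.4.0/24")
SITE_B = ipaddress.ip_network("192.168.13.0/24")
PUBLIC_IP = "203.0.113.10"  # placeholder for "(debian fw public IP)"


def ipsec_policy_matches(src, dst):
    """xfrm policy lookup: assumed leftsubnet/rightsubnet of the Openswan conn."""
    return ipaddress.ip_address(src) in SITE_A and ipaddress.ip_address(dst) in SITE_B


def postrouting(rules, src, dst):
    """Walk nat POSTROUTING rules in order; return the (possibly rewritten) source."""
    for rule in rules:
        # -m policy --dir out --pol ipsec: only packets that already have a policy
        if rule.get("pol_ipsec") and not ipsec_policy_matches(src, dst):
            continue
        if "src" in rule and ipaddress.ip_address(src) not in rule["src"]:
            continue
        if "dst" in rule and ipaddress.ip_address(dst) not in rule["dst"]:
            continue
        if rule["target"] == "ACCEPT":
            return src  # chain traversal stops, address untouched
        if rule["target"] == "SNAT":
            return rule["to"]
    return src


def forward(rules, src, dst):
    """Return 'tunnel' if the packet is encrypted, 'internet' if it leaks in clear."""
    new_src = postrouting(rules, src, dst)
    return "tunnel" if ipsec_policy_matches(new_src, dst) else "internet"


# The rule as posted: SNAT site A -> site B traffic to the public IP.
POSTED = [{"src": SITE_A, "dst": SITE_B, "target": "SNAT", "to": PUBLIC_IP}]

# Corrected ordering: exempt IPsec-policy traffic before any SNAT rule, i.e.
#   iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
FIXED = [{"pol_ipsec": True, "target": "ACCEPT"}] + POSTED

if __name__ == "__main__":
    print("posted rules:", forward(POSTED, "192.168.4.10", "192.168.13.20"))
    print("fixed rules: ", forward(FIXED, "192.168.4.10", "192.168.13.20"))
```

The same check applies to a MASQUERADE rule covering 192.168.4.0/24: anything that rewrites the source before the policy lookup has to exempt tunnel traffic, or the traceroute will keep showing the Internet path.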