[Openswan Users] Tunnel is up but private network is unreachable
nick at howitts.co.uk
Tue Jul 21 11:00:21 EDT 2015
I'll check the rules when I'm home later but I don't see why you are
SNATing to a public IP. I'd have thought you'd do "-j ACCEPT" but I
On 2015-07-21 15:30, Mitsue A Murakami wrote:
> Hi guys. Thanks for your replies.
> On 21-07-2015 09:50, Damian McHugh wrote:
>> I would specify allowed networks as follows:
>> virtual_private=%v4:192.168.13.0/24,%v4:192.168.4.0/24 (note I've
>> the ! ).
> Unfortunately, it did not work.
> On 21-07-2015 10:09, Nick Howitt wrote:
>> Isn't virtual_private only used when IPsec is natted and supplying an
>> IP address to something like a roadwarrior?
> No. The topology is:
> site A (private subnet)-> debian fw -> Internet -> Cisco Router ->
> site B (private subnet)
> Site A private subnet is 192.168.4.0/24
> Site B private subnet is 192.168.13.0/24
>> I'd have a look at firewalling, either for an explicit rule for the
>> remote subnet or for a rule for packets with the policy ipsec. I can't
>> remember the details, but I think it is a PREROUTING rule in the nat
>> chain which is needed.
> These are the firewall rules :
> iptables -A INPUT -p udp --dport 500 -j ACCEPT
> iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
> iptables -A INPUT -p udp --dport 4500 -j ACCEPT
> iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -d 192.168.13.0/24 -j SNAT --to (debian fw public IP)
> I forgot to mention that traceroute shows that traffic is going to
> the Internet, not through the tunnel.
> Users at lists.openswan.org
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
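As an added example, not part of the thread and not Openswan's own code: a gateway rule set for the topology described above (192.168.4.0/24 behind the Debian firewall, 192.168.13.0/24 behind the Cisco). It shows the point Nick is making about the NAT rule. Once the POSTROUTING SNAT rewrites the source address to the public IP, the kernel re-evaluates the IPsec policy for the rewritten packet, which no longer matches the 192.168.4.0/24 -> 192.168.13.0/24 selector, so the packet leaves in the clear via the default route, exactly what a traceroute going out to the Internet looks like. The fix is an ACCEPT for traffic matching the ipsec policy placed before any SNAT/MASQUERADE rule, plus ESP itself on INPUT (ESP is IP protocol 50, not TCP 4500). The interface name eth0 and the use of MASQUERADE for the rest of the LAN are assumptions; IPT defaults to a dry run that only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not from the thread: firewall and NAT rules for an Openswan
# site-to-site tunnel on a Debian gateway. LOCAL_NET/REMOTE_NET default to the
# subnets named in the thread; WAN_IF="eth0" is an assumed interface name.
# IPT defaults to "echo iptables" (dry run); run with IPT=iptables to apply.
set -eu

LOCAL_NET="${LOCAL_NET:-192.168.4.0/24}"     # site A, behind this gateway
REMOTE_NET="${REMOTE_NET:-192.168.13.0/24}"  # site B, behind the Cisco router
WAN_IF="${WAN_IF:-eth0}"                     # assumed public-facing interface
IPT="${IPT:-echo iptables}"

ipsec_fw_rules() {
    # IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) addressed to
    # the gateway itself. ESP is its own IP protocol, not TCP 4500.
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p esp -j ACCEPT

    # Forward only traffic the kernel is about to encrypt (dir out) or has
    # just decrypted (dir in) between the two subnets.
    $IPT -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -m policy --dir in --pol ipsec -j ACCEPT

    # NAT: after SNAT the kernel re-does the IPsec policy lookup with the
    # rewritten source, which no longer matches LOCAL_NET -> REMOTE_NET, so
    # the packet would go out unencrypted via the default route. Exempt
    # tunnel traffic first, then masquerade the rest of the LAN.
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" -j MASQUERADE
}

# Emit the rule set as text regardless of how IPT is set (runs in a subshell).
dry_run_rules() {
    ( IPT="echo iptables"; ipsec_fw_rules )
}

# Sanity check: the ipsec exemption must come before the MASQUERADE rule in
# the nat POSTROUTING chain. Returns 0 when the order is right.
postrouting_exemption_first() {
    rules=$(dry_run_rules | grep -- '-t nat -A POSTROUTING')
    accept=$(printf '%s\n' "$rules" | grep -n -- '--pol ipsec -j ACCEPT' | cut -d: -f1)
    masq=$(printf '%s\n' "$rules" | grep -n -- '-j MASQUERADE' | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$masq" ] && [ "$accept" -lt "$masq" ]
}

# Number of iptables commands the rule set produces.
rule_count() {
    dry_run_rules | grep -c '^iptables '
}

ipsec_fw_rules
```

With the tunnel up, `ip xfrm policy` should list an out policy for 192.168.4.0/24 -> 192.168.13.0/24 and `iptables -t nat -L POSTROUTING -v -n` should show the exemption rule's counters increasing while the MASQUERADE counters stay flat for that traffic; if the policy is missing the problem is on the Openswan side rather than in netfilter.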