[Openswan Users] iptables rules, tunnel up network unreachable

Mitsue A Murakami mitsue at webcenter.com.br
Wed Jul 22 07:27:06 EDT 2015


Hi Björn,

You are totally right.

It is working now. Actually, the problem was caused by the SNAT rule. It 
was very silly of me to insert this rule.


Thank you very much for your help.


--
Mitsue

On 22-07-2015 06:21, Mittelsdorf, Björn wrote:
> Hi all,
>
> if I am not mistaken the SNAT rule is wrong.
>
> You must not SNAT the left network traffic to the public ip because only pakets originating from the private network enter the tunnel.
> In my cases I use a route (ip route ...) on the private network machines to reach the left tunnel end point. As soon as they reach the tunnel endpoint they are detected by IPsec and automatically pushed through the tunnel.
>
> Short version: Delete the last iptables rule :-)
>
> Best regards
>
> Bjoern
>
>
>> iptables -A INPUT -p udp --dport 500 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
>> iptables -A INPUT -p udp --dport 4500 -j ACCEPT
>>
>>
>> iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -d 192.168.13.0/24 -j
>> SNAT --to  (debian fw public IP)
>>
>> I forgot to mention that traceroute  shows that traffic is going to the
>> Internet, not through the tunnel.
>>
>>
>>
>> Regards,
>>
>>
>> --
>> Mitsue
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>>
>>
>> End of Users Digest, Vol 135, Issue 7
>> *************************************
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>



More information about the Users mailing list