[Openswan Users] I have a problem pinging from PC1 to PC2 in VPN site-to-site tunnel mode. Thanks
Nick Howitt
nick at howitts.co.uk
Mon Jun 20 11:25:08 EDT 2016
I would not SNAT traffic unless specifically required. Try:
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
Nick
On 20/06/2016 13:48, xue tao wrote:
> Hi,
> my network configuration is:
>
> private subnet 192.168.1.0/24                           private subnet 192.168.5.0/24
> PC1 ------ ONT1 <========IPSEC TUNNEL=========> ONT2 ------- PC2
>            135.251.199.83                       135.251.205.188
>
>
> I am setting up an IPsec tunnel on ONT1 and ONT2, and this tunnel seems
> to have been set up; on ONT1 I can see:
>
> [root at AONT: admin]# ipsec --version
> Linux Openswan U2.6.38/K3.4.11-rt19 (netkey)
>
> [root at AONT: admin]# ipsec setup status
> IPsec running - pluto pid: 6676
> pluto pid 6676
> 1 tunnels up
> some eroutes exist
>
> [root at AONT: admin]# ip xfrm policy
> src 192.168.1.0/24 dst 192.168.5.0/24 proto udp sport 1701 dport 1701
>         dir out priority 2344
>         tmpl src 135.251.199.83 dst 135.251.205.188
>                 proto esp reqid 16385 mode tunnel
> src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
>         dir fwd priority 2344
>         tmpl src 135.251.205.188 dst 135.251.199.83
>                 proto esp reqid 16385 mode tunnel
> src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
>         dir in priority 2344
>         tmpl src 135.251.205.188 dst 135.251.199.83
>                 proto esp reqid 16385 mode tunnel
> src ::/0 dst ::/0
>         socket out priority 0
>
> and here is my ipsec.conf
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
>         nat_traversal=yes
>         oe=off
>         protostack=netkey
>         plutostderrlog=/tmp/vpnerr.log
>         plutoopts="--interface=eth4"
>
> conn L2TP-PSK
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=Restart
>         rekey=yes
>         ikelifetime=8h
>         keylife=1h
>         type=tunnel
>         left=135.251.199.83
>         leftnexthop=%defaultroute
>         leftprotoport=17/1701
>         leftsubnet=192.168.1.0/24
>         right=135.251.205.188
>         rightprotoport=17/1701
>         rightsubnet=192.168.5.0/24
>
> Then I cannot access 192.168.5.x, and I followed some documents from the
> internet, adding iptables rules like:
> iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP
>
> but it does not work. When I add a route from my workmates:
> route add -net 192.168.5.0/24 ppp0
> I can ping 192.168.5.x, but the tcpdump data on ONT2 was not ESP, only
> ICMP packets. So this is not the correct way.
>
> Should I add other iptables rules or routes to allow PC1 to ping PC2?
> Any assistance will be greatly appreciated!
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
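As an added example (not from the thread, and not Openswan or iproute2 code), the script below parses the `ip xfrm policy` listing pasted in the question and checks which flows its selectors actually cover. Because the connection is defined with leftprotoport/rightprotoport=17/1701, the kernel policy only covers UDP 1701 to 1701 between the two subnets; an ICMP ping from PC1 to PC2 falls outside the selector and is forwarded in the clear, which is consistent with the tcpdump observation in the question. The same selector check is what iptables' `-m policy --dir out --pol ipsec` match performs when exempting covered traffic from SNAT, and a packet whose source has already been rewritten to the public address no longer matches the 192.168.1.0/24 selector. The sample policy text is copied from the thread; the host addresses 192.168.1.10 and 192.168.5.10 are assumed.

```python
"""Which flows does an `ip xfrm policy` listing actually protect?

Added illustration (not Openswan or iproute2 code). It parses the text format
printed by `ip xfrm policy` and emulates the selector check the kernel makes
when deciding whether a packet falls under an IPsec policy; this is also the
question iptables' `-m policy --dir out --pol ipsec` match answers.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Protocol names as iproute2 prints them, mapped to IP protocol numbers.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50}

# Constructed sample: the listing pasted in the thread (ONT1 side).
SAMPLE_XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.5.0/24 proto udp sport 1701 dport 1701
        dir out priority 2344
        tmpl src 135.251.199.83 dst 135.251.205.188
                proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
        dir fwd priority 2344
        tmpl src 135.251.205.188 dst 135.251.199.83
                proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
        dir in priority 2344
        tmpl src 135.251.205.188 dst 135.251.199.83
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        socket out priority 0
"""


@dataclass
class XfrmPolicy:
    src: IPNetwork
    dst: IPNetwork
    direction: str = ""                        # "in", "out" or "fwd"
    priority: int = 0                          # lower number is preferred
    proto: Optional[int] = None                # None: any protocol
    sport: Optional[int] = None                # None: any source port
    dport: Optional[int] = None                # None: any destination port
    socket: bool = False                       # per-socket policy, not for forwarded traffic
    tunnel: Optional[Tuple[str, str]] = None   # (local gateway, remote gateway)


def _proto_number(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return PROTO_NUMBERS[token] if token in PROTO_NUMBERS else int(token)


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` output into XfrmPolicy records."""
    policies: List[XfrmPolicy] = []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "src":
            # Selector line: "src A dst B [proto P] [sport N] [dport N] ..."
            kv = dict(zip(words[0::2], words[1::2]))
            policies.append(XfrmPolicy(
                src=ipaddress.ip_network(kv["src"], strict=False),
                dst=ipaddress.ip_network(kv["dst"], strict=False),
                proto=_proto_number(kv.get("proto")),
                sport=int(kv["sport"]) if "sport" in kv else None,
                dport=int(kv["dport"]) if "dport" in kv else None,
            ))
        elif words[0] in ("dir", "socket") and policies:
            # "dir out priority 2344" or "socket out priority 0"
            kv = dict(zip(words[0::2], words[1::2]))
            policies[-1].direction = kv[words[0]]
            policies[-1].priority = int(kv.get("priority", 0))
            policies[-1].socket = words[0] == "socket"
        elif words[0] == "tmpl" and policies:
            # "tmpl src <local gw> dst <remote gw>" names the tunnel endpoints
            kv = dict(zip(words[1::2], words[2::2]))
            policies[-1].tunnel = (kv["src"], kv["dst"])
    return policies


def covering_policy(policies: List[XfrmPolicy], src_ip: str, dst_ip: str, proto: int,
                    direction: str, sport: Optional[int] = None,
                    dport: Optional[int] = None) -> Optional[XfrmPolicy]:
    """Return the best-priority policy whose selector covers the flow, else None.

    Socket policies are skipped: they apply only to the socket that installed
    them (here pluto's IKE socket), never to forwarded LAN traffic.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for p in policies:
        if p.socket or p.direction != direction:
            continue
        if src not in p.src or dst not in p.dst:          # address-family mismatch also fails
            continue
        if p.proto is not None and p.proto != proto:
            continue
        if p.sport is not None and p.sport != sport:
            continue
        if p.dport is not None and p.dport != dport:
            continue
        if best is None or p.priority < best.priority:
            best = p
    return best


def explain(policies: List[XfrmPolicy], src_ip: str, dst_ip: str, proto: int,
            sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Describe what the outbound policy lookup does with a packet."""
    pol = covering_policy(policies, src_ip, dst_ip, proto, "out", sport, dport)
    if pol is None:
        return "cleartext (no matching xfrm out policy)"
    if pol.tunnel:
        return f"ESP tunnel {pol.tunnel[0]} -> {pol.tunnel[1]}"
    return "protected by xfrm policy"


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    print("PC1 ping PC2:       ", explain(pols, "192.168.1.10", "192.168.5.10", PROTO_NUMBERS["icmp"]))
    print("L2TP ONT1 -> ONT2:  ", explain(pols, "192.168.1.1", "192.168.5.1", 17, 1701, 1701))
    print("same, after SNAT:   ", explain(pols, "135.251.199.83", "192.168.5.1", 17, 1701, 1701))
```

Run it against a live box by replacing the constructed sample with the output of `ip xfrm policy`; any flow that comes back as cleartext is one the tunnel does not carry, regardless of how routing or NAT is arranged around it.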