
List:       openswan-users
Subject:    [Openswan Users] gateway to gateway problem
From:       Pixelib Team <service () pixelib ! com>
Date:       2005-05-27 15:22:32
Message-ID: 42973B38.BFE8F18F () pixelib ! com

Dear user,

I have had FreeS/WAN set up successfully for road warriors since last
year, but unfortunately I am now failing to set up a gateway-to-gateway
VPN connection.

Indeed, IPsec does get established, but it doesn't seem to work for packets
going between the subnets. Why can't packets cross between these two
subnets, 192.168.10.0 and 192.168.5.0?

/etc/ipsec.conf

config setup
 interfaces="ipsec0=eth0"
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 uniqueids=yes
 strictcrlpolicy=yes
 nat_traversal=yes

conn %default
 type=tunnel
 authby=rsasig
 leftcert=certs/freeswan.der
 leftrsasigkey=%cert
 leftprotoport=17/1701
 right=%any
 rightsubnet=vhost:%no,%priv
 rightrsasigkey=%cert
 rightprotoport=17/1701
 keyingtries=3
 auto=add
 pfs=no
 rekeymargin m
 rekeyfuzz=25%
 keylife=30m
 ikelifetime=30m
 disablearrivalcheck=no
 compress=yes

conn L5
 left=61.10.XXX.YYY
 leftnexthop=61.10.102.1
 leftsubnet=192.168.10.0/24
 leftid=61.10.XXX.YYY
 leftcert=certs/wahj.crt
 right=61.10.AAA.BBB
 rightnexthop=61.10.64.1
 rightsubnet=192.168.15.0/24
 rightid=61.10.AAA.BBB
 rightcert=certs/hwwong.crt

/etc/init.d/iptables

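# Firewall rules for the FreeS/WAN gateway (excerpt of /etc/init.d/iptables).
#
# EXTERNAL_INTERFACE, IPSECSG, FREESWANVI and LOCAL_INTERFACE_1 must already be
# set; their definitions are not part of this excerpt. An unset/empty value
# would otherwise produce rules with a missing argument, so fail loudly here,
# before anything is flushed.
: "${EXTERNAL_INTERFACE:?external interface name must be set}"
: "${IPSECSG:?IPsec gateway address must be set}"
: "${FREESWANVI:?FreeS/WAN virtual interface name must be set}"
: "${LOCAL_INTERFACE_1:?internal interface name must be set}"

# Start from empty chains. -F removes rules only; the chain policies are not
# touched here, so whatever policy is in force is what applies to traffic the
# rules below do not match.
iptables -F
iptables -F -t nat

# This makes sure that IP forwarding is turned on for networking.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disable IP spoofing protection to allow IPSEC to work properly
# NOTE(review): turning rp_filter off on eth0 removes the reverse-path check
# for every packet on that interface, not just IPsec; confirm it is needed on
# eth0 and not only on ipsec0. These paths are literal while the rules below
# use $FREESWANVI/$EXTERNAL_INTERFACE — keep them in agreement.
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) to and from the
# gateway address on the external interface. Expansions are quoted so an
# address or interface name is always passed as a single argument.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
  -d "$IPSECSG" --destination-port 500 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp \
  -s "$IPSECSG" --source-port 500 -j ACCEPT
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
  -d "$IPSECSG" --destination-port 4500 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp \
  -s "$IPSECSG" --source-port 4500 -j ACCEPT
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p 50 \
  -d "$IPSECSG" -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p 50 \
  -s "$IPSECSG" -j ACCEPT

# Allow all traffic to FreeS/WAN Virtual Interface
iptables -A INPUT -i "$FREESWANVI" -j ACCEPT
iptables -A OUTPUT -o "$FREESWANVI" -j ACCEPT

# Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
iptables -A FORWARD -i "$FREESWANVI" \
  -o "$EXTERNAL_INTERFACE" -j ACCEPT
iptables -A FORWARD -i "$EXTERNAL_INTERFACE" \
  -o "$FREESWANVI" -j ACCEPT

# Forward anything between the virtual interface and the internal interface
# (LOCAL_INTERFACE_1), subnet to subnet. No source/destination subnet is
# matched here, so everything decrypted on $FREESWANVI is forwarded inward.
iptables -A FORWARD -i "$FREESWANVI" \
  -o "$LOCAL_INTERFACE_1" -j ACCEPT
iptables -A FORWARD -i "$LOCAL_INTERFACE_1" \
  -o "$FREESWANVI" -j ACCEPT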

IPSec Established successfully
+ ipsec whack --name L5 --initiate
104 "L5" #13: STATE_MAIN_I1: initiate
003 "L5" #13: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

106 "L5" #13: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L5" #13: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "L5" #13: STATE_MAIN_I3: sent MI3, expecting MR3
004 "L5" #13: STATE_MAIN_I4: ISAKMP SA established
117 "L5" #14: STATE_QUICK_I1: initiate
004 "L5" #14: STATE_QUICK_I2: sent QI2, IPsec SA established


netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0
eth1
192.168.15.0    61.10.102.1     255.255.255.0   UG        0 0          0
ipsec0
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0
eth1
61.10.102.0     0.0.0.0         255.255.254.0   U         0 0          0
eth0
61.10.102.0     0.0.0.0         255.255.254.0   U         0 0          0
ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0
lo
0.0.0.0         61.10.102.1     0.0.0.0         UG        0 0          0
eth0


Kind regards,
Wah Jong


_______________________________________________
Users mailing list
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users
