
[Users] NAT & proxy arp & extruded IP ?

From: Don Hayward (don_at_mote.org)
Date: Mon May 06 2002 - 22:35:40 CEST


I'm getting ready to deploy a gateway in a remote field station. We want
the people there to come into our lan for resources there as well as
appear to the internet that they have come from us for other resources
available only to us. I also want to have access through the tunnel to
the gateway for admin. There will be a private lan at the station, nat'ed
by the gateway.

I've been trying to test the connection to a gateway on the same lan here
before deployment. ipsec look shows the tunnel is up. When pinging an
outside host, tcpdump shows ESP packets going from plansg to clansg, but
nothing coming out to the internet and no response. Pinging y.y.y.243
from outside gets no response.

I wonder if this behavior is due to the test connection through the local
lan and things will be ok when the system is deployed. It would be good
to know... the station is remote. If not, what do I need to do?

I would appreciate any observations on this construction.

Freeswan 1.96, Linux 2.4.17 & 2.4.18
This is the setup.
(plansg) dynamic/virtual on eth0:1
    192.168.0.1/x.x.x.x/y.y.y.243 y.y.y.1 y.y.y.244(clansg)
lan---nat+freeswan+virtualip--isp---isp---router---freeswan+proxyarp+nat
192.168.0.0

ipsec.conf on clansg:

config setup
        interfaces=%defaultroute
        plutoload=%search
        plutostart=%search
conn %default
        keyingtries=0
        disablearrivalcheck=no
        uniqueids=yes
conn plansg-clansg
        left=%any
        leftsubnet=y.y.y.243/32
        leftid=@plansg
        leftrsasigkey=0sAQPUSw2Ew0lCc................
        right=y.y.y.244
        rightsubnet=0.0.0.0/0
        rightid=@clansg
        rightrsasigkey=0sAQOHHnrafZaWM...............
        auto=start
        keyexchange=ike
        authby=rsasig
        lifetime=1h
        pfs=yes

Routing table on clansg: this is the testing ip on our lan
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
y.y.y.243       y.y.y.118       255.255.255.255 UGH   0      0   0   ipsec0
y.y.y.0         0.0.0.0         255.255.254.0   U     0      0   0   eth0
y.y.y.0         0.0.0.0         255.255.254.0   U     0      0   0   ipsec0
0.0.0.0         y.y.y.1         0.0.0.0         UG    0      0   0   eth0

proxy_arp=1
ip_forwarding=1
rp_filter=0

iptables:

mangle
Chain PREROUTING (policy DROP)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere

nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere MARK match 0x1 to:y.y.y.243

----------
Routing table on plansg
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         y.y.y.1         0.0.0.0         UG    40  0      0    eth0
0.0.0.0         y.y.y.1         128.0.0.0       UG    40  0      0    ipsec0
128.0.0.0       y.y.y.1         128.0.0.0       UG    40  0      0    ipsec0
y.y.y.0         0.0.0.0         255.255.254.0   U     40  0      0    eth0
y.y.y.0         0.0.0.0         255.255.254.0   U     40  0      0    ipsec0

(question -- what's 128.0.0.0 for?)

iptables:

nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Thanks again for any insight.

Don Hayward don_at_mote.org
Mote Marine Laboratory Voice: 941.388.4441 Cell: 941.302.4982
1600 Ken Thompson Parkway Fax: 941.388.4312
Sarasota, FL 34236 See: http://www.mote.org
Independent, non-profit, marine and estuarine research and education facility.
For PGP public key do: http://www.mote.org/~don/donpgp.asc
use "DISCLAIMER"; # We run Linux,Apache/mod_perl/mod_ssl/eperl,Mysql,DBI/DBD
Taxes feed the starving and clothe the naked.

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
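Added illustration, not part of Don's post or of FreeS/WAN itself: a longest-prefix-match lookup over the two routing tables he posted. It shows that the 0.0.0.0/1 and 128.0.0.0/1 entries on ipsec0 together cover every destination and, being more specific than the /0 default on eth0, win the lookup, and that the /32 for the extruded address on clansg beats the /23 LAN route. The 203.0.113.x addresses are constructed stand-ins for the post's y.y.y.x values.

```python
import ipaddress

# Constructed stand-in for the post's "y.y.y." block: 203.0.112.0/23 is a
# documentation range, not the author's real addresses.
# Entries are (destination network, gateway, interface) in the order
# "route -n" printed them in the post.
PLANSG_ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "eth0"),
    ("0.0.0.0/1",      "203.0.113.1", "ipsec0"),
    ("128.0.0.0/1",    "203.0.113.1", "ipsec0"),
    ("203.0.112.0/23", None,          "eth0"),
    ("203.0.112.0/23", None,          "ipsec0"),
]

CLANSG_ROUTES = [
    ("203.0.113.243/32", "203.0.113.118", "ipsec0"),
    ("203.0.112.0/23",   None,            "eth0"),
    ("203.0.112.0/23",   None,            "ipsec0"),
    ("0.0.0.0/0",        "203.0.113.1",   "eth0"),
]


def lookup(table, dst):
    """Return (network, gateway, iface) of the most specific route for dst.

    Longest prefix wins. Ties on prefix length go to the route listed first;
    that is a simplification of the kernel's tie-break, sufficient here
    because the duplicated /23 entries in the post have equal metrics.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for net, gw, iface in table:
        network = ipaddress.ip_network(net)
        if addr in network and network.prefixlen > best_len:
            best, best_len = (net, gw, iface), network.prefixlen
    return best


def iface_for(table, dst):
    """Interface a packet to dst would leave through, or None if unroutable."""
    route = lookup(table, dst)
    return route[2] if route else None


if __name__ == "__main__":
    # Both halves of the address space leave plansg via ipsec0, bypassing
    # the eth0 default; the LAN itself (where the IKE/ESP peer sits) stays on eth0.
    for dst in ("8.8.8.8", "198.51.100.7", "203.0.113.244"):
        print("plansg", dst, "->", lookup(PLANSG_ROUTES, dst))
    for dst in ("203.0.113.243", "203.0.113.118"):
        print("clansg", dst, "->", lookup(CLANSG_ROUTES, dst))
```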



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST