
[Users] Problem with routing from ipsec0 to eth1

From: Howard Ratzlaff (hratzlaff_at_usscript.com)
Date: Thu May 30 2002 - 03:14:55 CEST


Using Redhat 7.1 Kernel 2.4.9

192.168.3.0/24===64.113.193.66---64.113.193.65...63.207.250.1---63.207.250.66===192.168.1.0/24

Am able to route local net packets through the VPN tunnel. Tcpdump -i ipsec0
will show left entering and right emerging packets.

Problem is with routing from the ipsec0 to the eth1 (local net). Packets
emerging from the ipsec0 are not forwarded to the local net (destination).
Packet source is the left subnet and the destination is the right subnet.

Both servers are gateways and MASQ the private local net to the public
address.

Following is the relevant firewall file information.

EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE="eth1"
IPSEC_INTERFACE="ipsec0"

IPADDR="64.113.193.66"
IPADDR2="192.168.3.4"
LOCALNET="192.168.3.0/24"
IPSECNET="192.168.1.0/24"

    ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET -d ! $IPSECNET -j MASQ

# IPSEC
#----------------------------------------------------------------------
# IKE negotiations
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR 500 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 500 -j ACCEPT

# ESP encryption and authentication
    ipchains -A input -p 50 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A output -p 50 -i $EXTERNAL_INTERFACE -j ACCEPT
# Forwarding
# Note: in the forward chain, ipchains matches -i against the interface the
# packet will be sent out on, not the one it arrived on.
# handle packets emerging from IPsec
# ipsec+ means any of ipsec0, ipsec1, ...

    ipchains -A forward -s $IPSECNET -i $IPSEC_INTERFACE -j ACCEPT

# simple rule for outbound packets
    ipchains -A forward -d $IPSECNET -j ACCEPT

    #ipchains -A forward -d $IPSECNET -s $LOCALNET -j ACCEPT
    ipchains -A forward -d $LOCALNET -s $IPSECNET -i $LOCAL_INTERFACE -j ACCEPT
    ipchains -A forward -d $IPSECNET -s $LOCALNET -i $IPSEC_INTERFACE -j ACCEPT

# Unlimited traffic within the ipsec network.

    # All internal machines have access to the firewall machine.

    ipchains -A input -i $LOCAL_INTERFACE -d $LOCALNET -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE -s $IPSECNET -j ACCEPT

    ipchains -A input -i $IPSEC_INTERFACE -d $IPSECNET -j ACCEPT
    ipchains -A output -i $IPSEC_INTERFACE -s $LOCALNET -j ACCEPT

    ipchains -A input -s $IPSECNET -j ACCEPT
    ipchains -A output -d $IPSECNET -j ACCEPT

    ipchains -A input -i $LOCAL_INTERFACE -s $LOCALNET -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE -d $LOCALNET -j ACCEPT
#
Routing to the eth0 gateway using MASQ works
Routing to the ipsec0 from the eth1 local net works
Packets emerging from ipsec0 for the eth1 local net with source of the
sending local net are not routed.

Any ideas?

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
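The post above shows a rule set and a flow that does not forward. One way to check whether the chains themselves are what stops the tunnel-to-LAN traffic is to walk a packet through the three ipchains chains with the interface semantics ipchains actually uses: the input chain sees the receiving interface, the forward and output chains see the interface the packet will be sent out on. The script below is an added example, not code from the post or from FreeS/WAN. It transcribes the rules shown in the post with the shell variables expanded (eth0, eth1, ipsec0, 64.113.193.66), assumes a default policy of DENY on every chain (the post does not show the policies), ignores the MASQ source rewrite and any rules the post omits, and drives three constructed flows through the model: LAN to tunnel, tunnel to LAN, and a cleartext packet from the Internet aimed at the LAN.

```python
"""Walk constructed packets through a model of the ipchains rules in the post.

Model assumptions (not stated in the post): first match in a chain decides,
every chain's default policy is DENY, a forwarded packet traverses input,
forward, output in that order, MASQ rewriting is not modelled.
"""
import ipaddress
from dataclasses import dataclass

# Constructed transcription of the post's rules with variables expanded.
RULES_TEXT = """
forward -i eth0 -s 192.168.3.0/24 -d ! 192.168.1.0/24 -j MASQ
input   -i eth0 -p udp -d 64.113.193.66 500 -j ACCEPT
output  -i eth0 -p udp -s 64.113.193.66 500 -j ACCEPT
input   -p 50 -i eth0 -j ACCEPT
output  -p 50 -i eth0 -j ACCEPT
forward -s 192.168.1.0/24 -i ipsec0 -j ACCEPT
forward -d 192.168.1.0/24 -j ACCEPT
forward -d 192.168.3.0/24 -s 192.168.1.0/24 -i eth1 -j ACCEPT
forward -d 192.168.1.0/24 -s 192.168.3.0/24 -i ipsec0 -j ACCEPT
input   -i eth1 -d 192.168.3.0/24 -j ACCEPT
output  -i eth1 -s 192.168.1.0/24 -j ACCEPT
input   -i ipsec0 -d 192.168.1.0/24 -j ACCEPT
output  -i ipsec0 -s 192.168.3.0/24 -j ACCEPT
input   -s 192.168.1.0/24 -j ACCEPT
output  -d 192.168.1.0/24 -j ACCEPT
input   -i eth1 -s 192.168.3.0/24 -j ACCEPT
output  -i eth1 -d 192.168.3.0/24 -j ACCEPT
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Rule:
    chain: str
    target: str
    tests: list   # (field, value, negated) triples
    text: str


def parse_rules(text):
    """Parse the ipchains subset used above: -i, -s, -d [port], -p, -j, with '!' negation."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        chain, tests, target, i = tok[0], [], None, 1
        while i < len(tok):
            flag = tok[i]; i += 1
            negated = tok[i] == "!"
            if negated:
                i += 1
            value = tok[i]; i += 1
            if flag == "-j":
                target = value
            elif flag == "-i":
                tests.append(("iface", value, negated))
            elif flag in ("-s", "-d"):
                side = "src" if flag == "-s" else "dst"
                tests.append((side, ipaddress.ip_network(value, strict=False), negated))
                if i < len(tok) and tok[i].isdigit():      # positional port after the address
                    tests.append((side + "port", int(tok[i]), negated)); i += 1
            elif flag == "-p":
                tests.append(("proto", int(value) if value.isdigit() else PROTO_NUMBERS[value], negated))
        rules.append(Rule(chain, target, tests, " ".join(tok)))
    return rules


def rule_matches(rule, pkt):
    for fld, value, negated in rule.tests:
        if fld == "iface":
            # ipchains: input chain matches the receiving interface; forward and
            # output chains match the interface the packet is about to leave on.
            actual = pkt["in_iface"] if rule.chain == "input" else pkt["out_iface"]
            hit = actual == value
        elif fld in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[fld]) in value
        else:
            hit = pkt.get(fld) == value
        if hit == negated:
            return False
    return True


def walk_chain(rules, chain, pkt, policy="DENY"):
    """First matching rule in `chain` decides; returns (target, reason)."""
    for r in rules:
        if r.chain == chain and rule_matches(r, pkt):
            return r.target, r.text
    return policy, f"default policy of {chain} chain (assumed DENY)"


def forward_packet(rules, pkt):
    """Run a forwarded packet through input, forward, output; stop at the first DENY."""
    verdicts = {}
    for chain in ("input", "forward", "output"):
        target, why = walk_chain(rules, chain, pkt)
        verdicts[chain] = (target, why)
        if target == "DENY":
            break
    return verdicts


def packet(src, dst, in_iface, out_iface, proto=6, dstport=22):
    return {"src": src, "dst": dst, "in_iface": in_iface, "out_iface": out_iface,
            "proto": proto, "dstport": dstport}


# Constructed flows for the topology in the post: 192.168.3.0/24 behind eth1,
# 192.168.1.0/24 reached through ipsec0, eth0 facing the Internet.
FLOWS = {
    "lan_to_tunnel": packet("192.168.3.10", "192.168.1.20", "eth1", "ipsec0"),
    "tunnel_to_lan": packet("192.168.1.20", "192.168.3.10", "ipsec0", "eth1"),
    "cleartext_from_internet": packet("203.0.113.5", "192.168.3.10", "eth0", "eth1"),
}


def verdicts():
    rules = parse_rules(RULES_TEXT)
    return {name: forward_packet(rules, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name, chains in verdicts().items():
        print(name)
        for chain, (target, why) in chains.items():
            print(f"  {chain:8s} {target:7s} <- {why}")
```

Under these assumptions both tunnel directions reach an ACCEPT in all three chains, and the cleartext packet from the Internet is stopped in the input chain, so the excerpt as posted opens the LAN only via the tunnel. Note which forward rule the tunnel-to-LAN packet hits: the `-s 192.168.1.0/24 -i ipsec0` rule is passed over, because ipsec0 is the interface the packet arrived on and the forward chain compares against the outgoing one; the later rule naming eth1 is what accepts it. A model like this only tells you whether the chains would accept the packet; if they do, the next place to look is outside the filter (IP forwarding and the route for the local net), which this example does not cover.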



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:08 CEST