[Users] iptables SNAT - what rules for FreeS/WAN?

From: Whit Blauvelt (whit_at_transpect.com)
Date: Thu Aug 22 2002 - 18:18:21 CEST


20 hours after sending this, it hasn't come back via the list and isn't in
the archives. Since it establishes the context for two followups - only the
last of which made the archives yet - accept my apologies if this gets to
anyone as a duplicate. I assume the listserver has a problem.

----- Forwarded message from Whit Blauvelt <whit_at_transpect.com> -----

Date: Wed, 21 Aug 2002 16:17:14 -0400
From: Whit Blauvelt <whit_at_transpect.com>
To: users_at_lists.freeswan.org
Subject: iptables SNAT - what rules for FreeS/WAN?
User-Agent: Mutt/1.2.5i

Setting up 1.97 (because I'll need to use NAT-T), and following the recipe
for a net-to-net connection from the current snapshot docs (which are
getting much clearer - good work!), initiation looks good (this isn't
through a NAT yet):

# ipsec auto --up net-to-net
104 "net-to-net" #3: STATE_MAIN_I1: initiate
003 "net-to-net" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
106 "net-to-net" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #3: discarding duplicate packet; already STATE_MAIN_I2
003 "net-to-net" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: no NAT detected
108 "net-to-net" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "net-to-net" #3: discarding duplicate packet; already STATE_MAIN_I3
004 "net-to-net" #3: STATE_MAIN_I4: ISAKMP SA established
112 "net-to-net" #4: STATE_QUICK_I1: initiate
004 "net-to-net" #4: STATE_QUICK_I2: sent QI2, IPsec SA established

But then I can't ping from either subnet. Dang it. I'm sure I must have
iptables set up wrong, but haven't found a clear example of what the rules
should be for SNAT (not MASQ). Since I'm committed to SNAT at this point
(it's a lot more efficient, among other things), but don't have a clear
image of the relation of FreeS/WAN to the SNAT process, I'm not sure what's
wrong with the rules as I have them, which are based on MASQ examples:

This part seems fine, since the connection establishes okay:

   # allow IPsec
   #
   # IKE negotiations
   $INPUT -p udp --sport 500 --dport 500 -j ACCEPT
   iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
   # ESP encryption and authentication
   $INPUT -p 50 -j ACCEPT
   iptables -A OUTPUT -p 50 -j ACCEPT

Before invoking SNAT I have:

   # don't SNAT IPsec
   iptables -t nat -A POSTROUTING -o ipsec+ -j ACCEPT

Followed by the SNAT statement itself which exempts the remote subnet:

   iptables -t nat -A POSTROUTING -o $EXT_IFACE -s $INT_NET -d ! 192.168.1.0/24 -j SNAT --to $IP1

"ip route" (running iproute2) looks good since it includes:

   192.168.1.0/24 via 216.254.75.1 dev ipsec0

- or should that be showing a "via" which is not the public nexthop?

(This _might_ be complicated by the fact that the external, eth0 interfaces
at both ends are handling multiple real (not virtual - this is iproute2)
IPs. I don't think it should be, but mention it because FreeS/WAN might not
be expecting this situation.)

I'm missing something obvious - but not to me, and if the docs or list have
the answer or trouble-shooting methodology, I haven't found it yet. The
firewall logs aren't showing any drops here. Ideas?

Thanks,
Whit

----- End forwarded message -----
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
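As an added illustration (not part of the message above, and not FreeS/WAN or iptables code), the following models how the two nat/POSTROUTING rules quoted in the post are evaluated, so that one can trace which rule a given outgoing packet hits. The concrete values of $INT_NET, $IP1 and $EXT_IFACE, the remote gateway address and the sample packets are constructed assumptions; the ipsec0 interface name and 192.168.1.0/24 come from the post. The last sample shows the caveat of exempting a destination from SNAT: a cleartext packet to the remote subnet that the routing table happens to send out eth0 (for instance while the tunnel is down) is rewritten by neither rule and would leave with its private source address, so the filter table, not the nat table, has to decide whether such a packet may leave at all.

```python
# Added example (not from the post): a small model of the iptables
# nat/POSTROUTING chain quoted in the message, used to trace which rule
# a given outgoing packet hits. The $INT_NET, $IP1 and $EXT_IFACE values,
# the remote gateway address and the sample packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

INT_NET = ip_network("10.0.0.0/24")        # assumed value of $INT_NET
REMOTE_NET = ip_network("192.168.1.0/24")  # remote subnet from the post
IP1 = "216.254.75.10"                      # assumed value of $IP1 (SNAT address)
EXT_IFACE = "eth0"                         # assumed value of $EXT_IFACE


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "icmp", "tcp", "udp" or "esp"
    out_iface: str  # interface the routing decision chose


@dataclass
class Rule:
    out_iface: Optional[str] = None            # -o ; "ipsec+" is a prefix wildcard
    src_net: Optional[IPv4Network] = None      # -s
    not_dst_net: Optional[IPv4Network] = None  # -d ! (negated destination)
    target: str = "ACCEPT"                     # -j
    to: Optional[str] = None                   # --to for SNAT


def iface_matches(pattern: Optional[str], iface: str) -> bool:
    """iptables -o semantics: a trailing '+' matches any name with that prefix."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not iface_matches(rule.out_iface, pkt.out_iface):
        return False
    if rule.src_net is not None and ip_address(pkt.src) not in rule.src_net:
        return False
    if rule.not_dst_net is not None and ip_address(pkt.dst) in rule.not_dst_net:
        return False
    return True


# The two nat/POSTROUTING rules from the message, in the order they are appended:
#   iptables -t nat -A POSTROUTING -o ipsec+ -j ACCEPT
#   iptables -t nat -A POSTROUTING -o $EXT_IFACE -s $INT_NET -d ! 192.168.1.0/24 -j SNAT --to $IP1
POSTROUTING = [
    Rule(out_iface="ipsec+", target="ACCEPT"),
    Rule(out_iface=EXT_IFACE, src_net=INT_NET, not_dst_net=REMOTE_NET,
         target="SNAT", to=IP1),
]


def postrouting(pkt: Packet, chain=POSTROUTING) -> Tuple[str, str]:
    """Walk the chain; return (verdict, source address the packet leaves with).

    In the nat table ACCEPT ends traversal without rewriting the packet, and a
    packet that matches no rule falls through to the chain policy, also untouched.
    """
    for rule in chain:
        if rule_matches(rule, pkt):
            if rule.target == "SNAT":
                return "SNAT", rule.to
            return rule.target, pkt.src
    return "POLICY", pkt.src


if __name__ == "__main__":
    samples = [
        ("LAN host to remote subnet, routed into the tunnel",
         Packet("10.0.0.5", "192.168.1.7", "icmp", "ipsec0")),
        ("LAN host to the Internet",
         Packet("10.0.0.5", "198.51.100.20", "tcp", EXT_IFACE)),
        ("ESP packet emitted by the gateway itself",
         Packet(IP1, "203.0.113.9", "esp", EXT_IFACE)),
        ("LAN host to remote subnet with no tunnel route (leaves in clear, un-NATed)",
         Packet("10.0.0.5", "192.168.1.7", "icmp", EXT_IFACE)),
    ]
    for label, pkt in samples:
        verdict, src = postrouting(pkt)
        print(f"{label}: {verdict}, leaves with src {src}")
```

Run it as-is to print the trace for the four constructed packets; the ESP packet originated by the gateway carries the gateway's own public address as source, so it is outside $INT_NET and is never SNATed by the second rule regardless of order.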



This archive was generated by hypermail 2.1.4 : Fri Aug 23 2002 - 00:20:21 CEST