Re: [Users] Nat traversal problem

From: mlafon_at_arkoon.net
Date: Mon Sep 16 2002 - 17:52:18 CEST

Next message: Jorge: "Re: [Users] Nat traversal problem"
Previous message: Dominique Blas: "Re: [Users] nat_traversal=yes between 2 freeswan => master is DEAF to IKE nego"
Maybe in reply to: Jorge: "[Users] Nat traversal problem"
Next in thread: Jorge: "Re: [Users] Nat traversal problem"
Reply: Jorge: "Re: [Users] Nat traversal problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

You must not masq your vpn traffic.

Add theses lines before the others :
$IPCHAINS -A forward -j ACCEPT -i eth2 -s $IPLAN1/$MASKLAN1 -d 192.168.1.0/24
$IPCHAINS -A forward -j ACCEPT -i eth2 -s $IPLAN2/$MASKLAN2 -d 192.168.1.0/24
$IPCHAINS -A forward -j ACCEPT -i eth3 -s $IPLAN1/$MASKLAN1 -d 192.168.1.0/24
$IPCHAINS -A forward -j ACCEPT -i eth3 -s $IPLAN2/$MASKLAN2 -d 192.168.1.0/24

-- Math.

"Jorge" <jcastellet_at_infalsys.es> le 16/09/2002 17:39:55

Pour : Mathieu Lafon/Arkoon cc : lists_at_users.freeswan.org

Objet : Re: [Users] Nat traversal problem

Networks behind Linux Box are nated, this is the block diagram:

I use ipchains in kernel 2.2.19 on a debian Box.

But rules on forward are ok(ż?):

$IPCHAINS -A forward -j ACCEPT -i ipsec0 -l

$IPCHAINS -A forward -j MASQ -i eth2 -s $IPLAN1/$MASKLAN1
$IPCHAINS -A forward -j MASQ -i eth2 -s $IPLAN2/$MASKLAN2
$IPCHAINS -A forward -j MASQ -i eth3 -s $IPLAN1/$MASKLAN1
$IPCHAINS -A forward -j MASQ -i eth3 -s $IPLAN2/$MASKLAN2

$IPCHAINS -A forward -j ACCEPT -l

Regard,
Jorge

----- Original Message -----
From: <mlafon_at_arkoon.net>
To: "Jorge" <jcastellet_at_infalsys.es>
Cc: <users_at_lists.freeswan.org>
Sent: Monday, September 16, 2002 5:24 PM
Subject: Re: [Users] Nat traversal problem

>
>
>
> > IP: ihl:20 ver:4 tos:0 tlen:84 id:39363 frag_off:0 ttl:64 proto:1
(ICMP)
> > chk:62425 saddr:W.X.Y.Z daddr:192.168.1.101 type:code=8:0
> > ipsec_findroute: W.X.Y.Z->192.168.1.101
>
> Why does your ping comes from W.X.Y.Z and not from 192.168.10.xx. Are you
> masquerading this connection ?
>
> The ping comes from an host behind your freeswan, isn't it ?
>
> --
> Math.
>
>
>
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Jorge: "Re: [Users] Nat traversal problem"
Previous message: Dominique Blas: "Re: [Users] nat_traversal=yes between 2 freeswan => master is DEAF to IKE nego"
Maybe in reply to: Jorge: "[Users] Nat traversal problem"
Next in thread: Jorge: "Re: [Users] Nat traversal problem"
Reply: Jorge: "Re: [Users] Nat traversal problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Sep 17 2002 - 05:20:06 CEST