Re: [Users] packets don't know how to leave the gw

From: Nico Baggus (mlfreeswan_at_noci.xs4all.nl)
Date: Thu Nov 28 2002 - 20:57:42 CET


On Thursday 28 November 2002 08:31, Sam Sgro wrote:
> On Wed, 27 Nov 2002, Vicente Vives wrote:
> > Hi. I have a problem in my freeswan gw.
> > Packets arrive at the gw but they don't know how to leave the gw:
> > example, in /var/log/message:
> > Nov 26 17:29:45 gateway kernel: VPN :IN=eth0 OUT=
> > MAC=00:00:00:00:00:00:00:c0:49:44:ec:13:08:00 SRC=warrior_ip
> > DST=gw_external_ip LEN=84 TOS=0x00 PREC=0x00 TTL=115 ID=14561 PROTO=UDP
> > SPT=500 DPT=500 LEN=64
> > where IN=public iface and OUT=should be private iface but it's empty.
>
> Why should OUT be the private interface? If this is a negotiation attempt,
> then the Roadwarrior means to communicate with the gw's external IP. If
> this is the first packet in a negotiation attempt, it certainly seems
> reasonable.
>
If you mean to have the packets go to an inside interface, then you need to
add NAT rules that alter the destination address as soon as the packets come
in (DNAT rules...).

BTW the rules supplied don't log anything, so there is probably something missing
still.

IN= is filled in on packets destined FOR the system,
OUT= is filled in on packets leaving the system,
IN= & OUT= are both filled in on packets that pass through the system.

Just look up more examples on firewalls (google for iptables) if you want to
build one. A usable tool to build rulesets is f.e. fwbuilder (sourceforge).

> Do you see any log messages that indicate FreeS/WAN receives this
> initiation attempt?
>
> > Yesterday I made this question to the #freeswan irc channel and some
> > people told me that the problem could be the firewall rules.
> > I think firewall rules are correct:
> > $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> > $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> > $IPTABLES -A INPUT -p 50 -j ACCEPT
> > $IPTABLES -A OUTPUT -p 50 -j ACCEPT
> > $IPTABLES -A INPUT -p 51 -j ACCEPT
> > $IPTABLES -A OUTPUT -p 51 -j ACCEPT
> > $IPTABLES -A FORWARD -d $IF_LAN -i ipsec+ -j ACCEPT
> > and somebody suggested to me:
> > $IPTABLES -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
> > and there is not any other rule which can drop freeswan packets to/from
> > gateway.
> > This morning I asked this question on the channel and someone told me to
> > modify iptables to not drop anything (everything was accepted) but
> > it didn't work.
> > Do you have any suggestion?

Kind regards,
Nico
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
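As an added illustration of the IN=/OUT= rule Nico gives above (example code written for this archive page; it is not from the thread or from the FreeS/WAN project): a small Python parser for iptables LOG lines that classifies each line as input (destined for the host), output (generated by the host) or forward (passing through), and tags IKE (UDP/500), ESP (protocol 50) and AH (protocol 51) so that a ruleset's logging can be checked quickly. The first sample line is the one quoted in the thread, with its warrior_ip/gw_external_ip placeholders; the other three lines are constructed for this example. The quoted packet comes out as "input", which is why OUT= is empty: it is IKE addressed to the gateway itself, not traffic to be forwarded.

```python
import re
from typing import Optional

# Sample kernel LOG lines. Line 1 is the one quoted in the thread (placeholder
# addresses as posted); lines 2-4 are constructed here for illustration.
SAMPLE_LOG = """\
Nov 26 17:29:45 gateway kernel: VPN :IN=eth0 OUT= MAC=00:00:00:00:00:00:00:c0:49:44:ec:13:08:00 SRC=warrior_ip DST=gw_external_ip LEN=84 TOS=0x00 PREC=0x00 TTL=115 ID=14561 PROTO=UDP SPT=500 DPT=500 LEN=64
Nov 26 17:29:46 gateway kernel: VPN :IN= OUT=eth0 SRC=gw_external_ip DST=warrior_ip LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=64
Nov 26 17:30:02 gateway kernel: VPN :IN=ipsec0 OUT=eth1 SRC=192.0.2.10 DST=10.1.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 26 17:30:05 gateway kernel: VPN :IN=eth0 OUT= SRC=warrior_ip DST=gw_external_ip LEN=120 TOS=0x00 PREC=0x00 TTL=115 ID=14570 PROTO=ESP SPI=0x12345678
"""

# KEY=value pairs as written by the iptables LOG target. Bare flags such as
# DF or SYN carry no '=' and are ignored; an empty value (OUT=) is kept so
# the direction test can see that the field is present but blank.
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> dict:
    """Return the KEY=value fields of one LOG line as a dict.

    LEN occurs twice (IP total length, then UDP/ICMP payload length): the
    first is stored under LEN, the second under LEN2.
    """
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if key in fields:
            key = key + "2"
        fields[key] = value
    return fields


def direction(fields: dict) -> str:
    """Classify by which of IN= / OUT= is filled in (the rule from the thread)."""
    has_in = bool(fields.get("IN"))
    has_out = bool(fields.get("OUT"))
    if has_in and has_out:
        return "forward"   # passing through the system
    if has_in:
        return "input"     # destined for the system itself
    if has_out:
        return "output"    # generated by the system
    return "unknown"


def ipsec_kind(fields: dict) -> Optional[str]:
    """Tag IKE, ESP or AH traffic; None for anything else."""
    proto = fields.get("PROTO", "")
    if proto in ("ESP", "50"):
        return "ESP"
    if proto in ("AH", "51"):
        return "AH"
    if proto == "UDP" and "500" in (fields.get("SPT"), fields.get("DPT")):
        return "IKE"
    return None


def summarize(log_text: str) -> list:
    """One summary dict per LOG line: direction, IPsec tag, addresses, interfaces."""
    rows = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if "IN" not in f and "OUT" not in f:
            continue  # not an iptables LOG line
        rows.append({
            "direction": direction(f),
            "ipsec": ipsec_kind(f),
            "src": f.get("SRC"), "dst": f.get("DST"),
            "in": f.get("IN", ""), "out": f.get("OUT", ""),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"{row['direction']:8} {row['ipsec'] or '-':4} "
              f"{row['src']} -> {row['dst']}  IN={row['in']} OUT={row['out']}")
```

Running the block prints one line per log entry; the thread's packet shows as `input IKE warrior_ip -> gw_external_ip IN=eth0 OUT=`, matching Sam's reading that the first IKE packet is addressed to the gateway's external IP and never enters the FORWARD chain.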



This archive was generated by hypermail 2.1.5 : Fri Nov 29 2002 - 05:21:11 CET