Hi, I'm running IPSEC on a SuSE 7.2, and very important is that you do NOT masquerade your non-public IP address range if the destination is a non-public IP address range! For me it was the command as follows:

    iptables -t nat -A POSTROUTING -o eth1 -d \! 192.168.0.0/16 -j MASQUERADE

Source: http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/faq.html#masq.faq

Hope that helps a bit...

Greetings
Kai
On Wednesday 03 July 2002 19.36, Stefan Nowak wrote:
Stefan Nilsen wrote:
My /etc/sysconfig/SuSEfirewall2 config (only diffs from /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf):
-----------------
FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
I'm not sure, but have a look at your masquerading device - if I understood it right, you may be trying to masquerade ipsec0 and not eth0 ... ?
I ping 192.168.1.10 from 192.168.3.10
When I use FW_MASQ_DEV="ipsec0" on the left GW I get the following on the right GW:
-----------
Jul 3 19:38:48 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=55823 SEQ=256
------------
When I use the default FW_MASQ_DEV="$FW_DEV_EXT" (or FW_MASQ_DEV="eth0 ipsec0") on the left GW I get the following on the right GW:
------------
Jul 3 19:39:47 xpfwl kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=ipsec0 OUT= MAC=00:c0:df:11:1b:c4:00:00:e8:43:ce:a3:08:00 SRC=194.194.194.200 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=57359 SEQ=256
-------------
I thought it was like this:
Internal net --> eth1 --> BOX --> ipsec0 --> Tunnel --> eth0 --> Router ...?!
Any ideas?
No, sorry. It looks correct.
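The two kernel log lines quoted above already show the symptom Kai's rule is meant to prevent: packets arriving on the right gateway's ipsec0 carry the left gateway's public address (194.194.194.200) as SRC instead of the internal host 192.168.3.10, so the internal net was masqueraded before the traffic entered the tunnel. The following is an added example, not code from anyone in this thread, that parses SuSE-FW log lines of that shape, flags tunnel packets whose source is public while the destination is private, and models the destination-exclusion MASQUERADE rule from Kai's post. The third sample line and the `masquerade_applies` helper are constructed for illustration; only the first two lines are taken from the thread.

```python
import ipaddress
import re

# Sample lines: the first two are the log lines quoted in the thread, the third is a
# constructed "healthy" line showing an internal host reaching the tunnel unmasqueraded.
SAMPLE_LOGS = [
    "Jul 3 19:38:48 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 "
    "SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=55823 SEQ=256",
    "Jul 3 19:39:47 xpfwl kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=ipsec0 OUT= "
    "MAC=00:c0:df:11:1b:c4:00:00:e8:43:ce:a3:08:00 SRC=194.194.194.200 DST=192.168.1.200 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=57359 SEQ=256",
    # constructed: what the same ping should look like once masquerading is excluded
    "Jul 3 19:40:01 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 "
    "SRC=192.168.3.10 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

# "kernel: <SuSE-FW-prefix> KEY=value KEY=value ..."
LINE_RE = re.compile(r"kernel:\s+(?P<prefix>SuSE-FW-\S+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # flag tokens like "DF" carry no "=" and are skipped


def parse_fw_line(line):
    """Return the KEY=value fields of one SuSE-FW kernel log line, or None if it is not one.

    ID= occurs twice (IP header ID, then ICMP ID); the first occurrence is kept.
    An empty value such as OUT= is preserved as an empty string."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        fields.setdefault(key, value)
    return fields


def is_private(addr):
    return ipaddress.ip_address(addr).is_private


def classify(fields, tunnel_ifaces=("ipsec0",)):
    """Judge one parsed line from the receiving gateway's point of view.

    A packet that comes out of the IPsec tunnel with a public SRC but a private DST
    means the sending side NATed its internal net before encryption: exactly the
    misconfiguration the thread is about."""
    if fields is None or "SRC" not in fields or "DST" not in fields:
        return "unparsed"
    if fields.get("IN") not in tunnel_ifaces:
        return "not-tunnel"
    src_private = is_private(fields["SRC"])
    dst_private = is_private(fields["DST"])
    if dst_private and not src_private:
        return "masqueraded-before-ipsec"
    if src_private and dst_private:
        return "private-to-private"
    return "other"


def audit(lines, tunnel_ifaces=("ipsec0",)):
    """Classify every line; returns a list of (verdict, fields) pairs."""
    return [(classify(parse_fw_line(l), tunnel_ifaces), parse_fw_line(l)) for l in lines]


# Model of Kai's fix:  iptables -t nat -A POSTROUTING -o eth1 -d ! 192.168.0.0/16 -j MASQUERADE
EXCLUDED_DST = ipaddress.ip_network("192.168.0.0/16")


def masquerade_applies(dst, out_dev, masq_dev="eth1", excluded=EXCLUDED_DST):
    """True if the modelled POSTROUTING rule would MASQUERADE a packet leaving on
    out_dev towards dst: only on the masquerading device, and only when the
    destination lies outside the excluded private range."""
    return out_dev == masq_dev and ipaddress.ip_address(dst) not in excluded


if __name__ == "__main__":
    for verdict, f in audit(SAMPLE_LOGS):
        print(f"{verdict:26s} {f['PREFIX']:30s} SRC={f['SRC']} DST={f['DST']}")
    print("tunnel ping masqueraded?", masquerade_applies("192.168.1.10", "eth1"))
    print("internet traffic masqueraded?", masquerade_applies("203.0.113.5", "eth1"))
```

Run against the two quoted lines, both come back as `masqueraded-before-ipsec`, which is the hint to look at the POSTROUTING rule on the sending gateway rather than at the receiving gateway's filter rules; the constructed third line, with a private SRC, is classified `private-to-private`. The `masquerade_applies` model shows why the destination exclusion matters: the ping to 192.168.1.10 is left alone, while traffic to a public address leaving eth1 is still masqueraded.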