Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] free/SWAN and SuSEfirewall2 (iptables)
  • From: "Bernhard Held" <bheld@xxxxxxx>
  • Date: Mon, 9 Sep 2002 16:02:40 +0200
  • Message-id: <01d001c25809$917662c0$58061bac@xxxxxxx>
> The Subnet between inner-router and firewall has the
> range 192.168.51.0/24.

> ...

> Destination Gateway Genmask Flags MSS Window irtt Iface
> 0.0.0.0 195.90.31.254 0.0.0.0 UG 40 0 0 eth0
> 193.159.64.92 190.91.41.254 255.255.255.255 UGH 40 0 0 ipsec0
> 190.91.41.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
> 190.91.41.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec0

I can't find a route to the "inner router" in the subnet 192.168.51.0/24
given above. Can you ping the hosts in 192.168.0.0/16 from the firewall? If
not, then it won't be possible through the VPN.

> up-client:)
> # connection to my client subnet coming up
> # If you are doing a custom version, firewall commands go here.
> iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
> iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

Did you configure the left/right-protoports in ipsec.conf?
Maybe you can post your ipsec.conf.

`iptables -L -nv` shows the packet counters of the rules, so you can check
whether the rules are hit.

tcpdump is always a big help to see whether packets leave or arrive at your
firewall.

Bernhard
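The counter check suggested above, as an added example that is not part of the original mail: a small POSIX shell helper that reads the output of `iptables -L FORWARD -nvx` and reports whether the FORWARD rules for a pair of VPN client subnets have matched any packets. The subnets and the sample counter output are constructed; `-x` is assumed so the pkts column is an exact number rather than an abbreviated "12K".

```shell
#!/bin/sh
# Added example (not from the original thread): check the FORWARD rule
# counters that `iptables -L FORWARD -nvx` prints for a VPN subnet pair.

# Usage: iptables -L FORWARD -nvx | vpn_rule_hits MY_NET PEER_NET
# Prints one line per rule whose source/destination are the two subnets
# (in either direction) and returns 0 if any of them has a non-zero packet
# counter, 1 otherwise (also 1 if no such rule exists at all).
vpn_rule_hits() {
    my_net="$1"
    peer_net="$2"
    awk -v a="$my_net" -v b="$peer_net" '
        # columns: pkts bytes target prot opt in out source destination
        NR > 2 && (($8 == a && $9 == b) || ($8 == b && $9 == a)) {
            printf "%s: %s -> %s  %s packets\n", $3, $8, $9, $1
            if ($1 + 0 > 0) hits++
        }
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Constructed sample of `iptables -L FORWARD -nvx` output: the rule from the
# peer subnet to the local subnet has seen traffic, the reverse one has not.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 15 packets, 900 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  *      *       192.168.51.0/24      10.0.0.0/24
      42       3528 ACCEPT     all  --  *      *       10.0.0.0/24          192.168.51.0/24
     100       8000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

main() {
    if printf '%s\n' "$SAMPLE_FORWARD" | vpn_rule_hits 192.168.51.0/24 10.0.0.0/24; then
        echo "VPN forward rules are being hit"
    else
        echo "no packets matched the VPN forward rules: check routes and ipsec.conf"
    fi
}

main
```

A rule that is listed but stays at 0 packets in one direction only, as in the sample, usually points at a routing problem on that side rather than at the firewall rules themselves.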
