
Re: [Users] Problems with NAT and IPSEC

From: Sascha Runschke <Sascha.Runschke(at)phinware.de>
Date: Fri Sep 26 2003 - 05:37:22 EDT

> I understand that this is telling me that I do not have my iptables

You made a mistake here.
-A POSTROUTING -o eth1 -d 172.16.0.0/12 matches all packets that go to 172.16/12 over eth1. Well, there are exactly none of those. All packets to 172.16/12 go over the virtual interface ipsec0 first and get encapsulated into IP proto 50 over eth1, so the kernel can't see them anymore.

So the rule has to look like:

iptables -t nat -A POSTROUTING -o ipsec0 -s 10.146.135.0/24 \
        -d 172.16.0.0/12 -j ACCEPT

This kinda breaks though if ipsec0 is not available at that time. I advise letting FreeS/WAN handle the firewall rules. See below.

> Is far as I've been able to tell, this tells the iptables to

Nope, as already explained above.


> conn tunnel-1
> type=tunnel
> keyingtries=0
> left=24.247.119.74
> leftsubnet=10.146.135.0/24
> leftnexthop=24.247.116.1
> right=204.146.136.1
> rightsubnet=10.146.136.0/24

Add a

        leftfirewall=yes

to your connections (or right, depending on where the FreeS/WAN resides). Then FreeS/WAN will add the ACCEPT rule to the firewall so the packets don't get NATed.

regards

        sash

-- 
Sascha Runschke
IT Services Department
phinware AG
D-40237 Düsseldorf, Grafenberger Allee 125

phinfon: +49 (0)211 16686-514	phinmail: sascha.runschke@phinware.de
phinfax: +49 (0)211 16686-666	phinweb: http://www.phinware.de
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
Received on Fri Sep 26 05:48:05 2003
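The reply's point is that a nat POSTROUTING rule keyed on -o eth1 never sees tunnel traffic, because the kernel routes packets for 172.16/12 to the virtual ipsec0 interface and only the ESP encapsulation leaves via eth1. The following Python model is an added example, not code from the post or from FreeS/WAN: it parses the two POSTROUTING rules from the thread in iptables syntax, does a longest-prefix route lookup to decide the outgoing interface, and evaluates the chain first-match, so you can see the -o eth1 rule fall through to MASQUERADE while the -o ipsec0 rule does not. The routing table, the packets and the MASQUERADE rule (the original poster's own is not quoted, so a LAN-wide masquerade with no -o restriction is assumed) are constructed for the example.

```python
"""First-match model of nat POSTROUTING for the FreeS/WAN (KLIPS) case.
Constructed example; not part of the mailing-list post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed routing table of the gateway: the remote tunnel subnet is routed to
# the virtual ipsec0 interface; everything else goes straight out eth1.
ROUTES = [("172.16.0.0/12", "ipsec0"), ("0.0.0.0/0", "eth1")]


@dataclass
class Rule:
    target: str
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None


@dataclass
class Packet:
    src: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread: -o, -s, -d, -j.
    A trailing backslash continuation is tolerated; -t/-A only pick the chain."""
    toks = [t for t in line.split() if t != "\\"]
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    rule = Rule(target="ACCEPT")
    for flag, val in zip(toks[0::2], toks[1::2]):
        if flag == "-o":
            rule.out_if = val
        elif flag == "-s":
            rule.src = ipaddress.ip_network(val, strict=False)
        elif flag == "-d":
            rule.dst = ipaddress.ip_network(val, strict=False)
        elif flag == "-j":
            rule.target = val
    return rule


def out_interface(dst: str) -> str:
    """Longest-prefix lookup; this is the interface a POSTROUTING -o test sees."""
    addr = ipaddress.ip_address(dst)
    best_len, best_if = -1, "eth1"
    for cidr, ifname in ROUTES:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, ifname
    return best_if


def rule_matches(rule: Rule, pkt: Packet, oif: str) -> bool:
    if rule.out_if is not None and rule.out_if != oif:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def nat_decision(chain: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; the chain policy (ACCEPT, i.e. no NAT) applies
    when nothing matches, so rule order matters."""
    oif = out_interface(pkt.dst)
    for rule in chain:
        if rule_matches(rule, pkt, oif):
            return rule.target
    return "ACCEPT"


# Assumed masquerade rule (the poster's exact rule is not shown in the thread).
MASQ = "iptables -t nat -A POSTROUTING -s 10.146.135.0/24 -j MASQUERADE"

# "Before": the poster's ACCEPT keyed on eth1.
BROKEN_CHAIN = [parse_rule(r) for r in (
    "iptables -t nat -A POSTROUTING -o eth1 -d 172.16.0.0/12 -j ACCEPT",
    MASQ,
)]

# "After": the ACCEPT keyed on ipsec0, as the reply suggests.
FIXED_CHAIN = [parse_rule(r) for r in (
    "iptables -t nat -A POSTROUTING -o ipsec0 -s 10.146.135.0/24 \\ -d 172.16.0.0/12 -j ACCEPT",
    MASQ,
)]

# Constructed packets: LAN host to the remote tunnel subnet, and to the Internet.
TUNNEL_PKT = Packet("10.146.135.10", "172.16.5.5")
INTERNET_PKT = Packet("10.146.135.10", "198.51.100.7")

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        for label, pkt in (("tunnel", TUNNEL_PKT), ("internet", INTERNET_PKT)):
            print(f"{name:6} {label:8} out={out_interface(pkt.dst):6} "
                  f"-> {nat_decision(chain, pkt)}")
```

Two things the model makes visible that the thread only states: the "broken" ACCEPT never matches the tunnel packet because its outgoing interface is ipsec0, so MASQUERADE rewrites the inner source address before encapsulation; and in the "fixed" chain the ACCEPT only works because it precedes MASQUERADE, which is also why the reply prefers leftfirewall=yes, since FreeS/WAN inserts its rule at the right point when the tunnel actually comes up rather than at boot, when ipsec0 may not exist yet.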

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:33 EDT

