This is a discussion on IPSEC tunnel problem within the Linux Networking forums, part of the Linux Forums category.
Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
Linux box with Debian Sarge. The IPsec tunnel goes up, and if I try to ping from the Netgear to every machine of the Linux LAN it works. But if I ping from the Linux LAN to the Netgear's LAN it doesn't work.

I have configured the Netgear with 192.168.1.254/24 as LAN address and 88.XX.XX.106/28 as WAN address.

This is the configuration of the Linux server:

    eth0      Link encap:Ethernet  HWaddr 00:00:1C:00:08:8A
              inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: fe80::200:1cff:fe00:88a/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:88149 errors:1 dropped:0 overruns:0 frame:0
              TX packets:87570 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:13353060 (12.7 MiB)  TX bytes:62792483 (59.8 MiB)
              Interrupt:12 Base address:0xc400

    eth1      Link encap:Ethernet  HWaddr 00:05:1C:04:75:FE
              inet addr:195.XX.XX.153  Bcast:195.XX.XX.255  Mask:255.255.255.0
              inet6 addr: fe80::205:1cff:fe04:75fe/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:115218 errors:0 dropped:0 overruns:0 frame:0
              TX packets:77161 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:72403824 (69.0 MiB)  TX bytes:13581805 (12.9 MiB)
              Interrupt:10 Base address:0xc800

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:117810 (115.0 KiB)  TX bytes:117810 (115.0 KiB)

    remote 88.XX.XX.106 {
            exchange_mode main;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group modp768;
            }
            peers_identifier address "88.XX.XX.106";
            verify_identifier on;
    }

    sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any {
            pfs_group modp768;
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
    }

    spdadd 0.0.0.0/0[any] 192.168.1.0/24[any] any -P out ipsec
            esp/tunnel/195.XX.XX.153-88.XX.XX.106/require;
    #
    spdadd 192.168.1.0/24[any] 0.0.0.0/0[any] any -P in ipsec
            esp/tunnel/88.XX.XX.106-195.XX.XX.153/require;
    #

    # Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
    *nat
    :PREROUTING ACCEPT [2245:134953]
    :POSTROUTING ACCEPT [166:46968]
    :OUTPUT ACCEPT [149:45271]
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.1:1723
    -A PREROUTING -i eth1 -p gre -j DNAT --to-destination 192.168.0.1
    -A PREROUTING -i eth1 -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.0.131:60001
    -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
    COMMIT
    # Completed on Tue Mar 18 17:54:20 2008
    # Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
    *filter
    :INPUT ACCEPT [6153:1121189]
    :FORWARD ACCEPT [50:7016]
    :OUTPUT ACCEPT [4820:760457]
    -A FORWARD -s 192.168.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Tue Mar 18 17:54:20 2008

Can someone help me??
Hello,

Sandro wrote:
> Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
> Linux box with Debian Sarge.
> The IPsec tunnel goes up, and if I try to ping from the Netgear to every
> machine of the Linux LAN it works. But if I ping from the Linux LAN to
> the Netgear's LAN it doesn't work.
[...]
> -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE

You should exclude the IPsec traffic (both encapsulated and decapsulated) from the masquerading:

    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
        -d ! 192.168.1.0/24 -j MASQUERADE

PS: if eth1 has a fixed IP address you could use SNAT instead of MASQUERADE.
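The mechanism behind the reply, as an added example that is not part of the thread or of either poster's configuration: the original MASQUERADE rule rewrites the source address of LAN packets bound for 192.168.1.0/24 to eth1's address before they are encapsulated, so they no longer fall inside the 192.168.0.0/24 <-> 192.168.1.0/24 selectors negotiated for the tunnel and are not sent through it. The script below generates the nat table with the exclusion in place and generalises the reply's single "! -d" rule to any number of remote IPsec subnets (one ACCEPT per subnet ahead of the NAT rule), plus the SNAT variant from the PS. The function names, the second remote subnet 192.168.2.0/24 and the fixed address 203.0.113.153 are this example's own assumptions; the interface and LAN addresses are the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the nat table for a Linux
# gateway that masquerades its LAN out of the WAN interface but leaves traffic
# for the remote IPsec subnet(s) un-NATed, so those packets keep a LAN source
# address and still match the tunnel's subnet-to-subnet selectors.
#
# Usage: ipsec_nat_rules LAN_CIDR WAN_IF WAN_IP REMOTE_CIDR [REMOTE_CIDR ...]
# WAN_IP "-" selects MASQUERADE (dynamic address); a fixed address selects
# SNAT, as the reply's PS suggests. Function and argument names are assumed.
ipsec_nat_rules() {
    lan=$1
    wan_if=$2
    wan_ip=$3
    shift 3

    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]'

    # One ACCEPT per remote subnet, placed BEFORE the NAT rule. In the nat
    # table ACCEPT ends chain traversal for that connection, so it is never
    # masqueraded. A single "! -d" rule, as in the reply, covers one subnet
    # only, which is why the exclusion is split out into its own rules here.
    for remote in "$@"; do
        printf '%s\n' "-A POSTROUTING -o $wan_if -s $lan -d $remote -j ACCEPT"
    done

    if [ "$wan_ip" = "-" ]; then
        printf '%s\n' "-A POSTROUTING -o $wan_if -s $lan -j MASQUERADE"
    else
        printf '%s\n' "-A POSTROUTING -o $wan_if -s $lan -j SNAT --to-source $wan_ip"
    fi
    printf '%s\n' 'COMMIT'
}

# Reads a ruleset on stdin and fails (exit 1) if any ACCEPT exclusion comes
# after the MASQUERADE/SNAT rule, where it would never be reached.
check_order() {
    awk '
        /-j (MASQUERADE|SNAT)/ { seen_nat = 1 }
        /-j ACCEPT/ && seen_nat  { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run with the thread's addresses; 192.168.2.0/24 is a made-up
# second remote subnet. Loading the output for real is
#   ipsec_nat_rules ... | iptables-restore        (as root)
# and afterwards the fix can be verified with:
#   iptables -t nat -L POSTROUTING -v -n   # ACCEPT counters rise on LAN->remote pings
#   setkey -DP                             # SPD entries still match the un-NATed source
#   tcpdump -n -i eth1 esp                 # LAN->remote traffic leaves eth1 as ESP
rules=$(ipsec_nat_rules 192.168.0.0/24 eth1 - 192.168.1.0/24 192.168.2.0/24)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | check_order && echo "# exclusion rules precede the NAT rule: ok"
```

Keep the DNAT rules for PPTP and UDP 60001 from the original nat table as they are; they sit in PREROUTING and are unaffected by the POSTROUTING change.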
On 19 Mar, 11:58, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> Hello,
>
> Sandro wrote:
>
> > Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
> > Linux box with Debian Sarge.
> > The IPsec tunnel goes up, and if I try to ping from the Netgear to every
> > machine of the Linux LAN it works. But if I ping from the Linux LAN to
> > the Netgear's LAN it doesn't work.
> [...]
> > -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
>
> You should exclude the IPsec traffic (both encapsulated and
> decapsulated) from the masquerading:
>
>     iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
>         -d ! 192.168.1.0/24 -j MASQUERADE
>
> PS: if eth1 has a fixed IP address you could use SNAT instead of
> MASQUERADE.

Thank you, it works!!