IPSEC tunnel problem
Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a Linux box with Debian Sarge. The IPsec tunnel goes up and if I try to ping from the Netgear to every machine of the Linux LAN it works. But if I ping from the Linux LAN to the Netgear's LAN it doesn't work.

I have configured the Netgear with 192.168.1.254/24 as LAN address and 88.XX.XX.106/28 as WAN address.

This is the configuration of the Linux server:

```
eth0      Link encap:Ethernet  HWaddr 00:00:1C:00:08:8A
          inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::200:1cff:fe00:88a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88149 errors:1 dropped:0 overruns:0 frame:0
          TX packets:87570 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13353060 (12.7 MiB)  TX bytes:62792483 (59.8 MiB)
          Interrupt:12 Base address:0xc400

eth1      Link encap:Ethernet  HWaddr 00:05:1C:04:75:FE
          inet addr:195.XX.XX.153  Bcast:195.XX.XX.255  Mask:255.255.255.0
          inet6 addr: fe80::205:1cff:fe04:75fe/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:115218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77161 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:72403824 (69.0 MiB)  TX bytes:13581805 (12.9 MiB)
          Interrupt:10 Base address:0xc800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:117810 (115.0 KiB)  TX bytes:117810 (115.0 KiB)
```

racoon configuration:

```
remote 88.XX.XX.106 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp768;
    }
    peers_identifier address "88.XX.XX.106";
    verify_identifier on;
}

sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
```

setkey security policies:

```
spdadd 0.0.0.0/0[any] 192.168.1.0/24[any] any -P out ipsec esp/tunnel/195.XX.XX.153-88.XX.XX.106/require;
# spdadd 192.168.1.0/24[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/88.XX.XX.106-195.XX.XX.153/require;
```

iptables rules:

```
# Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
*nat
:PREROUTING ACCEPT [2245:134953]
:POSTROUTING ACCEPT [166:46968]
:OUTPUT ACCEPT [149:45271]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.1:1723
-A PREROUTING -i eth1 -p gre -j DNAT --to-destination 192.168.0.1
-A PREROUTING -i eth1 -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.0.131:60001
-A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 18 17:54:20 2008
# Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
*filter
:INPUT ACCEPT [6153:1121189]
:FORWARD ACCEPT [50:7016]
:OUTPUT ACCEPT [4820:760457]
-A FORWARD -s 192.168.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar 18 17:54:20 2008
```

Can someone help me??
Re: IPSEC tunnel problem
Hello,

Sandro wrote:
> Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
> Linux box with Debian Sarge.
> The IPsec tunnel goes up and if I try to ping from the Netgear to every
> machine of the Linux LAN it works. But if I ping from the Linux LAN to
> the Netgear's LAN it doesn't work.
[...]
> -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE

You should exclude the IPsec traffic (both encapsulated and decapsulated) from the masquerading:

```
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
    -d ! 192.168.1.0/24 -j MASQUERADE
```

PS: if eth1 has a fixed IP address you could use SNAT instead of MASQUERADE.
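The reply above fixes one over-broad POSTROUTING rule by hand. As an added example (not code from the thread or from either poster), the following POSIX shell script audits an iptables-save nat table for source-NAT rules that still rewrite traffic bound for the IPsec peer LAN and prints the corrected rule; the addresses and interface are the thread's, the sample ruleset is constructed from the posted nat table, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: find POSTROUTING MASQUERADE/SNAT rules
# that also rewrite LAN-to-LAN traffic destined for the IPsec peer network,
# and print a corrected rule. Values below are the thread's; SAMPLE_NAT is a
# constructed copy of the posted nat table.

LOCAL_LAN="192.168.0.0/24"
REMOTE_LAN="192.168.1.0/24"
WAN_IF="eth1"

# Constructed sample: the nat table as posted, containing the over-broad rule.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p gre -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT'

# Print every POSTROUTING source-NAT rule in $1 (iptables-save text) that does
# not exclude REMOTE_LAN as destination. Such a rule rewrites the inner source
# address before encapsulation, so the packet no longer matches the
# LOCAL_LAN <-> REMOTE_LAN selectors negotiated for the tunnel.
find_leaky_nat_rules() {
    printf '%s\n' "$1" \
        | grep -E -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' \
        | grep -v -F -- "! -d $REMOTE_LAN" \
        | grep -v -F -- "-d ! $REMOTE_LAN"
}

# Corrected rule in current iptables syntax (the reply uses the older "-d !"
# spelling): masquerade LAN traffic going anywhere except the peer LAN.
corrected_rule() {
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LOCAL_LAN ! -d $REMOTE_LAN -j MASQUERADE"
}

# Succeed (exit 0) only when the ruleset in $1 contains no leaky rule.
nat_excludes_peer_lan() {
    [ -z "$(find_leaky_nat_rules "$1")" ]
}

if [ "$#" -eq 0 ]; then
    echo "Leaky rules in sample:"
    find_leaky_nat_rules "$SAMPLE_NAT"
    echo "Replacement:"
    corrected_rule
fi
```

The same check can be run against a live box with `nat_excludes_peer_lan "$(iptables-save -t nat)"`.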
Re: IPSEC tunnel problem
On 19 Mar, 11:58, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org> wrote:
> Hello,
>
> Sandro wrote:
>
> > Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
> > Linux box with Debian Sarge.
> > The IPsec tunnel goes up and if I try to ping from the Netgear to every
> > machine of the Linux LAN it works. But if I ping from the Linux LAN to
> > the Netgear's LAN it doesn't work.
> [...]
> > -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
>
> You should exclude the IPsec traffic (both encapsulated and
> decapsulated) from the masquerading:
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
>     -d ! 192.168.1.0/24 -j MASQUERADE
>
> PS: if eth1 has a fixed IP address you could use SNAT instead of
> MASQUERADE.

Thank you, it works!!