IPSEC tunnel problem - Networking



Thread: IPSEC tunnel problem

  1. IPSEC tunnel problem

    Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
    Linux box with Debian Sarge.
    The IPsec tunnel goes up, and if I try to ping from the Netgear to every
    machine on the Linux LAN it works. But if I ping from the Linux LAN to
    the Netgear's LAN it doesn't work.

    I have configured the Netgear with 192.168.1.254/24 as lan address and
    88.XX.XX.106/28 as wan address

    This is the configuration of the Linux server:
    eth0 Link encap:Ethernet HWaddr 00:00:1C:00:08:8A
    inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::200:1cff:fe00:88a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:88149 errors:1 dropped:0 overruns:0 frame:0
    TX packets:87570 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:13353060 (12.7 MiB) TX bytes:62792483 (59.8 MiB)
    Interrupt:12 Base address:0xc400

    eth1 Link encap:Ethernet HWaddr 00:05:1C:04:75:FE
    inet addr:195.XX.XX.153 Bcast:195.XX.XX.255 Mask:255.255.255.0
    inet6 addr: fe80::205:1cff:fe04:75fe/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:115218 errors:0 dropped:0 overruns:0 frame:0
    TX packets:77161 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:72403824 (69.0 MiB) TX bytes:13581805 (12.9 MiB)
    Interrupt:10 Base address:0xc800

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:117810 (115.0 KiB) TX bytes:117810 (115.0 KiB)

    # racoon.conf: phase 1 (IKE) settings for the Netgear peer
    remote 88.XX.XX.106 {
        exchange_mode main;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp768;
        }
        peers_identifier address "88.XX.XX.106";
        verify_identifier on;
    }

    # phase 2 (IPsec SA) settings between the two LANs
    sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }


    spdadd 0.0.0.0/0[any] 192.168.1.0/24[any] any -P out ipsec
    esp/tunnel/195.XX.XX.153-88.XX.XX.106/require;
    #
    spdadd 192.168.1.0/24[any] 0.0.0.0/0[any] any -P in ipsec
    esp/tunnel/88.XX.XX.106-195.XX.XX.153/require;


    # Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
    *nat
    :PREROUTING ACCEPT [2245:134953]
    :POSTROUTING ACCEPT [166:46968]
    :OUTPUT ACCEPT [149:45271]
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.1:1723
    -A PREROUTING -i eth1 -p gre -j DNAT --to-destination 192.168.0.1
    -A PREROUTING -i eth1 -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.0.131:60001
    -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
    COMMIT
    # Completed on Tue Mar 18 17:54:20 2008
    # Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
    *filter
    :INPUT ACCEPT [6153:1121189]
    :FORWARD ACCEPT [50:7016]
    :OUTPUT ACCEPT [4820:760457]
    -A FORWARD -s 192.168.0.0/255.255.255.0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Tue Mar 18 17:54:20 2008


    Can someone help me?

  2. Re: IPSEC tunnel problem

    Hello,

    Sandro wrote:
    > Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
    > Linux box with Debian Sarge.
    > The IPsec tunnel goes up, and if I try to ping from the Netgear to every
    > machine on the Linux LAN it works. But if I ping from the Linux LAN to
    > the Netgear's LAN it doesn't work.

    [...]
    > -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE


    You should exclude the IPsec traffic (both encapsulated and
    decapsulated) from the masquerading:

    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
    -d ! 192.168.1.0/24 -j MASQUERADE

    PS: if eth1 has a fixed IP address you could use SNAT instead of
    MASQUERADE.
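
    The exclusion Pascal suggests, written out as a complete replacement nat
    table for the Debian gateway so that the rule order is explicit. This is
    an added example, not code from the thread: it keeps the three DNAT rules
    and the addresses from the first post, uses the current iptables negation
    syntax (`! -d`; the 1.3.6 build on the page accepts `-d !`), and puts an
    explicit ACCEPT for LAN-to-remote-LAN traffic ahead of the MASQUERADE
    rule. The `check_order` helper is my own sanity check that the exclusion
    precedes the masquerade before the ruleset is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: generate the corrected nat table for the
# Debian IPsec gateway as an iptables-restore fragment and check the rule order
# before loading it. Addresses and interface names are those from the first post.

LAN_NET=192.168.0.0/24      # LAN behind the Debian box (eth0)
REMOTE_NET=192.168.1.0/24   # LAN behind the Netgear DG834, reached through the tunnel
WAN_IF=eth1                 # carries both the ESP packets and the masqueraded Internet traffic

# Packets from the local LAN to the remote LAN must keep their private source
# address: the tunnel was negotiated for 192.168.0.0/24 <-> 192.168.1.0/24, and a
# masqueraded packet (source rewritten to the WAN address) no longer fits those
# selectors. ACCEPT in the nat table ends nat processing for that packet, so the
# exclusion has to sit before the MASQUERADE rule.
gen_nat_table() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.1:1723
-A PREROUTING -i $WAN_IF -p gre -j DNAT --to-destination 192.168.0.1
-A PREROUTING -i $WAN_IF -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.0.131:60001
-A POSTROUTING -o $WAN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT
-A POSTROUTING -o $WAN_IF -s $LAN_NET ! -d $REMOTE_NET -j MASQUERADE
COMMIT
EOF
}

# Returns 0 when the tunnel exclusion appears before the first MASQUERADE rule
# in the given ruleset text, 1 otherwise (missing exclusion counts as a failure).
check_order() {
    ruleset=$1
    accept_line=$(printf '%s\n' "$ruleset" | grep -n -- "-d $REMOTE_NET -j ACCEPT" | cut -d: -f1 | head -n 1)
    masq_line=$(printf '%s\n' "$ruleset" | grep -n -- "-j MASQUERADE" | cut -d: -f1 | head -n 1)
    [ -n "$accept_line" ] && [ -n "$masq_line" ] && [ "$accept_line" -lt "$masq_line" ]
}

# Stand-alone use: print the ruleset only when the order check passes, so a
# bad edit cannot be piped into iptables-restore by accident.
if check_order "$(gen_nat_table)"; then
    gen_nat_table
else
    echo "refusing: MASQUERADE precedes the tunnel exclusion" >&2
fi
```

    Load it with `sh thisscript.sh | iptables-restore -n` (`-n`/`--noflush`
    keeps the existing filter table and replaces only the nat table). To
    confirm the fix, `setkey -DP` should still list both spdadd policies, and
    a ping from a LAN host to a 192.168.1.x address should now appear on eth1
    as ESP (`tcpdump -ni eth1 esp`) rather than as a masqueraded ICMP packet.
    On kernels with the policy match (2.6.16 and later) the exclusion can be
    written without hard-coding the remote subnet as
    `-m policy --dir out --pol ipsec -j ACCEPT` before the MASQUERADE rule.
    One unrelated caveat on the racoon settings quoted above: 3DES, MD5 and
    modp768 were what a DG834 of that era negotiated; on any peer that
    supports it, prefer AES and a larger DH group.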

  3. Re: IPSEC tunnel problem

    On 19 Mar, 11:58, Pascal Hambourg wrote:
    > Hello,
    >
    > Sandro wrote:
    >
    > > Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
    > > Linux box with Debian Sarge.
    > > The IPsec tunnel goes up, and if I try to ping from the Netgear to every
    > > machine on the Linux LAN it works. But if I ping from the Linux LAN to
    > > the Netgear's LAN it doesn't work.

    > [...]
    > > -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE

    >
    > You should exclude the IPsec traffic (both encapsulated and
    > decapsulated) from the masquerading:
    >
    > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
    >     -d ! 192.168.1.0/24 -j MASQUERADE
    >
    > PS: if eth1 has a fixed IP address you could use SNAT instead of
    > MASQUERADE.


    Thank you, it works!!
