OpenWrt Forum Archive

Topic: OpenSWAN to IPCOP IPSEC site to site vpn connected but no traffic

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi All,

I'm banging my head against the wall after a couple of days of trying to get this right and trying hard to read docs and get myself sorted out. 

I have an ipcop machine that's running a net to net vpn to another ipcop machine and it's running great. 

I have an openwrt install on a third network (home) with openswan installed and am trying to configure it to be another net to net vpn.

I've got ipsec.conf configured like the examples and / or like my ipcop machines with the same result every time:

1. VPN connects, everything appears connected on Ipcop side and on Openwrt side through openswan.

2. From any machine on the IPCOP network (10.4.10.x) I can ping the OpenWrt box's green ip (192.168.4.1), but no other machine on the openwrt side's network.

3. From any machine on the openwrt network (192.168.4.x) I CANNOT ping any machine on the 10.4.10.x network.

4. From any machine on the openwrt network (192.168.4.x) I CANNOT ping the IPCOP machine itself (10.4.10.1)

I'm almost positive this has something to do with my iptables setup. I struggle with iptables though. I've tried several settings from this list's postings and the openswan wiki.

I currently have the following:  (Mostly commented out)

#iptables -t nat -A postrouting_rule -o eth0 -s 192.168.4.0/24 -d \! 10.4.10.0/24 -j MASQUERADE
iptables -A input_rule -p esp -s 11.111.11.11              -j ACCEPT  # allow IPSEC
iptables -A input_rule -p udp -s 11.111.11.11 --dport 500  -j ACCEPT  # allow ISAKMP
iptables -A input_rule -p udp -s 11.111.11.11 --dport 4500 -j ACCEPT  # allow NAT-T
#iptables -t nat -A postrouting_rule -d 10.4.10.0/24 -j ACCEPT
#iptables -A forwarding_rule -i eth1 -o ipsec0 -j ACCEPT
#iptables -A forwarding_rule -i ipsec0 -o eth1 -j ACCEPT

I've tried to copy the iptables rules that are on the ipcop side and it seems to work from itself to another ipcop machine, but I can't find any iptables settings that relate to the vpn connections.

Can anyone recommend something to try?

Thanks,
Stu

Small Update to my own message. 

I added a couple of iptables rules that I found in ipcop's config:

iptables -A INPUT   -i ipsec+ -j ACCEPT
iptables -A FORWARD -i ipsec+ -j ACCEPT

This allows me now to ping and connect to any computer behind the OpenWRT device from the 10.4.10.x network, but I still can't ping / connect to the computers on the remote side from behind the OpenWRT machine.

Sweet Lover I found my answer!

The following must be in firewall.user

I got this all from: http://proclos.org/tutorials/openwrt-al … y-openswan

I surely hope this helps someone else!

### allow ipsec traffic from your wan port to the router
iptables -A input_wan -p esp              -j ACCEPT # allow IPSEC
iptables -A input_wan -p udp --dport 500  -j ACCEPT # allow ISAKMP
iptables -A input_wan -p udp --dport 4500 -j ACCEPT # allow NAT-T

### disable nat for the remote peer subnet, in this example 192.168.2.0/24
iptables -t nat -A postrouting_rule -d 192.168.2.0/24 -j ACCEPT

### Allow any traffic between your local LAN and remote peer LAN
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
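The rule set above forwards anything that arrives on ipsec0 and accepts IKE/ESP from any WAN address. The script below is an added example (not from the thread or the linked tutorial) that emits the same three pieces for the thread's subnets, tightened so that forwarding is limited to the two tunnel subnets and IKE/ESP is limited to the known peer; it assumes the KLIPS-style ipsec0 interface the thread uses, eth1 as the LAN interface, and that postrouting_rule is jumped before OpenWrt's MASQUERADE rule (which is what makes the ACCEPT exemption work).

```shell
#!/bin/sh
# Added example, not the thread's or the tutorial's own code. Prints a
# firewall.user fragment for an OpenSwan net-to-net tunnel; pipe it into sh
# on the router. Values are this thread's addresses; eth1 is an assumption.
LAN_IF="eth1"                 # assumed LAN interface (the $LAN of the post)
LOCAL_NET="192.168.4.0/24"    # OpenWrt side, from the thread
REMOTE_NET="10.4.10.0/24"     # IPCop side, from the thread
PEER_IP="11.111.11.11"        # IPCop WAN address as used in the first post

# Sanity check: dotted quad with optional /prefix, nothing else.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the rules; returns 1 (and prints nothing) on a malformed address.
gen_ipsec_rules() {
    lan="$1"; local_net="$2"; remote_net="$3"; peer="$4"
    valid_cidr "$local_net" && valid_cidr "$remote_net" && valid_cidr "$peer" || return 1
    cat <<EOF
# IKE and ESP on the WAN, restricted to the configured peer only
iptables -A input_wan -p esp -s $peer -j ACCEPT
iptables -A input_wan -p udp -s $peer --dport 500 -j ACCEPT
iptables -A input_wan -p udp -s $peer --dport 4500 -j ACCEPT
# Exempt tunnel traffic from MASQUERADE (postrouting_rule runs before the NAT rule)
iptables -t nat -A postrouting_rule -s $local_net -d $remote_net -j ACCEPT
# Forward only between the two tunnel subnets, not anything that shows up on ipsec0
iptables -A forwarding_rule -i $lan -o ipsec0 -s $local_net -d $remote_net -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $lan -s $remote_net -d $local_net -j ACCEPT
EOF
}

# Number of iptables rules produced, used as a self-check before applying.
count_rules() {
    gen_ipsec_rules "$@" | grep -c '^iptables'
}

# In firewall.user:  gen_ipsec_rules "$LAN_IF" "$LOCAL_NET" "$REMOTE_NET" "$PEER_IP" | sh
```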