OpenSWAN vs. iptables

I have two Ubuntu-server boxes, as gateways on two different networks: each one has two NICs, eth0 to the LAN, eth1 to the Internet. I set up OpenSWAN on both machines and iptables like this:

iptables -A INPUT -p esp -i eth1 -j ACCEPT
iptables -A OUTPUT -p esp -o eth1 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth1 --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth1 --dport 4500 -j ACCEPT

The tunnel is established correctly, but I cannot ping. I guess it is because I drop all ping requests from the Internet on eth1, so I wonder if I can tell OpenSWAN to create a virtual interface to use for the tunnel and use that interface to make iptables rules and accept traffic. I tried to set on "conn setup": interfaces="ipsec0=eth1" but I cannot see an ipsec0 interface on my machine...

Heruan

Assuming you have a default block any at the end, you need to allow the pings in your iptables rules.

Joe Beasley

Ok, but can I make virtual interfaces to distinguish eth1 --> Internet, ipsec0 --> tunnel?

Heruan

You should not need the virtual interfaces....

Just use the source/destination.

Joe Beasley

Ok, thank you! I added to my rules:

iptables -A INPUT -p esp -i eth1 -j ACCEPT
iptables -A OUTPUT -p esp -o eth1 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 500 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

to establish the tunnel and permit communication from the subnet 192.168.0.0/24, but I still cannot ping or telnet to any services.

Isn't it less secure to use source/destination instead of a virtual interface? With a virtual interface I know that those packets are coming from the other end of the tunnel; accepting traffic from a subnet source, I feel a little less secure... isn't it?

Heruan
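Joe's source/destination approach can be made as tight as the ipsec0 rule Heruan is asking for: the kernel NETKEY stack creates no ipsec0 device, but the iptables policy match can tell whether a packet was decapsulated from an IPsec SA, so a plain-text packet on eth1 with a spoofed 192.168.0.0/24 source is rejected. The script below is an added example and not from the thread; it assumes the remote LAN is 192.168.0.0/24 and, as a constructed value, a local LAN of 192.168.1.0/24, and it prints the rules instead of applying them when IPT=echo.

```shell
#!/bin/sh
# Added example: OpenSWAN gateway rules using the NETKEY stack (no ipsec0).
# Instead of trusting any packet with a 192.168.0.0/24 source, accept only
# packets that really arrived inside an IPsec SA (-m policy --pol ipsec).
# Assumptions (constructed): remote LAN 192.168.0.0/24, local LAN
# 192.168.1.0/24, WAN on eth1, LAN on eth0. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
WAN_IF=eth1
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.0.0/24

ipsec_rules() {
    # IKE and NAT-T on the WAN side
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    # Raw ESP in and out (payload still encrypted at this point)
    $IPT -A INPUT  -i "$WAN_IF" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p esp -j ACCEPT
    # Decrypted traffic: accept REMOTE_NET sources only if the packet came
    # out of an ESP SA, whether destined for the gateway or for the LAN.
    $IPT -A INPUT   -i "$WAN_IF" -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    # Replies from the LAN must be allowed before they get encrypted
    $IPT -A FORWARD -o "$WAN_IF" -m policy --dir out --pol ipsec --proto esp \
        -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Anything else claiming the remote LAN's address on eth1 is clear text
    # that never went through the tunnel: drop it explicitly.
    $IPT -A INPUT   -i "$WAN_IF" -s "$REMOTE_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$REMOTE_NET" -j DROP
}

# Number of rules that require the packet to have been IPsec-protected
policy_rule_count() {
    (IPT=echo; ipsec_rules) | grep -c -- '--pol ipsec'
}

# Apply only if the chosen tool exists (iptables, or echo for a dry run)
command -v "$IPT" >/dev/null 2>&1 && ipsec_rules
```

The DROP rules are what a default-accept INPUT/FORWARD policy would otherwise leave open; with a default-drop policy they are only a clearer place to hang counters or logging.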
