Guillermo,

There are a few things that need to be done with IPSEC in order to traverse the tunnel.

First and foremost you need to NOT masquerade the IPSEC packets. Here's how that is accomplished.

Change:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

To:

iptables -t nat -A POSTROUTING -p ! esp -o eth1 -j MASQUERADE

IPSEC will go through iptables twice: first for the IPSEC encoded packets and finally the decoded packets. You don't want to run the decoded packets through the POSTROUTING NAT a second time. So "-p ! esp" becomes your friend here.

Second, you now have private traffic coming in on your firewall's external interface (because of this second parsing of the packets). So you need your rules to reflect that. You might want to log everything before you drop it, to see what might be getting caught that shouldn't be.

Also, you will need to turn on IP forwarding on the firewall (which might also be your problem).

Gary

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Guillermo Calvo
> Sent: Thursday, August 25, 2005 8:31 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: ipsec nat and iptables
>
>
> Hello
>
> I'm trying to set up a network-to-network VPN using native IPsec support
> on CentOS 4.1
>
>
> Network A
> eth0 = connected to the Internet
> eth1 = connected to private LAN 192.168.1.1
>
> Network B
> eth0 = connected to the Internet
> eth1 = connected to private LAN 192.168.2.1
>
> From server A I'm able to ping 192.168.2.1 and vice versa, but computers
> in the private LAN can't see the other side.
>
> I'm using pre-shared keys; also I set nat_traversal in racoon.
>
> Also I set my servers up as iptables routers:
>
> iptables -A INPUT -m state --state INVALID -j DROP
> iptables -A FORWARD -m state --state INVALID -j DROP
> iptables -A OUTPUT -m state --state INVALID -j DROP
>
> iptables -A FORWARD -i eth1 -o eth0
> iptables -A FORWARD -i eth0 -o eth1
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i ethY -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
>
> Thanks in advance
>
> Guillermo Calvo
>
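The three points in Gary's reply (keep the tunnel's packets out of MASQUERADE, admit the decrypted traffic that re-enters on the external interface, and enable IP forwarding) as one complete ruleset, written as an added example for this archive page and not taken from either poster. The interface roles, the 192.168.1.0/24 and 192.168.2.0/24 subnets and the racoon IKE/NAT-T ports are assumptions based on Guillermo's network description (site A; swap the subnets for site B). Two things go beyond the reply: the NAT exemption is also keyed on the LAN-to-LAN subnet pair, because on native Linux IPsec the plaintext packet passes POSTROUTING before it is encapsulated, and an optional `-m policy --dir in --pol ipsec` match (the xt_policy module, on kernels newer than the one in the thread) restricts the "private source on the external interface" rule to packets that really came out of an IPsec SA, so a spoofed Internet packet with a 192.168.2.x source is not forwarded. On current iptables the negation is written `! -p esp`; `-p ! esp` is the older form quoted in the reply.

```shell
#!/bin/sh
# Added example, not code from either poster on the thread.
# IPsec-aware iptables ruleset for a site-to-site tunnel on a masquerading
# gateway.  Interface roles and subnets are assumptions taken from the
# network description in the thread (site A); adjust them for site B.
EXT=${EXT:-eth0}                         # Internet-facing interface
LAN=${LAN:-eth1}                         # private LAN interface
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}   # LAN behind this gateway
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24} # LAN behind the IPsec peer
USE_POLICY_MATCH=${USE_POLICY_MATCH:-0}  # 1 = use -m policy (xt_policy)
IPT=${IPT:-iptables}                     # IPT=echo to review without applying

r() { printf '%s\n' "$*"; }               # one rule per line, as $IPT arguments

# Print the ruleset.  Nothing is applied here, so this runs unprivileged.
build_rules() {
    r -F
    r -t nat -F
    r -P INPUT DROP
    r -P FORWARD DROP
    r -P OUTPUT ACCEPT

    # INPUT: state tracking first, then the IPsec control and data channels.
    r -A INPUT -i lo -j ACCEPT
    r -A INPUT -m state --state INVALID -j DROP
    r -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    r -A INPUT -i "$EXT" -p udp --dport 500 -j ACCEPT   # IKE (racoon)
    r -A INPUT -i "$EXT" -p udp --dport 4500 -j ACCEPT  # IKE/ESP over NAT-T
    r -A INPUT -i "$EXT" -p esp -j ACCEPT               # ESP without NAT in the path
    r -A INPUT -i "$LAN" -s "$LOCAL_NET" -j ACCEPT       # admin access from the LAN
    r -A INPUT -j LOG --log-prefix INPUT-DROP:           # log before dropping
    r -A INPUT -j DROP

    # FORWARD: decrypted tunnel packets re-enter on $EXT carrying private
    # addresses (the "second pass"), so they need an explicit rule.
    r -A FORWARD -m state --state INVALID -j DROP
    r -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    r -A FORWARD -i "$LAN" -o "$EXT" -s "$LOCAL_NET" -j ACCEPT
    if [ "$USE_POLICY_MATCH" = 1 ]; then
        # Only packets that actually came out of an IPsec SA qualify; a
        # spoofed Internet packet with a private source address does not.
        r -A FORWARD -i "$EXT" -o "$LAN" -m policy --dir in --pol ipsec \
            -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    else
        r -A FORWARD -i "$EXT" -o "$LAN" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    fi
    r -A FORWARD -j LOG --log-prefix FORWARD-DROP:
    r -A FORWARD -j DROP

    # nat/POSTROUTING: the plaintext LAN-to-LAN packet passes here before it
    # is encapsulated, so exempt it first; then masquerade everything else
    # except the ESP pass ("! -p esp" on current iptables).
    r -t nat -A POSTROUTING -o "$EXT" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    r -t nat -A POSTROUTING -o "$EXT" ! -p esp -j MASQUERADE
}

# Feed the printed rules to $IPT and enable forwarding (needs root).
apply_rules() {
    build_rules | while IFS= read -r line; do
        # word splitting of $line is intended: each line is one argument list
        $IPT $line
    done
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default: print the ruleset for review
esac
```

Run it with no arguments to review the generated rules, with `IPT=echo ./ipsec-fw.sh apply` to see exactly what would be executed, and as root with `apply` to install them; set `USE_POLICY_MATCH=1` on a kernel that has xt_policy. Order matters in POSTROUTING: the ACCEPT for the tunnel subnets must precede MASQUERADE, or the inner source address is rewritten to the public address and the packet no longer matches the peer's security policy.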