Hi all,

I've configured a VPN with OpenVPN, following your "howto". Everything seems to be OK, but the masquerading.
Here is the config:

subnetA---fwA----inet---fwB---subnetB

Classical, isn't it?
On the subnetB, there are 2 sorts of OS: XP (2 boxes) and win9x (2 boxes).

If I try to ping from subnetA or fwA XP machines, that sounds good.
If I try to ping from subnetA or fwA win9x machines, nothing goes back.

To have everything run, I have to add a rule like:
iptables -t nat -A POSTROUTING -o ! tun+ -j MASQUERADE

and then everything is fine.

Did you forget something?
Have I made some mistake configuring shorewall?
Is something missing on your "howto" page?

Tell me, please.

Bye
jo
On Tue, 2003-08-05 at 08:01, joel fernandez wrote:
> Hi all,
>
> I've configure a VPN with OpenVPN, following your "howto".
> Everything seems to be OK, but the masquerading.
> here is the config :
>
> subnetA---fwA----inet---fwB---subnetB
>
> Classical, isn't it?
> On the subnetB, there are 2 sorts of OS : XP(2 boxes) and win9x(2 boxes).
>
> If I try to ping from subnetA or fwA XP machines, that sounds good.

And what systems are you pinging? The internet? Systems in Subnet B?

> If I try to ping from subnetA or fwA win9x machines, nothing goes back.

Again, what systems are you trying to ping from subnet A?

> To have everything run, I have to add a rule like :
> iptables -t nat -A POSTROUTING -o ! tun+ -j MASQUERADE
>
> and then everything is fine.

On which firewall do you enter this command? What does the routing table look like on the two firewalls?

> did you forget something ?
> have I made some mistake configuring shorewall ?
> Something is missing on your "howto" page ?
>
> Tell me, please.

From your description, I have absolutely no idea what problem you are trying to report. If you answer the above questions, we will have a better idea possibly...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hello Tom,

> And what systems are you pinging? The internet? Systems in Subnet B?
>
>> If I try to ping from subnetA or fwA win9x machines, nothing goes back.
>
> Again, what systems are you trying to ping from subnet A?

Sorry if I was so vague in my description.
When I try to ping computers on the subnetB from computers on the subnetA or from the firewall A, the reply only comes from boxes (on subnetB) whose OS is Win XP. Boxes on subnetB whose OS is Win9x don't answer my ping.

================||                            ||====================
S  192.168.2.X  ||       OpenVPN Tunnel       ||  192.168.33.X     S
U               ||============================||                   U
B               ||                            ||                   B
N               ||                            ||                   N
E               ||                            ||     ___Win XP (.4) E
T  linux----fwA                                  fwB----|           T
   (.224)   (.2)                                 (.10)  |__Win9x (.5)
A               ||                            ||                   A
                ||                            ||
                ||============================||
================||       OpenVPN Tunnel       ||====================

ping 192.168.2.224 --> 192.168.2.2   = OK
ping 192.168.2.224 --> 192.168.33.10 = OK
ping 192.168.2.224 --> 192.168.33.4  = OK
ping 192.168.2.224 --> 192.168.33.5  = not OK
ping 192.168.33.10 --> 192.168.33.4  = OK
ping 192.168.33.10 --> 192.168.33.5  = OK
ping 192.168.2.2   --> 192.168.33.10 = OK
ping 192.168.2.2   --> 192.168.33.4  = OK
ping 192.168.2.2   --> 192.168.33.5  = not OK

>> To have everything run, I have to add a rule like :
>> iptables -t nat -A POSTROUTING -o ! tun+ -j MASQUERADE
>>
>> and then everything is fine.

i.e. each ping is correct.

> On which firewall do you enter this command? What does the routing table
> look like on the two firewalls?

On both.

netstat -rn subnet A says:
Destination     Gateway         Genmask         Indic MSS Fenêtre irtt Iface
e.f.g.h         0.0.0.0         255.255.255.255 UH    40  0       0    ppp0
10.0.10.2       0.0.0.0         255.255.255.255 UH    40  0       0    tun0
192.168.2.0     10.0.10.2       255.255.255.0   UG    40  0       0    tun0
192.168.33.0    0.0.0.0         255.255.255.0   U     40  0       0    eth0
0.0.0.0         e.f.g.h         0.0.0.0         UG    40  0       0    ppp0

netstat -rn subnet B says:
Destination     Gateway         Genmask         Indic MSS Fenêtre irtt Iface
a.b.c.d         0.0.0.0         255.255.255.255 UH    40  0       0    ppp0
10.0.10.33      0.0.0.0         255.255.255.255 UH    40  0       0    tun0
192.168.33.0    10.0.10.33      255.255.255.0   UG    40  0       0    tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     40  0       0    eth0
0.0.0.0         a.b.c.d         0.0.0.0         UG    40  0       0    ppp0

a.b.c.d and e.f.g.h are ip@ISP

> From your description, I have absolutely no idea what problem you are
> trying to report. If you answer the above questions, we will have a
> better idea possibly...
>
> -Tom

Sorry again. Hope this is more precise.

Bye
jo
On Tue, 2003-08-05 at 14:49, joel fernandez wrote:
> Hello Tom,
>
>> And what systems are you pinging? The internet? Systems in Subnet B?
>>
>>> If I try to ping from subnetA or fwA win9x machines, nothing goes back.
>>
>> Again, what systems are you trying to ping from subnet A?
>
> Sorry if I was so vague in my description.
> when I try to ping computers on the subnetB from computers on the
> subnetA or from the firewall A, the reply only comes from boxes (on
> subnetB)which OS is Win XP. Boxes on subnetB which OS is Win9x don't
> answer my ping.

I suspect that the Win9x box doesn't have the correct default route.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
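Added example, not part of the thread and not Shorewall's or OpenVPN's code: a small longest-prefix route lookup that plays Tom's suspicion through the ping matrix above. fwB's rows come from the netstat output with the LAN prefix matched to the diagram (192.168.33.0/24 on eth0, the remote LAN via tun0); the XP and Win9x host tables, the interface name "lan" and the "isp" placeholder for the ppp0 peer are assumptions.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (network, gateway, iface) rows; None when no route fits."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

# fwB, transcribed from the thread's netstat -rn output (gateway None = on-link,
# "isp" = the unnamed ppp0 peer).
FW_B = [("192.168.33.0/24", None, "eth0"), ("192.168.2.0/24", "10.0.10.33", "tun0"),
        ("10.0.10.33/32", None, "tun0"), ("0.0.0.0/0", "isp", "ppp0")]
# Constructed host tables (assumptions): the XP box has a default gateway pointing
# at fwB's LAN address, the Win9x box only knows its own subnet.
XP_HOST = [("192.168.33.0/24", None, "lan"), ("0.0.0.0/0", "192.168.33.10", "lan")]
WIN9X_HOST = [("192.168.33.0/24", None, "lan")]

def ping_round_trip(host_table, host_ip, pinger, masq_as=None):
    """Trace echo request and reply. With MASQUERADE on fwB's eth0 the host sees the
    request as coming from fwB's own address (masq_as) and replies to that instead."""
    steps = [("fwB -> host", lookup(FW_B, host_ip))]
    reply_dst = masq_as or pinger
    host_route = lookup(host_table, reply_dst)
    steps.append(("host reply", host_route))
    if host_route is None:
        return False, steps          # reply has nowhere to go: "not OK" in the thread
    # after de-NAT (or directly, without masquerade) fwB forwards the reply to the pinger
    steps.append(("fwB -> tunnel", lookup(FW_B, pinger)))
    return True, steps

if __name__ == "__main__":
    for name, table, ip in (("XP .4", XP_HOST, "192.168.33.4"),
                            ("Win9x .5", WIN9X_HOST, "192.168.33.5")):
        ok, _ = ping_round_trip(table, ip, "192.168.2.224")
        ok_masq, _ = ping_round_trip(table, ip, "192.168.2.224", masq_as="192.168.33.10")
        print(f"{name}: plain={'OK' if ok else 'not OK'}, masqueraded={'OK' if ok_masq else 'not OK'}")
```

The masquerade rule hides the missing default route rather than fixing it: every tunnelled connection then appears to the Win9x box to come from fwB itself.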