Re: IPSec, IPTables, multiple subnets
- From: Clifford Kite <kite@xxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 13:38:43 -0500
SilkBC <swasak@xxxxxxxxxxx> wrote:
On Mar 27, 1:46 pm, Clifford Kite <k...@xxxxxxxxxxxxxxxxx> wrote:
Given that I'm no IPSec or iptables expert, you might try this:
iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.0.0/16 -j MASQUERADE
I had considered the above, but thought it would have prevented the
LAN traffic at the main site (10.175.0.0/24) from being masqueraded/
nat'd out to the Internet. I gave it a try anyway, and it doesn't
seem to affect that traffic.
Having done that, I have made some progress: from the 10.175.0.0/24
(main site) network, I am able to ping the private gateway IPs of the
routers at the different sites (10.175.x.254) whereas I was not able
to do so previously. I am unable to ping any of the PCs behind the
gateways, however (though I can do so if I SSH to the gateway itself
and start pinging the IPs of the PCs).
I was thinking this may be a routing issue until I was actually able
to ping just one of the PCs in the 10.175.3.0/24 subnet, though I
cannot ping any of the others behind it.
The firewall is not an issue, as it is running the exact same one as
the site with the 10.175.1.0/24 subnet (which is working 100% as it
should). The routing tables are also exactly the same, except for the
local subnet and of course the ISP gateway they have to go through.
Open to any other suggestions... :-)
It smacks of the lack of IP forwarding on the VPN gateways, except
for the one for 10.175.1.0/24 of course. You also might enquire as to
whether there is anything special about the PC that responds to pinging.
That seems to contradict my suggestion: if IP forwarding is missing
on the gateway then no PC should respond and if it isn't then all PCs
should respond.
Anyway, since 10.175.1.0/24 is still 100% with the new rule it seems
like the other subnets should also work with it.
corncob:~# cat /proc/sys/net/ipv4/ip_forward
1
-Alan M.
--
Clifford Kite
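The reply above boils down to two checks on each VPN gateway (is IP forwarding on, and does the MASQUERADE rule leave traffic for the other sites un-NATed) plus one piece of reasoning about ping results. The script below is an added example, not code from anyone in this thread: it wraps those checks in shell functions that work on the text you would get from `cat /proc/sys/net/ipv4/ip_forward` and `iptables-save -t nat`, so they can be run against saved output from each gateway. The 10.175.0.0/16 supernet comes from the rule quoted in the thread; the iptables-save fragments and the ping counts are constructed sample input.

```sh
#!/bin/sh
# Added example (not from the thread). Offline checks for the two things the
# reply points at on a VPN gateway, plus the "who answers ping" reasoning.
# The supernet below is the one from the quoted MASQUERADE rule; everything
# else in this file is constructed sample data.

VPN_SUPERNET="10.175.0.0/16"

# check_ip_forward VALUE -> 0 if forwarding is enabled, 1 otherwise.
# VALUE is the content of /proc/sys/net/ipv4/ip_forward on the gateway.
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# check_nat_exclusion IPTABLES_SAVE_TEXT -> 0 if every MASQUERADE rule in
# the nat POSTROUTING chain excludes VPN_SUPERNET as destination, 1 otherwise
# (also 1 when there is no MASQUERADE rule at all, since then nothing reaches
# the Internet from the LAN either).
check_nat_exclusion() {
    rules=$(printf '%s\n' "$1" | grep -E '^-A POSTROUTING .*-j MASQUERADE' || true)
    [ -n "$rules" ] || return 1
    # Both the current "! -d" and the 2007-era "-d !" spellings are accepted.
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        case "$rule" in
            *"! -d $VPN_SUPERNET"*|*"-d ! $VPN_SUPERNET"*) ;;
            *) exit 1 ;;
        esac
    done
}

# diagnose FORWARD RESPONDED TOTAL -> prints one word, following the reply's
# logic: forwarding off means no host behind the gateway should answer,
# forwarding on means all of them should.
#   gateway : forwarding off and nobody answers  -> enable ip_forward
#   ok      : forwarding on and every host answers
#   host    : forwarding on but only some answer -> per-host problem, not the gateway
#   route   : forwarding on and nobody answers   -> look at routing/NAT on the path
#   path    : forwarding off yet hosts answer    -> replies are taking another path
diagnose() {
    fwd=$1; got=$2; total=$3
    if [ "$fwd" = "1" ]; then
        if [ "$got" -eq "$total" ]; then echo ok
        elif [ "$got" -eq 0 ]; then echo route
        else echo host; fi
    else
        if [ "$got" -eq 0 ]; then echo gateway; else echo path; fi
    fi
}

# Constructed iptables-save fragments (not captured from any real gateway).
NAT_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -d 10.175.0.0/16 -o eth0 -j MASQUERADE
COMMIT'
NAT_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Walk the constructed case from the thread: forwarding on, good NAT rule,
# one of four hosts behind the gateway answering ping.
if check_ip_forward "1"; then echo "ip_forward: on"; else echo "ip_forward: off"; fi
if check_nat_exclusion "$NAT_OK"; then echo "nat exclusion: present"; else echo "nat exclusion: missing"; fi
if check_nat_exclusion "$NAT_BAD"; then echo "plain rule: present"; else echo "plain rule: missing"; fi
echo "diagnosis (fwd=1, 1 of 4 hosts answer): $(diagnose 1 1 4)"
```

In real use you would feed `check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)"` and `check_nat_exclusion "$(iptables-save -t nat)"` on each gateway; a `gateway` or `route` verdict points at the gateway, while `host` says the gateway is doing its job and the hosts that stay silent should be compared with the one that answers.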