Networking Forums

IPSEC tunnel problem

 
 
Sandro
      03-19-2008, 08:28 AM
Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
Linux box with Debian Sarge.
The IPsec tunnel goes up, and if I try to ping from the Netgear to every
machine on the Linux LAN it works. But if I ping from the Linux LAN to
the Netgear's LAN it doesn't work.

I have configured the Netgear with 192.168.1.254/24 as LAN address and
88.XX.XX.106/28 as WAN address.

This is the configuration of the Linux server:
eth0 Link encap:Ethernet HWaddr 00:00:1C:00:08:8A
inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::200:1cff:fe00:88a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88149 errors:1 dropped:0 overruns:0 frame:0
TX packets:87570 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13353060 (12.7 MiB) TX bytes:62792483 (59.8 MiB)
Interrupt:12 Base address:0xc400

eth1 Link encap:Ethernet HWaddr 00:05:1C:04:75:FE
inet addr:195.XX.XX.153 Bcast:195.XX.XX.255 Mask:255.255.255.0
inet6 addr: fe80::205:1cff:fe04:75fe/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:115218 errors:0 dropped:0 overruns:0 frame:0
TX packets:77161 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:72403824 (69.0 MiB) TX bytes:13581805 (12.9 MiB)
Interrupt:10 Base address:0xc800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:117810 (115.0 KiB) TX bytes:117810 (115.0 KiB)

remote 88.XX.XX.106 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp768;
}
peers_identifier address "88.XX.XX.106";
verify_identifier on;
}

sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


spdadd 0.0.0.0/0[any] 192.168.1.0/24[any] any -P out ipsec
esp/tunnel/195.XX.XX.153-88.XX.XX.106/require;
#
spdadd 192.168.1.0/24[any] 0.0.0.0/0[any] any -P in ipsec
esp/tunnel/88.XX.XX.106-195.XX.XX.153/require;


# Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
*nat
:PREROUTING ACCEPT [2245:134953]
:POSTROUTING ACCEPT [166:46968]
:OUTPUT ACCEPT [149:45271]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.1:1723
-A PREROUTING -i eth1 -p gre -j DNAT --to-destination 192.168.0.1
-A PREROUTING -i eth1 -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.0.131:60001
-A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 18 17:54:20 2008
# Generated by iptables-save v1.3.6 on Tue Mar 18 17:54:20 2008
*filter
:INPUT ACCEPT [6153:1121189]
:FORWARD ACCEPT [50:7016]
:OUTPUT ACCEPT [4820:760457]
-A FORWARD -s 192.168.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar 18 17:54:20 2008


Can someone help me?

Pascal Hambourg
      03-19-2008, 09:58 AM
Hello,

Sandro wrote:
> Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
> Linux box with Debian Sarge.
> The IPsec tunnel goes up, and if I try to ping from the Netgear to every
> machine on the Linux LAN it works. But if I ping from the Linux LAN to
> the Netgear's LAN it doesn't work.

[...]
> -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE


You should exclude the IPsec traffic (both encapsulated and
decapsulated) from the masquerading:

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
    -d ! 192.168.1.0/24 -j MASQUERADE

PS: if eth1 has a fixed IP address you could use SNAT instead of
MASQUERADE.
 
Reply With Quote
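A check for the mistake diagnosed above, added here as an example and not part of the thread: it scans an iptables-save dump (a constructed excerpt modelled on the ruleset posted, not the poster's file) for POSTROUTING MASQUERADE/SNAT rules that would also rewrite packets bound for the remote LAN before the kernel applies the IPsec policy, and prints such a rule with the exclusion inserted. Treating a `-m policy --dir out --pol none` match as an equivalent exclusion is my assumption, not something the thread suggests; current iptables spells the negation `! -d`, and the older `-d !` form is accepted too.

```shell
#!/bin/sh
# Constructed iptables-save excerpts modelled on the thread's nat table.
RULESET_BEFORE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT'

RULESET_AFTER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -s 192.168.0.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
COMMIT'

# nat_leaks_to_tunnel RULESET REMOTE_LAN
# Prints every POSTROUTING MASQUERADE/SNAT rule that would also rewrite
# packets destined for REMOTE_LAN: no "! -d REMOTE_LAN" (or old "-d !")
# exclusion and no "-m policy ... --pol none" match (assumed alternative).
# Returns 0 when at least one such rule was found, 1 otherwise.
nat_leaks_to_tunnel() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ {
            excl = index($0, "! -d " lan) > 0 || index($0, "-d ! " lan) > 0
            pol  = index($0, "-m policy") > 0 && index($0, "--pol none") > 0
            if (!excl && !pol) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# fix_rule RULE REMOTE_LAN
# Inserts the destination exclusion in front of the MASQUERADE target so
# tunnel-bound packets keep their 192.168.0.x source and match the SA.
fix_rule() {
    printf '%s\n' "$1" | sed "s|-j MASQUERADE|! -d $2 -j MASQUERADE|"
}

# Demonstration on the constructed rulesets.
nat_leaks_to_tunnel "$RULESET_BEFORE" 192.168.1.0/24 | while read -r rule; do
    echo "leaks into tunnel: $rule"
    echo "corrected:         $(fix_rule "$rule" 192.168.1.0/24)"
done
nat_leaks_to_tunnel "$RULESET_AFTER" 192.168.1.0/24 || echo "after fix: no leaking rule"
```

On a live box, feed it `iptables-save -t nat` instead of the constructed string.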
 
Sandro
      03-19-2008, 11:33 AM
On 19 Mar, 11:58, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org> wrote:
> Hello,
>
> Sandro wrote:
>
> > Hi, I have to configure an IPsec tunnel between a Netgear DG834 and a
> > Linux box with Debian Sarge.
> > The IPsec tunnel goes up, and if I try to ping from the Netgear to every
> > machine on the Linux LAN it works. But if I ping from the Linux LAN to
> > the Netgear's LAN it doesn't work.

> [...]
> > -A POSTROUTING -o eth1 -s 192.168.0.0/255.255.255.0 -j MASQUERADE

>
> You should exclude the IPsec traffic (both encapsulated and
> decapsulated) from the masquerading:
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 \
>     -d ! 192.168.1.0/24 -j MASQUERADE
>
> PS: if eth1 has a fixed IP address you could use SNAT instead of
> MASQUERADE.


Thank you, it works!