I followed the tutorials at
megaz.arbuz.com/archives/2005/01/28/linux-vpn-guide/1
jacco2.dds.nl/networking/
and got it working, to some extent. My network looks like this:
client(192.168.0.4)<-->(192.168.0.1)Router(x.x.x.x)<-->Internet<-->(x.x.x.x)Router(192.168.0.1)<-->(192.168.0.2)Firewall/dhcp(192.168.10.1)
<----->(192.168.10.2)Client1
<----->(192.168.10.3)Client2
<----->(192.168.10.4)Client3
Both the client and the server are behind NAT.
I can connect to the VPN and ping/ssh to my firewall/dhcp machine. But when I try to ping/ssh Client1-3 I get a timeout. I can ping/ssh Client1-3 fine through my Firewall/dhcp machine.
I think there's something wrong with my iptables rules.
Code:
# vpn
# $WAN_MIC, $WAN_IP and $PERSONAL_LAN_IP_NET are set earlier in the script:
# the Internet-facing interface, its address, and the LAN behind the
# firewall (192.168.10.0/24 in the diagram above).
# IKE (ISAKMP) on UDP 500
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
# IKE NAT-Traversal, needed because both ends sit behind NAT. NAT-T runs over
# UDP 4500; the TCP 4500 rules are harmless but IPsec does not use them.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
# Forward anything entering or leaving the PPP interfaces the VPN creates
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT
# ---------------------------------------------------------------------------------
# ESP encryption and authentication
# Allow ESP Traffic from/to Gateway
iptables -A INPUT -i $WAN_MIC -p esp -j ACCEPT
iptables -A OUTPUT -o $WAN_MIC -p esp -j ACCEPT
# Tag Incoming IPSec Traffic. 'mark' sticks after processing.
iptables -t mangle -A PREROUTING -i $WAN_MIC -p esp -j MARK --set-mark 1
# Forward Authenticated Traffic to LAN.
iptables -A FORWARD -i $WAN_MIC -m mark --mark 1 -d $PERSONAL_LAN_IP_NET -j ACCEPT
# SRC nat everything apart from esp traffic.
# ('! -p esp' is the current negation syntax; older iptables wrote '-p ! esp')
iptables -t nat -A POSTROUTING -o $WAN_MIC ! -p esp -j SNAT --to-source $WAN_IP
Thanks in advance.
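As an added example (not code from the original post or from the linked guides), the following Python models iptables' first-match walk through the FORWARD chain shown above, so you can see which rule a packet from the VPN client actually hits and which rules never get a chance. Everything not in the post is an assumption: $WAN_MIC is taken to be eth0, the LAN interface eth1, $PERSONAL_LAN_IP_NET 192.168.10.0/24, the VPN client's PPP-side address 10.99.0.2, and the chain's default policy DROP.

```python
"""Model of iptables' first-match walk through a FORWARD chain.

Added example, not from the original post. Interface names, the PPP address
and the chain policy are assumptions (see comments); the rules mirror the
FORWARD lines of the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                      # -j ACCEPT / DROP / REJECT
    in_iface: Optional[str] = None   # -i (a trailing '+' is a prefix wildcard)
    out_iface: Optional[str] = None  # -o
    dst: Optional[str] = None        # -d network in CIDR form
    mark: Optional[int] = None       # -m mark --mark N


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface routing chose for it
    src: str
    dst: str
    mark: int = 0   # skb mark, 0 unless a mangle rule set it


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables interface matching: exact, or prefix when pattern ends in '+'."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match the rule specifies holds for the packet."""
    if not iface_match(rule.in_iface, pkt.in_iface):
        return False
    if not iface_match(rule.out_iface, pkt.out_iface):
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.mark is not None and pkt.mark != rule.mark:
        return False
    return True


def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the rule that decided it). The first matching
    rule wins; the chain policy applies only when nothing matches."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.target, i
    return policy, None


# The FORWARD rules from the post, with assumed names: $WAN_MIC = eth0,
# LAN side = eth1, $PERSONAL_LAN_IP_NET = 192.168.10.0/24.
FORWARD = [
    Rule("ACCEPT", in_iface="ppp+"),
    Rule("ACCEPT", out_iface="ppp+"),
    Rule("ACCEPT", in_iface="eth0", mark=1, dst="192.168.10.0/24"),
]

# Constructed packets. 10.99.0.2 is a made-up address for the VPN client's
# PPP end of the tunnel.
VPN_TO_CLIENT1 = Packet("ppp0", "eth1", "10.99.0.2", "192.168.10.2")
CLIENT1_REPLY = Packet("eth1", "ppp0", "192.168.10.2", "10.99.0.2")
# Decrypted ESP payload re-entering from the WAN side, with and without the mark.
MARKED_ESP_PAYLOAD = Packet("eth0", "eth1", "192.168.0.4", "192.168.10.2", mark=1)
UNMARKED_ESP_PAYLOAD = Packet("eth0", "eth1", "192.168.0.4", "192.168.10.2")


def verdicts(policy: str = "DROP") -> dict:
    """Verdict for each constructed packet against the post's FORWARD chain."""
    return {
        "vpn_to_client1": walk_chain(FORWARD, VPN_TO_CLIENT1, policy),
        "client1_reply": walk_chain(FORWARD, CLIENT1_REPLY, policy),
        "marked_esp": walk_chain(FORWARD, MARKED_ESP_PAYLOAD, policy),
        "unmarked_esp": walk_chain(FORWARD, UNMARKED_ESP_PAYLOAD, policy),
    }


def shadowed_by_earlier_rule() -> Tuple[str, Optional[int]]:
    """Same chain, but with a catch-all DROP that was appended before the VPN
    rules: the later -i ppp+ ACCEPT is never reached."""
    return walk_chain([Rule("DROP")] + FORWARD, VPN_TO_CLIENT1)


if __name__ == "__main__":
    for name, (verdict, idx) in verdicts().items():
        print(f"{name:16s} -> {verdict} (rule {idx})")
    print("with earlier DROP ->", shadowed_by_earlier_rule())
```

The walk shows that traffic arriving on a ppp interface is decided by the first rule alone and never reaches the mark rule, which only covers packets entering from $WAN_MIC; the `shadowed_by_earlier_rule` case is the thing to look for on the real box with `iptables -L FORWARD -v -n --line-numbers`, since a DROP or REJECT that was added earlier in the chain wins over anything appended after it. The model covers the chain only, so forwarding on the firewall still needs `net.ipv4.ip_forward` set to 1 as well.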