OK, thanks, but if I don't want my gateway to talk to remote private and instead just want to access remote private from my-private, will I be required to make changes even in that case?<br><br>Rgds,<br>Hammad<br><br><div class="gmail_quote">
On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">You cannot use route add or ip route add with openswan; you must specify the traffic which uses the tunnel in left/rightsubnet(s).</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">To clarify, where are you pinging/telnetting from?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">A ping from 10.5.125.100 or 58.58.58.58 will not work because you have not included them in leftsubnet.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not work.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Pings to 58... and 202... will work but not encrypted, plain internet.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">If you want your gateway to be able to communicate with remote private also, then change your conn as follows:</font></span></div>
<div dir="ltr" align="left"><span> <font color="#0000ff" face="Arial" size="2">leftsourceip=10.5.125.100 # gw will use this instead of 58... to talk to rem. priv.</font></span></div>
<div dir="ltr" align="left"><span> <font color="#0000ff" face="Arial" size="2">leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too</font></span></div>
<div> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b> Khan, Hammad Aslam
[mailto:<a href="mailto:raohammad@gmail.com" target="_blank">raohammad@gmail.com</a>] <br><b>Sent:</b> March 12, 2008 2:11
AM<br><b>To:</b> <a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a><br><b>Cc:</b>
<a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Packets not passing
through Tunnel<br></font><br></div><div><div></div><div class="Wj3C7c">
<div></div>
<div>I have already enabled IP forwarding.</div>
<div>My setup is like this:<br><br><pre>
my private        my gateway                          &lt;&lt;public&gt;&gt;        remote gw (cisco vpn 3000)     remote private
------------------------------------------------------------------------------------------------------------------------
10.5.125.105 === 10.5.125.100 (eth1) (eth0) 58.58.58.58 &gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt; 202.202.202.202 ?.?.?.? ==== 10.8.13.113
</pre><br><b>My config file</b><br><pre>
config setup
    interfaces="ipsec0=eth0"
    plutodebug="all"
    nat_traversal=yes

conn nattelenor
    type=tunnel
    authby=secret              # secret key
    auth=esp
    pfs=no
    keylife=28800
    keyingtries=3
    auto=add
    ike=3des-md5-modp1024
    esp=3des-md5
    left=58.58.58.58           # my external, internet-routable ip address, provided by NAT box
    leftsubnet=10.5.125.105/32
    right=202.202.202.202      # my peer's external, internet-routable ip address
    rightsubnet=10.8.13.113/32

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</pre><br><b>My ipsec verify result</b><br><pre>
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
</pre><br>Regards,<br>Hammad<br><br><br></div>
<div class="gmail_quote">On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <<a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Without them you can only ping hosts other than the ipsec gateway on the remote lan, and only from hosts on the local lan, not the local ipsec gateway.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Show us your ipsec.conf and ipsec verify.</font></span></div>
<div> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b> <a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a> [mailto:<a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a>] <b>On Behalf Of </b>Khan,
Hammad Aslam<br><b>Sent:</b> March 11, 2008 1:45 PM<br><b>To:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> [Openswan Users]
Packets not passing through Tunnel<br></font><br></div>
<div>
<div></div>
<div>
<div></div>Hello everyone,<br>My tunnel has been successfully established (both ISAKMP and IPsec are UP), but when I try to ping/telnet the remote end's private network PC I don't get any response.<br><br>Using <b>tcpdump -i eth0</b> (which is my public interface of the GW) it shows that the GW is querying the internet for the remote private network using ARP. No ESP packets are seen...<br><br>I added a route:<br># route add &lt;remote-private-ip&gt; gw &lt;remote-public-ip&gt;<br>...but still I see the same result.<br><br>Please help.<br><br>Regards,<br>Hammad<br></div></div></blockquote></div></blockquote></div><br></div></div></blockquote></div>
</blockquote></div><br>
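<p>An added example, not code from this thread or from Openswan, illustrating the point in Peter's reply above: a packet leaves the gateway as ESP only when its source and destination both fall inside the conn's leftsubnet/rightsubnet selectors; anything else (the gateway's own 10.5.125.100 or 58.58.58.58 addresses under a leftsubnet of 10.5.125.105/32) goes out as plain internet traffic, which is why tcpdump shows ARP and no ESP. It goes slightly beyond the thread by implementing the general CIDR selector check, and it also checks the ICMP send_redirects/accept_redirects sysctls that ipsec verify reported as [FAILED]. The addresses are the thread's; the helper names (ip4_to_int, in_subnet, tunneled, check_redirects, show) are this example's own. POSIX sh, no bashisms.</p>

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from Openswan.
# It models the point in Peter's reply: only traffic whose source and
# destination fall inside the conn's leftsubnet/rightsubnet selectors leaves
# eth0 as ESP; anything else goes out as plain internet traffic. It also
# checks the ICMP redirect sysctls that `ipsec verify` reported as [FAILED].
# Addresses are the thread's; the helper names below are this example's own.

# ip4_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip4_to_int() {
    oldifs=$IFS; IFS=.
    # shellcheck disable=SC2086
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> status 0 if IP lies inside CIDR (a bare IP means /32)
in_subnet() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# tunneled SRC DST LEFTSUBNET RIGHTSUBNET -> status 0 if the packet matches the
# conn's selectors in either direction (outbound left->right, or the reply).
tunneled() {
    if in_subnet "$1" "$3" && in_subnet "$2" "$4"; then return 0; fi
    if in_subnet "$1" "$4" && in_subnet "$2" "$3"; then return 0; fi
    return 1
}

# check_redirects [DIR] -> status 0 when every DIR/*/send_redirects and
# DIR/*/accept_redirects reads 0 (what `ipsec verify` wants for NETKEY),
# status 1 if any interface still has one enabled. DIR defaults to the real
# sysctl tree; pass another directory to exercise the logic offline.
check_redirects() {
    dir=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for f in "$dir"/*/send_redirects "$dir"/*/accept_redirects; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# show SRC DST LEFTSUBNET RIGHTSUBNET -> one line saying how the packet leaves
show() {
    if tunneled "$1" "$2" "$3" "$4"; then how="ESP through the tunnel"
    else how="plain internet, no ESP"; fi
    printf '%-13s -> %-12s leftsubnet=%-16s %s\n' "$1" "$2" "$3" "$how"
}

# Worked cases from the thread: the posted /32 selector versus the suggested /28.
for sel in 10.5.125.105/32 10.5.125.96/28; do
    show 10.5.125.105 10.8.13.113 "$sel" 10.8.13.113/32   # LAN host: tunneled with either
    show 10.5.125.100 10.8.13.113 "$sel" 10.8.13.113/32   # gateway's eth1: only with the /28
    show 58.58.58.58  10.8.13.113 "$sel" 10.8.13.113/32   # gateway's eth0: never
done

# Live check of the sysctls `ipsec verify` complained about (reads /proc if present).
check_redirects || echo 'ICMP redirects are still enabled on some interface' >&2
```

<p>Run it on the gateway and the last line tells you whether the two ipsec verify [FAILED] items are still open; the fix ipsec verify asks for is to write 0 into every <code>/proc/sys/net/ipv4/conf/*/send_redirects</code> and <code>/proc/sys/net/ipv4/conf/*/accept_redirects</code> file (the per-interface files matter, not only <code>all</code>, since the kernel combines them). The selector check is the same test the kernel's IPsec policy applies: with leftsubnet=10.5.125.105/32 the gateway's own addresses are outside the policy, so its pings and the added <code>route add</code> never produce ESP.</p>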