<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hey Peter,<br>
<br>
Thanks for the answer.<br>
I wonder: if we have a 192.168.x.x network behind 10.10.10.x and I set
up another connection that has leftsubnet=192.168.0.0/16,<br>
should it let the client through to 192.168.0.0?<br>
<br>
Thanks!<br>
<br>
Igor Widlinski<br>
<br>
Peter McGill wrote:
<blockquote cite="mid:003001c91f53$195a1350$350115ac@peter" type="cite">
<pre wrap="">Igor,
You cannot "route" traffic through IPSec tunnels.
Only traffic in the tunnel subnets can use the tunnel.
So to "route" anything/everything through the tunnel,
you logically need to specify leftsubnet=0.0.0.0/0
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
</pre>
<blockquote type="cite">
<pre wrap="">-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a>
[<a class="moz-txt-link-freetext" href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</a>] On Behalf Of Igor Widlinski
Sent: September 25, 2008 4:31 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a>
Subject: [Openswan Users] Destination Host Unreachable.
Hey guys,
I am having issues with routing. Basically I'm receiving Destination Host
Unreachable from the client when I try to ping networks that are not
specified in leftsubnet, i.e. the external internet (google.ca etc). Basic setup
of the network is as follows:
10.10.10.0/24===10.1.1.2...10.1.1.3;
Logical Setup:
Internet..InternalNet...Nat...OpenSwanServer...Client
Ips:
Client 10.1.1.3
SwanServer: 10.1.1.2
Nat -> 10.1.1.2 to 10.10.10.120
InternalNet 10.10.10.0/24
Internet ??
Basically I can ping all hosts on 10.10.10.x from the client. So this is
fine. I'd like the client to be able to access the internet
through the OpenSwan server, or any other networks that are connected to our
internal network.
.conf file:
conn net1
        leftsubnet=10.10.10.0/24
        also=base
conn base
        authby=secret
        ike=3des-md5
        esp=3des-md5
        pfs=yes
        left=10.1.1.2
        right=10.1.1.3
        auto=add
iptables -L
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RULE_0 all -- anywhere anywhere state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RULE_0 all -- anywhere anywhere state NEW
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RULE_0 all -- anywhere anywhere state NEW
Chain RULE_0 (3 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `RULE 0 -- ACCEPT '
ACCEPT all -- anywhere anywhere
When pinging google.com from client I receive:
From xxx (10.1.1.3) icmp_seq=xxx Destination Host Unreachable
I know I am missing something in the configuration, but I have no idea
what it could be. Any help would be appreciated.
Thanks!
Igor Widlinski
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Igor Widlinski
Systems Administrator
Eigen Development Ltd.
#300 - 1807 West 10th Avenue
Vancouver BC, V6J 2A9
t. 604.736.1066
f. 604.736.5669
e. <a class="moz-txt-link-abbreviated" href="mailto:igor.widlinski@eigendev.com">igor.widlinski@eigendev.com</a>
</pre>
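<br>
As an added illustration of Peter's point (only traffic that matches a conn's leftsubnet enters the tunnel) and of Igor's follow-up (a second conn with leftsubnet=192.168.0.0/16), here is a small Python script that is not part of this thread or of Openswan. It parses the conn blocks quoted above, expands also=, and reports which conn, if any, covers a given destination. The conn named net2 and the Internet address 203.0.113.10 are constructed for the example, and the selector match reproduces the kernel's IPsec policy lookup only in outline (longest matching leftsubnet wins; a missing leftsubnet defaults to the left host itself).<br>

```python
import ipaddress

# Constructed sample: the conn blocks from the thread plus a hypothetical
# second conn (net2) for the 192.168.0.0/16 network asked about in the reply.
SAMPLE_CONF = """\
conn net1
        leftsubnet=10.10.10.0/24
        also=base
conn net2
        leftsubnet=192.168.0.0/16
        also=base
conn base
        authby=secret
        ike=3des-md5
        esp=3des-md5
        pfs=yes
        left=10.1.1.2
        right=10.1.1.3
        auto=add
"""


def parse_conf(text):
    """Parse 'conn NAME' sections into {name: {key: value}} without expanding also=."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def expand(sections, name, seen=None):
    """Resolve also= includes; a conn's own keys override the included conn's keys."""
    seen = (seen or frozenset()) | {name}
    own = dict(sections[name])
    includes = own.pop("also", None)
    merged = {}
    if includes:
        for inc in includes.split(","):
            inc = inc.strip()
            if inc in seen:
                raise ValueError("also= cycle at " + inc)
            merged.update(expand(sections, inc, seen))
    merged.update(own)
    return merged


def tunnel_selectors(sections):
    """Effective leftsubnet per conn; Openswan defaults it to the left host (/32)."""
    result = {}
    for name in sections:
        conf = expand(sections, name)
        subnet = conf.get("leftsubnet") or (conf["left"] + "/32")
        result[name] = ipaddress.ip_network(subnet, strict=False)
    return result


def tunnel_for(selectors, dst):
    """Return the conn whose leftsubnet covers dst (most specific wins), or None.

    A packet the client sends to a destination outside every selector never
    enters the tunnel, which is the Destination Host Unreachable case in the thread.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for name, net in selectors.items():
        if addr in net and (best is None or net.prefixlen > selectors[best].prefixlen):
            best = name
    return best


def classify(conf_text, destinations):
    """Map each destination to the covering conn name for the given ipsec.conf text."""
    selectors = tunnel_selectors(parse_conf(conf_text))
    return {d: tunnel_for(selectors, d) for d in destinations}


if __name__ == "__main__":
    # 203.0.113.10 stands in for an arbitrary Internet host (TEST-NET-3, constructed).
    print(classify(SAMPLE_CONF, ["10.10.10.5", "192.168.1.7", "203.0.113.10"]))
```

Running it shows 10.10.10.5 covered by net1, 192.168.1.7 covered by net2, and the Internet address covered by nothing. Appending a conn with leftsubnet=0.0.0.0/0 to the text makes the Internet address match that conn while the more specific net1 still wins for 10.10.10.x, which is the behaviour Peter describes.<br>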
</body>
</html>