just set leftsourceip and rightsourceip to your VPN gateways' internal address may help<br><div class="gmail_quote">2009/4/21 tang huu trong <span dir="ltr"><<a href="mailto:huutrong@gmail.com">huutrong@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>Dear all.</div>
<div> </div>
<div>my network structure below:</div>
<div> </div>
<div>private2 ---- vpn2 ----------internet---------- vpn1 --------- private1</div>
<div> </div>
<div>private 2 : 172.16.2.0 /24</div>
<div>private 1: 172.16.1.0 / 24</div>
<div>
<div>vpn2 server: private interface: 172.16.2.1 ; public interface: 210.245.125.41</div></div>
<div>vpn1 server: private interface: 172.16.1.1 ; public interface: 210.245.125.181</div>
<div> </div>
<div> </div>
<div>after i run :</div>
<div>ipsec auto --up net-to-net<br>117 "net-to-net" #3: STATE_QUICK_I1: initiate<br>004 "net-to-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x98e7bb68 <0xd0adaf54 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
<div> </div>
<div>i think the IPsec SA established and success.</div>
<div> </div>
<div>BUT: i can't ping to private network behind vpn server from both site (iptables stopped and there 2 vpn servers didn't under firewall).</div>
<div> </div>
<div>then i check routing by "netstat -nr" on vpnserver2, result:</div>
<div>netstat -nr<br>Kernel IP routing table<br>Destination Gateway Genmask Flags MSS Window irtt Iface<br>210.245.125.0 0.0.0.0 255.255.255.192 U 0 0 0 eth0<br>172.16.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1<br>
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1<br>0.0.0.0 210.245.125.1 0.0.0.0 UG 0 0 0 eth0</div>
<div> </div>
<div> </div>
<div>it didn't have route line to another private site, it should be have 1 more line:</div>
<div>172.16.1.0 210.245.125.181 255.255.255.0 UG 0 0 0 eth0</div>
<div> </div>
<div>and check routing by "netstat -nr" on vpnserver1, it didn't have route line to network private2, too.</div>
<div> </div>
<div>what did i wrong?</div>
<div> </div>
<div>i try add route by manual on vpn2, but system inform : network is unreachable.</div>
<div>route add -net 172.16.1.0 netmask 255.255.255.0 gw 210.245.125.181<br>SIOCADDRT: Network is unreachable</div>
<div> </div>
<div>but i can ping 210.245.125.181 from vpnserver2.</div>
<div> </div>
<div>and this is my config file:</div>
<div>conn net-to-net<br> left=210.245.125.41<br> leftsubnet=<a href="http://172.16.2.0/24" target="_blank">172.16.2.0/24</a><br> <a href="mailto:leftid=@210.245.125.41" target="_blank">leftid=@210.245.125.41</a><br> leftrsasigkey=.................<br>
leftnexthop=210.245.125.181</div>
<div> right=210.245.125.181<br> rightsubnet=<a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a><br> <a href="mailto:rightid=@210.245.125.181" target="_blank">rightid=@210.245.125.181</a><br> rightrsasigkey=...........</div>
<div> rightnexthop=210.245.125.41</div>
<div> auto=start</div>
<div> </div>
<div>i set leftnexthop and rightnexthop in config file. but why didn't have route line after start tunnel? what did i wrong?</div>
<div>please help me. thanks you very much.</div>
<div> </div>
<br>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br>