<div><div>Hello list,</div><div><br></div><div>I have established a net-to-net VPN successfully but I just can't make gate-to-net and gate-to-gate work.</div><div><br></div><div>This is my scenario:</div><div><br></div>
<div>192.168.100.0/24 left subnet</div><div><br></div><div>192.168.100.100 left gw private interface</div><div>200.200.200.200 left gw public interface</div><div><br></div><div>200.200.200.1 left gw defaultroute</div>
<div> </div><div>INTERNET</div><div><br></div><div>100.100.100.1 right gw defaultroute</div><div><br></div><div>100.100.100.100 right gw public interface</div><div>192.168.10.1 right gw private interface</div><div><br></div>
<div>192.168.10.0/24 right subnet</div><div><br></div><div><br></div><div>OK, my /etc/ipsec/ipsec.conf is</div><div><br></div><div>config setup</div><div><span style="white-space:pre">        </span>nat_traversal=yes</div>
<div><span style="white-space:pre">        </span>nhelpers=0</div><div><span style="white-space:pre">        </span>interfaces=%defaultroute</div><div><br></div><div>conn net-to-net</div>
<div><span style="white-space:pre">        </span>right=100.100.100.100</div><div><span style="white-space:pre">        </span>rightsubnet=192.168.10.0/24</div><div><span style="white-space:pre">        </span>rightcert=right.cert</div><div><span style="white-space:pre">        </span>left=200.200.200.200</div><div><span style="white-space:pre">        </span>leftsubnet=192.168.100.0/24</div>
<div><span style="white-space:pre">        </span>leftcert=left.cert</div><div><span style="white-space:pre">        </span>pfs=yes</div><div><span style="white-space:pre">        </span>auto=add</div><div><br></div><div>conn lgate-to-rnet</div><div><span style="white-space:pre">        </span>left=200.200.200.200</div><div><span style="white-space:pre">        </span>right=100.100.100.100</div><div><span style="white-space:pre">        </span>leftcert=left.cert</div>
<div><span style="white-space:pre">        </span>rightsubnet=192.168.10.0/24</div><div><span style="white-space:pre">        </span>rightcert=right.cert</div><div><span style="white-space:pre">        </span>auto=add</div><div><br></div><div>conn rgate-to-lnet</div><div><span style="white-space:pre">        </span>left=200.200.200.200</div>
<div><span style="white-space:pre">        </span>leftsubnet=192.168.100.0/24</div>
<div><span style="white-space:pre">        </span>right=100.100.100.100</div><div><span style="white-space:pre">        </span>leftcert=left.cert</div><div><span style="white-space:pre">        </span>rightcert=right.cert</div><div><span style="white-space:pre">        </span>auto=add</div><div><br></div><div>conn lgate-to-rgate</div><div><span style="white-space:pre">        </span>left=200.200.200.200</div><div><span style="white-space:pre">        </span>right=100.100.100.100</div>
<div><span style="white-space:pre">        </span>leftcert=left.cert</div><div><span style="white-space:pre">        </span>rightcert=right.cert</div><div><span style="white-space:pre">        </span>auto=add</div><div><br></div><div>----------------------</div><div><br></div><div>OK, when I start net-to-net, everything is cool.</div><div><br></div>
<div><div># ipsec auto --up net-to-net</div><div>104 "net-to-net" #1: STATE_MAIN_I1: initiate</div><div>003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]</div>
<div>003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]</div><div>003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=109 </div><div>106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div>003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</div><div>108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}</div>
<div>117 "net-to-net" #2: STATE_QUICK_I1: initiate</div><div>004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=&gt;0x346c70d8 &lt;0x96ddd1d9 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}</div>
<div><br></div><div><br></div><div>And I can ping from left subnet to right subnet.</div><div><br></div><div>Then I try to establish lgate-to-rnet from the left gateway:</div><div><br></div><div><div># ipsec auto --up lgate-to-rnet</div>
<div>117 "lgate-to-rnet" #3: STATE_QUICK_I1: initiate</div><div>004 "lgate-to-rnet" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=&gt;0x96d7436d &lt;0x0662bbe4 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}</div>
<div><br></div><div><br></div><div>It looks good as well, but I just can't ping from the left gw to the right subnet. In the meantime, the previously established net-to-net VPN is broken, as I can't ping from the left subnet to the right subnet either.</div>
<div><br></div><div><div><br></div><div>I am not sure what's going wrong.</div><div><br></div><div>My question is:</div><div><br></div><div>1. In my scenario, is it possible to build net-to-net, lgate-to-rnet, rgate-to-lnet and lgate-to-rgate at the same time with one single ipsec.conf?</div>
<div>2. How do I correct my problem so I can establish them with no error?</div><div><br></div><div>Pahud</div></div></div></div></div>
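<div>The script below is an added illustration for readers of this thread; it is not part of Pahud's post and not Openswan code. It parses the conn sections of the ipsec.conf above (copied inline, certificate lines dropped since they do not affect traffic selectors), works out the effective selector pair each conn would install, and reports any two conns whose selectors overlap on both sides, which is the first thing to rule out when bringing up a second tunnel between the same two gateways disturbs the first. It assumes the rule from ipsec.conf(5) that a side without a leftsubnet/rightsubnet entry selects the host address itself (left/32 or right/32). The parser is deliberately minimal (no also=, include, or %defaultroute handling), and the DUPLICATE_CONF variant is a constructed case, not something from the post, added only to show the overlap check firing.</div>

```python
"""Work out the traffic selectors each conn in an ipsec.conf would install
and flag conns that would compete for the same traffic.

Added illustration, not from the mailing-list post or from Openswan.
Assumption (ipsec.conf(5)): a side with no *subnet= entry selects the
host address itself, i.e. left/32 or right/32.
"""
import ipaddress
from itertools import combinations

# Constructed copy of the conn sections posted above (cert lines omitted;
# they do not change the selectors).
SAMPLE_CONF = """
config setup
        nat_traversal=yes
        interfaces=%defaultroute

conn net-to-net
        right=100.100.100.100
        rightsubnet=192.168.10.0/24
        left=200.200.200.200
        leftsubnet=192.168.100.0/24
        pfs=yes
        auto=add

conn lgate-to-rnet
        left=200.200.200.200
        right=100.100.100.100
        rightsubnet=192.168.10.0/24
        auto=add

conn rgate-to-lnet
        left=200.200.200.200
        leftsubnet=192.168.100.0/24
        right=100.100.100.100
        auto=add

conn lgate-to-rgate
        left=200.200.200.200
        right=100.100.100.100
        auto=add
"""

# Constructed variant (NOT from the post): a fifth conn repeats the
# net-to-net selectors, so the overlap check has something to report.
DUPLICATE_CONF = SAMPLE_CONF + """
conn net-to-net-again
        left=200.200.200.200
        leftsubnet=192.168.100.0/24
        right=100.100.100.100
        rightsubnet=192.168.10.0/24
        auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Section headers start in column 0; their parameters are the indented
    lines beneath them, which is what ipsec.conf requires.  'config setup'
    and other non-conn sections are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:                       # parameter of a non-conn section
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def selectors(conns):
    """Map each conn to its effective (left_selector, right_selector) networks."""
    out = {}
    for name, params in conns.items():
        ends = []
        for side in ("left", "right"):
            host = params[side]
            # /32 default when no subnet is given (assumption from ipsec.conf(5))
            subnet = params.get(side + "subnet", host + "/32")
            ends.append(ipaddress.ip_network(subnet, strict=False))
        out[name] = tuple(ends)
    return out


def overlapping_pairs(sel):
    """Conn name pairs whose selectors overlap on both sides: two policies
    that would claim the same traffic in the kernel's SPD."""
    clashes = []
    for (a, sa), (b, sb) in combinations(sorted(sel.items()), 2):
        if sa[0].overlaps(sb[0]) and sa[1].overlaps(sb[1]):
            clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    sel = selectors(parse_ipsec_conf(SAMPLE_CONF))
    for name, (left, right) in sel.items():
        print(f"{name:15s} {left} <-> {right}")
    print("overlapping:", overlapping_pairs(sel) or "none")
```

<div>Run against the posted configuration, the four conns come out with pairwise distinct selector pairs (net-to-net 192.168.100.0/24 to 192.168.10.0/24, lgate-to-rnet 200.200.200.200/32 to 192.168.10.0/24, rgate-to-lnet 192.168.100.0/24 to 100.100.100.100/32, lgate-to-rgate 200.200.200.200/32 to 100.100.100.100/32), so a selector clash in the file itself is ruled out; the constructed duplicate is the only pair the check reports. The file is only the intent, though: the authoritative view of what is actually installed on the gateway is the kernel policy database (ip xfrm policy with NETKEY, ipsec eroute with KLIPS), and that is what to compare before and after bringing up the second conn.</div>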