Well, because the subnets were improper, the machine that was the host sent the packet to the Openswan, which is its gateway, but the Openswan sent it to its gateway of 92.2. When I fixed the subnet, it then went through the tunnel. But the traffic on the Openswan itself no longer goes through the tunnel, which is the way it's supposed to be.<br>
<br>Ryan<br><br><div class="gmail_quote">On Fri, Jul 9, 2010 at 4:59 PM, Willie Gillespie <span dir="ltr"><<a href="mailto:wgillespie%2Bopenswan@es2eng.com">wgillespie+openswan@es2eng.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
So what was happening is that the local subnet is sending packets directly to the gateway address of 192.168.92.2 -- they had no reason to go to your Openswan server at 192.168.92.128 -- so they aren't going to be encapsulated.<br>
<br>
Ryan McLeod wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
The gateway of the subnet is 192.168.92.2, which is a built-in virtual NIC for VMware. x.x.x.128 is the Openswan itself, and the left subnet is now <a href="http://11.11.11.0/24" target="_blank">11.11.11.0/24</a>.<div class="im">
<br>
<br>
On Fri, Jul 9, 2010 at 3:35 PM, Willie Gillespie <<a href="mailto:wgillespie%2Bopenswan@es2eng.com" target="_blank">wgillespie+openswan@es2eng.com</a>> wrote:<br>
<br>
I believe if he is behind a NAT on the left and we are looking at<br>
the config file for the left, then this _may_ be a proper way to<br>
have it set up -- depending on his network setup.<br>
<br>
Ryan, the question I have for you regards this:<br>
<br>
<br>
>> The connection establishes just fine. On the openswan server, if I<br>
>> ping 192.168.1.5, a host on the remote network, the traffic goes<br>
>> through the tunnel encrypted. If I ping that host from the local<br>
>> subnet, it goes over the wire unencrypted. Looking at the route table<br>
>> on the openswan box, there is no entry for the remote network:<br>
<br>
Does "the local subnet" have its gateway set to 192.168.92.128, or<br>
192.168.92.2?<br>
<br>
Willie<br>
<br>
Nick Howitt wrote:<br>
<br>
Odd. Your left WAN IP appears to be on the same subnet as the<br>
left LAN. I don't see that working. Are you sure of your set up?<br>
<br>
On 09/07/2010 19:24, Ryan McLeod wrote:<br>
<br>
connection config looks like:<br>
<br>
conn tunnelipsec<br>
type=tunnel<br>
authby=secret<br>
left=192.168.92.128<br>
leftnexthop=192.168.92.2<br></div>
leftsubnet=192.168.92.0/24<div class="im"><br>
right=200.200.200.1<br>
rightnexthop=200.200.200.2<br></div>
rightsubnet=192.168.1.0/24<div><div></div><div class="h5"><br>
esp=3des-md5<br>
keyexchange=ike<br>
pfs=no<br>
auto=start<br>
<br>
<br>
The connection establishes just fine. On the openswan<br>
server, if I ping 192.168.1.5, a host on the remote network,<br>
the traffic goes through the tunnel encrypted. If I ping<br>
that host from the local subnet, it goes over the wire<br>
unencrypted. Looking at the route table on the openswan box,<br>
there is no entry for the remote network:<br>
<br>
Destination Gateway Genmask<br>
192.168.92.0 * 255.255.255.0<br>
link-local * 255.255.0.0<br>
default 192.168.92.2 0.0.0.0<br>
<br>
I initialize the tunnel with: ipsec auto --up tunnelipsec<br>
<br>
I have added to iptables:<br>
<br>
$IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT<br>
<br>
$IPTABLES -A OUTPUT -p udp --dport 500 -j ACCEPT<br>
$IPTABLES -A INPUT -p udp --dport 4500 -j ACCEPT<br>
$IPTABLES -A OUTPUT -p udp --dport 4500 -j ACCEPT<br>
<br>
<br>
$IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1<br>
$IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT<br>
<br>
<br>
<br>
Any help is appreciated,<br>
<br>
Thanks.<br>
<br>
<br>
_______________________________________________<br></div></div>
<a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><div class="im"><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br>
<br>
</div>
<div class="im">
</div></blockquote>
</blockquote></div><br>
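As an added example (not from the thread or the Openswan project), a small Python checker for the misconfiguration Nick and Willie diagnosed above: it parses a conn block like the one Ryan posted and flags a side whose address or nexthop falls inside its own subnet, which is why LAN hosts were reaching the remote network via 192.168.92.2 instead of the Openswan box. SAMPLE_CONF is constructed from the posted conn (trimmed to the routing keys), and the function names are this example's own.

```python
# Added example (not from the thread): parse an ipsec.conf-style conn block and
# flag the left-side misconfiguration discussed above (WAN IP inside leftsubnet).
import ipaddress
import re

# Constructed from the conn posted in the thread, trimmed to the routing keys.
SAMPLE_CONF = """
conn tunnelipsec
    left=192.168.92.128
    leftnexthop=192.168.92.2
    leftsubnet=192.168.92.0/24
    right=200.200.200.1
    rightnexthop=200.200.200.2
    rightsubnet=192.168.1.0/24
"""

def parse_conn(text):
    """Return {conn_name: {key: value}} for every conn section in text."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_side(params, side):
    """Findings for one side ('left' or 'right') of a conn."""
    findings = []
    addr, subnet = params.get(side), params.get(side + "subnet")
    nexthop = params.get(side + "nexthop")
    if not (addr and subnet):
        return findings
    net = ipaddress.ip_network(subnet, strict=False)
    if ipaddress.ip_address(addr) in net:
        # Hosts on that LAN send remote-bound traffic to their own default
        # gateway, so it never reaches Openswan to be encapsulated.
        findings.append(f"{side}={addr} lies inside {side}subnet={subnet}")
    if nexthop and ipaddress.ip_address(nexthop) in net:
        findings.append(f"{side}nexthop={nexthop} lies inside {side}subnet={subnet}")
    return findings

def check_conf(text):
    """Map each conn name to its list of findings (empty list means clean)."""
    return {name: check_side(p, "left") + check_side(p, "right")
            for name, p in parse_conn(text).items()}
```

Running check_conf on SAMPLE_CONF reports both left-side findings; changing leftsubnet to a separate LAN such as 11.11.11.0/24, as Ryan did, makes the conn clean.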