OK, so if the public IP address is not part of the tunnel, why are the Openswan boxes sending packets to the public IPs across the tunnel? <br><br>Here's my connection for the subnet-subnet tunnel:<br><br>conn LANWC-TO-LANEC<br>
authby=secret<br> left=69.105.X.X<br> leftsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a><br> leftnexthop=%defaultroute<br> right=173.12.X.X<br> rightsubnet=<a href="http://192.168.10.0/24">192.168.10.0/24</a><br>
rightnexthop=%defaultroute<br> auto=start<br><br>What would I need to add to set up the subnet-to-public-IP connection? Something like:<br><br>conn LANWC-TO-ECPUB<br> authby=secret<br> left=69.105.X.X<br> leftsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a><br>
leftnexthop=%defaultroute<br> right=172.12.X.X<br> rightsubnet=172.12.X.X/29<br> rightnexthop=%defaultroute<br> auto=start<br><br>Thanks!<br><br>6:02 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br>
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div></div><div class="h5">On Mon, 10 Jan 2011, M B wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I have the following setup:<br>
<br>
LAN-WC-------------OpenSwan----------INTERNET------------OpenSwan------------LAN-EC<br>
192.168.0.X 192.168.10.X<br>
<br>
Currently I'm unable to ping either of the public IP addresses on the Openswan VPN boxes (both have public IPs) from the<br>
remote LAN. It looks like this is due to the Openswan box<br>
also being the default gateway for the respective LAN clients; therefore the LAN source IPs are not being NAT'd, resulting<br>
in an unroutable source IP address<br>
arriving at the public interface of the other Openswan box. How can I fix this on the Openswan boxes? Can I force<br>
traffic from each local LAN to the public<br>
IP of the other side's Openswan system to be NAT'd? Thanks.<br>
</blockquote>
<br></div></div>
The public IP is not part of the subnet-subnet tunnel, which only covers internal IPs.<br>
You will need to add an IPsec tunnel for subnet-to-public-IP at each end.<br>
<br>
If you want the gateways themselves to access the remote LAN with the internal IPs,<br>
you can use leftsourceip/rightsourceip set to their internal IP.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>
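<br>The ipsec.conf fragment below is an added example of the layout Paul describes (a subnet-to-public-IP conn at each end, plus leftsourceip/rightsourceip on the subnet-subnet conn). It is not from this thread or from the Openswan project. The public addresses are RFC 5737 placeholders standing in for the masked 69.105.X.X and 173.12.X.X, and the gateways' internal addresses (192.168.0.1 and 192.168.10.1) are assumed.<br>

```conf
# Added example, not from the original thread. Placeholders (assumptions):
#   192.0.2.10    = WC gateway public IP  (thread shows 69.105.X.X)
#   198.51.100.20 = EC gateway public IP  (thread shows 173.12.X.X)
#   192.168.0.1 / 192.168.10.1 = each gateway's own LAN address (assumed)
#
# Openswan works out which side it is by matching left/right against its own
# interface addresses, so these same conn blocks can be used on both gateways.

# Existing LAN-to-LAN tunnel, with leftsourceip/rightsourceip added so that
# traffic originated by the gateways themselves uses their internal IP and
# therefore matches this policy instead of leaving with the public IP as source.
conn LANWC-TO-LANEC
    authby=secret
    left=192.0.2.10
    leftsubnet=192.168.0.0/24
    leftsourceip=192.168.0.1
    leftnexthop=%defaultroute
    right=198.51.100.20
    rightsubnet=192.168.10.0/24
    rightsourceip=192.168.10.1
    rightnexthop=%defaultroute
    auto=start

# LAN-WC hosts <-> the EC gateway's public IP. The remote "subnet" is the
# single public address, so it is written as /32 (a /29 would also claim the
# neighbouring addresses on that link).
conn LANWC-TO-ECPUB
    authby=secret
    left=192.0.2.10
    leftsubnet=192.168.0.0/24
    leftnexthop=%defaultroute
    right=198.51.100.20
    rightsubnet=198.51.100.20/32
    rightnexthop=%defaultroute
    auto=start

# LAN-EC hosts <-> the WC gateway's public IP (the mirror image).
conn LANEC-TO-WCPUB
    authby=secret
    left=192.0.2.10
    leftsubnet=192.0.2.10/32
    leftnexthop=%defaultroute
    right=198.51.100.20
    rightsubnet=192.168.10.0/24
    rightnexthop=%defaultroute
    auto=start
```

After `ipsec auto --add` / `ipsec auto --up` for the new conns (or a restart, since they are auto=start), `ipsec auto --status` should list all three conns with their left/right selectors, and `ip xfrm policy` on each gateway should show a kernel policy for 192.168.0.0/24 <-> 198.51.100.20/32 and for 192.0.2.10/32 <-> 192.168.10.0/24. A ping from a LAN-WC host to 198.51.100.20 then matches LANWC-TO-ECPUB and is carried inside ESP, so the private source address never appears unencapsulated on the Internet; the EC gateway's reply to 192.168.0.x matches the same policy on the way back.<br>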