in looking over my ipsec.conf i forgot that i already had changed it as i have multiple subs on the right side. so, it actually looks like this:<br><br>conn first-subnet<br> rightsubnet=<a href="http://192.168.10.0/24">192.168.10.0/24</a><br>
also=LANWC-TO-LANEC<br><br>conn second-subnet<br> rightsubnet=<a href="http://192.168.200.0/24">192.168.200.0/24</a><br> also=LANWC-TO-LANEC<br><br>conn LANWC-TO-LANEC<br> authby=secret<br> left=69.105.2.X<br> leftsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a><br>
leftnexthop=%defaultroute<br> right=173.12.38.X<br> rightnexthop=%defaultroute<br> auto=start<br><br>this being the case wouldn't my last connection enty cover the left LAN to public IP of right hand side? and yes, the 69.X.X.X is the pub IP of the lefthand openswan box and the 173.X.X.X is the pub of the right hand openswan box.<br>
<br>thx-<br><br><div class="gmail_quote">On Mon, Jan 10, 2011 at 8:10 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Mon, 10 Jan 2011, M B wrote:<br>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
ok.. so, if the public IP address is not part of the tunnel why are the openswan boxes sending packets to the pub IPs across the tunnel? <br>
</blockquote>
<br></div>
It is part of the tunnel, but not in a regular way.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
here's my connection for the subnet-subnet tunnel:<br>
<br>
conn LANWC-TO-LANEC<br>
authby=secret<br>
left=69.105.X.X<br>
leftsubnet=<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a><br>
leftnexthop=%defaultroute<br>
right=173.12.X.X<br>
rightsubnet=<a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a><br>
rightnexthop=%defaultroute<br>
auto=start<br>
</blockquote>
<br></div>
if your openswan box does not have either 69.105.X.X or 173.12.X.X configured on the box<br>
itself, this will not work. You need to define your end by its local ip.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
what would i need to add to setup the subnet-public IP connection? something like:<br>
<br>
conn LANWC-TO-ECPUB<br>
authby=secret<br>
left=69.105.X.X<br>
leftsubnet=<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a><br>
leftnexthop=%defaultroute<br>
right=172.12.X.X<br>
rightsubnet=172.12.X.X/29<br>
</blockquote>
<br></div>
If you need the /29 then yes. If you just need the one IP, and it is the same as right<br>
itself, you can just leave out rightsubnet=<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>