<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks one more time Alonso!<br><br>Unfortunately, i think that didn't
help. Following my configuration (leftsubnet 192.168.51.10/32,
rightsubnet 192.168.1.101/32), i add this route.<br><br><i>ip route add 192.168.1.101/32 dev eth0 proto static src 192.168.51.10</i><br><br>But
I continue not having ping from the ubuntu client (the one with the
virtual nic) to vpn server in this mode (gateway to gateway), don't know
why; as I say, in the "client to gateway" I have ping from client to
vpn server without adding any route. <br><br>By the way I left out the
remote ID, don't have it in my configuration, maybe I have to add one?
Don't understand very well it's purpose.<br><br>I suppose I'm making a stupid mistake but don't find exactly which is.<br><br>Thanks a lot for your help mate!<br><br><br><div><hr id="stopSpelling">From: alonso.manilla@gmail.com<br>Date: Mon, 10 Jun 2013 12:47:56 -0500<br>Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?<br>To: soloninguno@hotmail.com<br>CC: users@lists.openswan.org<br><br><div dir="ltr">This is my ipsec.conf<div><br></div><div>Left it's me and right is the other vpn point.</div><div><br></div><div>As you say 128 is Remote and 172 is the local network.</div><div>
<br></div><div>128.100.100.1 is the remote ID</div><div><br></div><div><div>config setup</div><div><span style="white-space:pre-wrap;"> </span>plutoopts="--perpeerlog"<br></div><div><span style="white-space:pre-wrap;"> </span>nat_traversal=yes</div>
<div><span style="white-space:pre-wrap;"> </span>virtual_private=%v4:<a href="http://128.9.0.0/16%2c%v4:172.22.11.10/32" target="_blank">128.9.0.0/16,%v4:172.22.11.10/32</a></div><div><span style="white-space:pre-wrap;"> </span>oe=off</div>
<div><span style="white-space:pre-wrap;"> </span>protostack=netkey </div><div><span style="white-space:pre-wrap;"> </span>interfaces=%defaultroute</div><div>conn bc<br></div><div><span style="white-space:pre-wrap;"> </span>type=tunnel<br>
</div><div><span style="white-space:pre-wrap;"> </span>left=85.25.111.144</div><div><span style="white-space:pre-wrap;"> </span>leftsubnet=<a href="http://172.22.11.10/32" target="_blank">172.22.11.10/32</a></div><div><span style="white-space:pre-wrap;"> </span>leftnexthop=%defaultroute</div>
<div><span style="white-space:pre-wrap;"> </span>leftsourceip=172.22.11.10</div><div><span style="white-space:pre-wrap;"> </span>right=200.96.218.135</div><div><span style="white-space:pre-wrap;"> </span>rightid=128.100.100.1<span style="white-space:pre-wrap;"> </span></div>
<div><span style="white-space:pre-wrap;"> </span>rightsubnet=<a href="http://128.9.0.0/16" target="_blank">128.9.0.0/16</a></div><div><span style="white-space:pre-wrap;"> </span>rightnexthop=%defaultroute</div><div><span style="white-space:pre-wrap;"> </span>pfs=yes</div>
<div><span style="white-space:pre-wrap;"> </span>auto=start</div><div><span style="white-space:pre-wrap;"> </span>ike=3des-md5;modp1024</div><div><span style="white-space:pre-wrap;"> </span>keylife=60m<span style="white-space:pre-wrap;"> </span></div>
<div><span style="white-space:pre-wrap;"> </span>authby=secret</div><div><span style="white-space:pre-wrap;"> </span>ikelifetime=1440m</div><div><span style="white-space:pre-wrap;"> </span>esp=3des-md5</div><div>
<span style="white-space:pre-wrap;"> </span>compress=no</div><div><span style="white-space:pre-wrap;"> </span>forceencaps= yes</div></div><div><br></div><div>About your last question, I think your problem its with route and the packages don't know where to go.</div>
<div><br></div></div><div class="ecxgmail_extra"><br clear="all"><div>--<div>Alonso Manilla</div></div>
<br><br><div class="ecxgmail_quote">2013/6/10 Jose M <span dir="ltr"><<a href="mailto:soloninguno@hotmail.com" target="_blank">soloninguno@hotmail.com</a>></span><br><blockquote class="ecxgmail_quote" style="border-left:1px #ccc solid;padding-left:1ex;">
<div><div dir="ltr">
<div dir="ltr">Thanks Alonso for your help!<br><br>I'm not a pro with network things, so is not very clear to me what ips do I have to put in the ip router command you post<div class="ecxim"><br><br><span style="font-family:arial,sans-serif;font-size:13px;"> ip </span><span style="font-family:arial,sans-serif;font-size:13px;">route</span><span style="font-family:arial,sans-serif;font-size:13px;"> add </span><a href="http://128.9.0.0/16" style="font-family:arial,sans-serif;font-size:13px;" target="_blank">128.9.0.0/16</a><span style="font-family:arial,sans-serif;font-size:13px;"> via 128.100.100.1 dev eth0 proto static src </span><a href="http://172.22.11.10/32" style="font-family:arial,sans-serif;font-size:13px;" target="_blank">172.22.11.10/32</a><br>
<br></div><a href="http://128.9.0.0/16" target="_blank">128.9.0.0/16</a> is the "remote network"?<br>128.100.100.1 is the local gateway?<br><span style="font-family:arial,sans-serif;font-size:13px;"></span><a href="http://172.22.11.10/32" style="font-family:arial,sans-serif;font-size:13px;" target="_blank">172.22.11.10/32</a> is the "local network"?<br>
<br><br>Just in case, here is the configuration I have after creating the virtual nic with<div class="ecxim"><br><br>sudo ifconfig eth0:1 <a href="http://192.168.51.10/32" target="_blank">192.168.51.10/32</a> netmask 255.255.255.0
<br><br></div><i><u>ipsec.conf</u></i><br><pre><div class="ecxim">conn %default
authby=secret
type=tunnel
left=78.222.51.10
leftsubnet=<a href="http://192.168.51.10/32" target="_blank">192.168.51.10/32</a><br><br></div><div class="ecxim">conn linux-rv042
auto=add
right=81.18.24.120
rightsubnet=<a href="http://192.168.1.101/32" target="_blank">192.168.1.101/32</a>
authby=secret</div></pre>And here the picture of my RV042 configuration with "gateway to gateway" mode<br><a href="http://tinypic.com/view.php?pic=20aoqx1&s=5" target="_blank">http://tinypic.com/view.php?pic=20aoqx1&s=5</a><br>
<br>By the way, why if i configure the "client to gateway" I can ping from the client to the vpn, and with "gateway to gateway" that doesn't work. Is because now the client has two nics and doesn't know where to go?<br>
<br>Kind regards<br><br><div><hr>From: <a href="mailto:alonso.manilla@gmail.com" target="_blank">alonso.manilla@gmail.com</a><br>Date: Mon, 10 Jun 2013 09:09:16 -0500<div><div class="h5"><br>Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?<br>
To: <a href="mailto:soloninguno@hotmail.com" target="_blank">soloninguno@hotmail.com</a><br>CC: <a href="mailto:users@lists.openswan.org" target="_blank">users@lists.openswan.org</a><br><br><div dir="ltr"><div>You're closer!</div>
<div><br></div><div>This maybe help you<br></div><div><br></div><div>I used this for route:</div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px;"> ip </span><span style="font-family:arial,sans-serif;font-size:13px;">route</span><span style="font-family:arial,sans-serif;font-size:13px;"> add </span><a href="http://128.9.0.0/16" style="font-family:arial,sans-serif;font-size:13px;" target="_blank">128.9.0.0/16</a><span style="font-family:arial,sans-serif;font-size:13px;"> via 128.100.100.1 dev eth0 proto static src </span><a href="http://172.22.11.10/32" style="font-family:arial,sans-serif;font-size:13px;" target="_blank">172.22.11.10/32</a><br>
</div><div><br></div><div>This is my iptables-save result:</div><div><br></div><div><div>*nat</div><div>:PREROUTING ACCEPT [7890242:571675663]</div><div>:INPUT ACCEPT [7207255:467688388]</div><div>
:OUTPUT ACCEPT [1540066:101645951]</div><div>:POSTROUTING ACCEPT [1540060:101645591]</div><div>-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</div><div>-A POSTROUTING -s <a href="http://200.96.218.135/32" target="_blank">200.96.218.135/32</a> -d <a href="http://172.22.11.10/32" target="_blank">172.22.11.10/32</a> -o eth0 -j MASQUERADE</div>
<div>-A POSTROUTING -s <a href="http://128.9.0.0/16" target="_blank">128.9.0.0/16</a> -d <a href="http://172.22.11.10/32" target="_blank">172.22.11.10/32</a> -o eth0 -j MASQUERADE</div><div><br></div><div>check this link:</div>
<div><br></div>
<div>I had problem with packages and here help me to solve</div><div><br></div><div><a href="https://lists.openswan.org/pipermail/users/2013-May/022381.html" target="_blank">https://lists.openswan.org/pipermail/users/2013-May/022381.html</a><br>
</div><div><br></div><div>Regards!</div><div><br></div></div></div><div><br clear="all"><div>--<div>Alonso Manilla</div></div>
<br><br><div>2013/6/8 Jose M <span dir="ltr"><<a href="mailto:soloninguno@hotmail.com" target="_blank">soloninguno@hotmail.com</a>></span><br><blockquote style="border-left:1px #ccc solid;padding-left:1ex;">
<div><div dir="ltr">Thanks Alonso!<br><br>Could you give me some hints how to create routes and iptables to get this working?<br><br><div><hr>From: <a href="mailto:alonso.manilla@gmail.com" target="_blank">alonso.manilla@gmail.com</a><br>
Date: Fri, 7 Jun 2013 17:07:34 -0500<div><br>Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?<br></div>To: <a href="mailto:soloninguno@hotmail.com" target="_blank">soloninguno@hotmail.com</a><br>
CC: <a href="mailto:users@lists.openswan.org" target="_blank">users@lists.openswan.org</a><div><div><br><br><div dir="ltr">It's possible to create virtual nics.<div><br></div><div>Use #: </div><div>ifconfig eth0:1 192.168.1.5 netmask 255.255.255.0</div>
<div><br></div><div>to make it permanent change the /etc/network/interfaces file.</div>
<div><br></div><div>then you need to create a route to send all packets from vpn to the new ip address, also need to check your iptables.</div><div><br></div><div>Good luck.</div><div><br></div>
<div><br clear="all"><div>--<div>Alonso Manilla</div></div>
<br><br><div>2013/6/7 Jose M <span dir="ltr"><<a href="mailto:soloninguno@hotmail.com" target="_blank">soloninguno@hotmail.com</a>></span><br>
<blockquote style="border-left:1px #ccc solid;padding-left:1ex;">
<div><div dir="ltr">I need to create an ipsec vpn between an internal network behind a cisco router and
an ubuntu server in the outside that is directly connected to the web (no
router here).<br><br>Right now I've test openswan to create a client to gateway vpn an works as expected. Unforunately with this configuration I don't have two way traffic, the client sees the internal network, but the network can't see the client.<br>
<br>My knowledge of networks isn't the best, so I need to ask, is it possible to create some kind of virtual nics in ubuntu client server to simulate a gateway and an internal network (with only one machine) in this endpoint, so the machines in the internal network can see this client?<br>
<br>Thanks in advance!<br><br><br> </div></div>
<br>_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br></div></div></div></div></div> </div></div>
</blockquote></div><br></div></div></div></div></div>
</div></div>
</blockquote></div><br></div></div> </div></body>
</html>