<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I've just got home.<br>
<br>
I suggest at this point it is an OpenVPN issue. Splitting the
OpenVPN subnet into two subnets in ipsec.conf serves no purpose. I'd
have to look up the OpenVPN configs to see how they worked. Also
check for firewalling issues. Does the firewall in Oregon only allow
local subnet traffic to OpenVPN?<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 02/07/2014 18:13, Steven Tye wrote:<br>
</div>
<blockquote
cite="mid:SNT406-EAS41917C220AB130105A81D2EB5060@phx.gbl"
type="cite">
<pre wrap="">
Yeah, so 192.168.10.1/25 &amp; 192.168.10.129/25 are the gateways for the OpenVPN networks.
Both are accessible all the way out in Ireland and Sao Paulo.
However, the client cannot be pinged from anywhere except on the Oregon
server.
The client can ping all the way out to Ireland and Sao Paulo though.
Stumped now.
-----Original Message-----
From: Steven Tye [<a class="moz-txt-link-freetext" href="mailto:srtye@outlook.com">mailto:srtye@outlook.com</a>]
Sent: Wednesday, July 2, 2014 12:54 PM
To: 'Nick Howitt'
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>
Subject: RE: [Openswan Users] Hub and Spoke issue
Just found that I can ping 192.168.10.1, which is the virtual
gateway... from Ireland.
-----Original Message-----
From: Steven Tye [<a class="moz-txt-link-freetext" href="mailto:srtye@outlook.com">mailto:srtye@outlook.com</a>]
Sent: Wednesday, July 2, 2014 12:40 PM
To: 'Nick Howitt'
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>
Subject: RE: [Openswan Users] Hub and Spoke issue
Traceroute
Ireland:~$ traceroute 192.168.10.130
traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 60 byte packets
 1  ip-10-0-0-12.eu-west-1.compute.internal (10.0.0.12)  217.839 ms  217.793 ms  217.731 ms
 2  ip-172-31-33-163.eu-west-1.compute.internal (172.31.33.163)  424.701 ms  424.871 ms  424.831 ms
 3  * * *
 4  * * *
 5  * * *
..................
So it's actually making it to Oregon but not the client.
Oregon
Oregon:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.31.32.1     0.0.0.0         UG    0      0        0 eth0
172.31.32.0     *               255.255.240.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.128 U     0      0        0 as0t0
192.168.10.128  *               255.255.255.128 U     0      0        0 as0t1
I see the way that OpenVPN is separating the 192.168.10.0/24 network in two.
I wonder if I need to add 192.168.10.0/25 & 192.168.10.128/25 to the
ipsec.conf files?
-----Original Message-----
From: Steven Tye [<a class="moz-txt-link-freetext" href="mailto:srtye@outlook.com">mailto:srtye@outlook.com</a>]
Sent: Wednesday, July 2, 2014 12:32 PM
To: 'Nick Howitt'
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>
Subject: RE: [Openswan Users] Hub and Spoke issue
Gotcha... fixed that.
Here is where we are now:
I can ping from the client all the way to 192.168.69.62 (Ireland). I cannot
ping the client from Sao Paulo or Ireland.

conn SauPaulo-to-Oregon
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    right=54.186.82.78
    rightsubnets=172.31.0.0/16,192.168.10.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

conn SauPaulo-to-Ireland
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    right=54.76.160.103
    rightsubnets=192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

Oregon
conn Oregon-to-SauPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.186.82.78
    leftnexthop=%defaultroute
    leftsubnets=172.31.0.0/16,192.168.10.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

Ireland
conn Ireland-to-SaoPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.76.160.103
    leftnexthop=%defaultroute
    leftsubnet=192.168.69.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
-----Original Message-----
From: Nick Howitt [<a class="moz-txt-link-freetext" href="mailto:nick@howitts.co.uk">mailto:nick@howitts.co.uk</a>]
Sent: Wednesday, July 2, 2014 12:30 PM
To: Steven Tye
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>
Subject: RE: [Openswan Users] Hub and Spoke issue
SauPaulo-to-Oregon rightsubnets is missing 192.168.10.0/24
On 2014-07-02 17:14, Steven Tye wrote:
</pre>
<blockquote type="cite">
<pre wrap="">OpenVPN has this setting
Routing
Should VPN clients have access to private subnets (non-public
networks on the server side)?
( ) No
( ) Yes, using NAT
(x) Yes, using routing (advanced)
Specify the private subnets to which all clients should be given
access (as 'network/netmask_bits', one per line)
172.31.0.0/16
10.0.0.0/16
192.168.69.0/24
192.168.10.0/24

Cleaned up the ipsec.conf as you suggested:

conn SauPaulo-to-Oregon
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    right=54.186.82.78
    rightsubnets=172.31.0.0/16
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

conn SauPaulo-to-Ireland
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    right=54.76.160.103
    rightsubnets=192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

Now I cannot ping from client to/from hub.

Oregon
conn Oregon-to-SauPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.186.82.78
    leftnexthop=%defaultroute
    leftsubnets=172.31.0.0/16,192.168.10.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

Ireland
conn Ireland-to-SaoPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.76.160.103
    leftnexthop=%defaultroute
    leftsubnet=192.168.69.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
-----Original Message-----
From: Nick Howitt [<a class="moz-txt-link-freetext" href="mailto:nick@howitts.co.uk">mailto:nick@howitts.co.uk</a>]
Sent: Wednesday, July 2, 2014 12:03 PM
To: steve
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>
Subject: Re: [Openswan Users] Hub and Spoke issue
In OpenVPN are you also pushing a route to 192.168.69.0/24?
Something also looks wrong in your conns. You should have:
conn SauPaulo-to-Oregon
    leftsubnets=SauPaulo's_subnets, Ireland's_subnets
    rightsubnets=Oregon's_subnets
conn SauPaulo-to-Ireland
    leftsubnets=SauPaulo's_subnets, Oregon's_subnets
    rightsubnets=Ireland's_subnets
You appear to have 192.168.10.0/24 in both Ireland and Oregon
Nick
On 2014-07-02 16:39, steve wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Nick, awesome. I am almost there.
I am able to now ping from spoke to spoke. However, I am trying to
ping from my client at 192.168.10.0/24 through to Ireland,
192.168.69.0/24 and it fails. Should the 192.168.10.0/24 network be
added anywhere else?

Here is my new Hub IPsec.conf
Hub
conn SauPaulo-to-Oregon
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    right=54.186.82.78
    rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

conn SauPaulo-to-Ireland
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,172.31.0.0/16
    right=54.76.160.103
    rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments:
<a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
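<br>
Two points in this thread can be checked mechanically rather than by eye: Nick's rule for the hub's conns (each conn carries the hub's own subnets plus every other spoke's subnets on the left, and only the target spoke's subnets on the right), and his remark that listing the two OpenVPN /25s beside 192.168.10.0/24 serves no purpose. What follows is an added example, not code from the thread or from the Openswan project: a small Python checker that parses the conn sections of a hub's ipsec.conf and reports subnets missing from or surplus to either side, ranges that appear on both ends of the same tunnel, and entries that a wider entry on the same side already covers. The site map (Sao Paulo hub 10.0.0.0/16; Oregon 172.31.0.0/16 and 192.168.10.0/24; Ireland 192.168.69.0/24), the conn names and the two sample configs are constructed from the addresses in the thread; the parser's acceptance of unindented parameter lines and of comma-, space- or brace-delimited lists is an assumption made for robustness, not Openswan's documented grammar.<br>
<br>
```python
"""Hub-and-spoke consistency check for a hub's Openswan ipsec.conf.

Added example (not from the thread or the Openswan project).  It applies
the rule from the thread: on the hub, each conn carries the hub's own
subnets plus every OTHER spoke's subnets on the left and only the target
spoke's subnets on the right.  It also flags entries that a wider entry on
the same side already covers (the two OpenVPN /25s beside 192.168.10.0/24).
Site map, conn names and sample configs are constructed assumptions.
"""
import ipaddress
import re


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {param: value}}.
    Lenient on purpose: a real ipsec.conf needs its parameter lines indented,
    but pasted configs often lose that, so every key=value line after a conn
    header belongs to that conn.  '#' starts a comment."""
    conns, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            conns[name] = {}
        elif name is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[name][key.strip()] = val.strip()
    return conns


def side_subnets(conn, side):
    """Networks on one side ('left'/'right'): the single '<side>subnet=' plus
    the '<side>subnets=' list, accepted comma- or space-separated with
    optional braces (parser assumption).  strict=False tolerates a host
    address such as 192.168.10.1/25 and normalises it to its network."""
    nets = []
    if conn.get(side + "subnet"):
        nets.append(ipaddress.ip_network(conn[side + "subnet"], strict=False))
    for tok in re.split(r"[\s,]+", conn.get(side + "subnets", "").strip("{} ")):
        if tok:
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def covered(nets):
    """Entries lying inside a wider entry on the same side: the wider policy
    already matches that traffic, so the narrow entry changes nothing."""
    return sorted({str(a) for a in nets for b in nets
                   if a != b and a.version == b.version and a.subnet_of(b)})


def _strs(nets):
    return sorted(str(n) for n in nets)


def check_hub_conf(text, hub_nets, spokes, conn_for_spoke):
    """hub_nets: the hub's own subnets; spokes: {spoke: [subnets]};
    conn_for_spoke: {spoke: conn name in the hub's ipsec.conf}.
    Returns {conn: {finding: sorted list of network strings}}."""
    conns = parse_conns(text)
    hub = {ipaddress.ip_network(n) for n in hub_nets}
    sp = {s: {ipaddress.ip_network(n) for n in v} for s, v in spokes.items()}
    report = {}
    for spoke, cname in conn_for_spoke.items():
        left = side_subnets(conns[cname], "left")
        right = side_subnets(conns[cname], "right")
        want_left = hub.union(*(v for s, v in sp.items() if s != spoke))
        want_right = sp[spoke]
        report[cname] = {
            "missing_left": _strs(want_left - set(left)),
            "extra_left": _strs(set(left) - want_left),
            "missing_right": _strs(want_right - set(right)),
            "extra_right": _strs(set(right) - want_right),
            # the same range on both ends of one tunnel cannot be routed sanely
            "both_sides": _strs({a for a in left for b in right if a.overlaps(b)}),
            "covered": sorted(set(covered(left)) | set(covered(right))),
        }
    return report


# Constructed sample data (assumption): the three sites as described in the
# thread, with Sao Paulo as the hub.
HUB = ["10.0.0.0/16"]
SPOKES = {"Oregon": ["172.31.0.0/16", "192.168.10.0/24"],
          "Ireland": ["192.168.69.0/24"]}
CONN_FOR = {"Oregon": "SauPaulo-to-Oregon", "Ireland": "SauPaulo-to-Ireland"}

# Subnet lines of the hub config as first posted (the version that drew the
# "192.168.10.0/24 in both Ireland and Oregon" reply).
FIRST_HUB_CONF = """
conn SauPaulo-to-Oregon
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
conn SauPaulo-to-Ireland
    leftsubnets=10.0.0.0/16,172.31.0.0/16
    rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
"""

# Corrected layout, plus the two OpenVPN /25s beside the /24 (constructed).
SPLIT_HUB_CONF = """
conn SauPaulo-to-Oregon
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    rightsubnets={172.31.0.0/16 192.168.10.0/24 192.168.10.0/25 192.168.10.128/25}
conn SauPaulo-to-Ireland
    leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    rightsubnets=192.168.69.0/24
"""

if __name__ == "__main__":
    for label, conf in (("first", FIRST_HUB_CONF), ("split", SPLIT_HUB_CONF)):
        for cname, findings in check_hub_conf(conf, HUB, SPOKES, CONN_FOR).items():
            for kind, nets in findings.items():
                if nets:
                    print(f"[{label}] {cname}: {kind}: {', '.join(nets)}")
```
<br>
Run stand-alone, the script reports for the first config that 192.168.69.0/24 sits on both sides of SauPaulo-to-Oregon and that SauPaulo-to-Ireland is missing 192.168.10.0/24 on its left while carrying 172.31.0.0/16 and 192.168.10.0/24 as surplus on its right, which is the correction Nick gave. For the split config the Ireland conn is clean and the only findings on the Oregon conn are the two /25s, listed both as surplus and as covered by 192.168.10.0/24; the IPsec policy for the /24 already matches every packet to or from the OpenVPN clients, so adding the /25s cannot change what the tunnel carries, and the asymmetry Steven sees (client can reach out, nothing can reach the client) has to be looked for in routing or filtering on the Oregon side instead.<br>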
<br>
</body>
</html>