[Openswan Users] Gateway-To-Gateway ping

Vik Heyndrickx vik.heyndrickx at edchq.com
Wed Nov 3 09:19:52 CET 2004


> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]On
> Behalf Of Sebastian Haas
> Sent: dinsdag 2 november 2004 12:12
> To: users at openswan.org
> Subject: [Openswan Users] Gateway-To-Gateway ping
> 
> Hello List,
> 
> we have a VPN tunnel between 2 networks:
> 
> 192.168.0.0/24===LEFT...RIGHT===192.168.1.0/24
> 
> Internal addresses:
> LEFT  = 192.168.0.1
> RIGHT = 192.168.1.1
> 
> If I'm on LEFT and try to ping RIGHT via:
> ping 192.168.1.1 it doesn't work. I also tried
> ping -I eth1 192.168.1.1 (eth1 is the interface for the
> internal network)
> 
> From RIGHT to LEFT it's the same. But if I'm on a computer within the
> network I can reach both LEFT and RIGHT. But not from the
> gateway itself.
> 
> What's wrong?

This is a FAQ entry.
The reason why you cannot reach the right network is because the packet has a left source address not belonging to the left-hand-side tunneled network. So the ping packet itself is not tunneled. If left has no other route to the right network, your pings will time out. Otherwise, if a route to the right network exists, the packet will be sent and answered unencrypted.

Check the leftsourceip= and rightsourceip= options for each conn in ipsec.conf for a solution. Another solution is not to try to ping from the left gateway to the opposite side network ;-)

-- 
Vik
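The selector mismatch Vik describes, as an added example that is not part of the thread: a small check that parses a constructed ipsec.conf conn block built from the subnets in the question and asks whether a ping leaving the left gateway would match the leftsubnet->rightsubnet policy. The public gateway addresses 192.0.2.1 / 198.51.100.1 and the assumption that, without leftsourceip=, the default route supplies the public address as ping source are mine, not from the thread.

```python
import ipaddress

# Constructed ipsec.conf fragment using the subnets from the question; the
# public gateway addresses 192.0.2.1 / 198.51.100.1 are assumed placeholders.
CONF_NO_SOURCEIP = """
conn left-right
    left=192.0.2.1
    leftsubnet=192.168.0.0/24
    right=198.51.100.1
    rightsubnet=192.168.1.0/24
"""
CONF_WITH_SOURCEIP = CONF_NO_SOURCEIP + """    leftsourceip=192.168.0.1
    rightsourceip=192.168.1.1
"""

def parse_conn(text):
    """Return {key: value} for the single conn block in an ipsec.conf fragment."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # lines without '=' (the 'conn' header, blanks) are skipped
            opts[key.strip()] = value.strip()
    return opts

def matches_policy(opts, src, dst):
    """Does a src->dst packet leaving the left gateway match the tunnel's
    leftsubnet->rightsubnet selector? Anything else leaves in the clear
    (or times out if there is no other route)."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(opts["leftsubnet"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(opts["rightsubnet"]))

def gateway_ping_src(opts):
    """Source address a plain 'ping' from the left gateway will use.
    Assumption: without leftsourceip= the default route picks the public
    address; with it, Openswan installs a route to rightsubnet whose src is
    leftsourceip, so the kernel picks that internal address instead."""
    return opts.get("leftsourceip", opts["left"])

def gateway_ping_tunneled(conf_text, dst):
    """True if a gateway-originated ping to dst would be carried by the tunnel."""
    opts = parse_conn(conf_text)
    return matches_policy(opts, gateway_ping_src(opts), dst)

if __name__ == "__main__":
    for name, conf in (("no leftsourceip", CONF_NO_SOURCEIP),
                       ("leftsourceip set", CONF_WITH_SOURCEIP)):
        print(name, "-> tunneled:", gateway_ping_tunneled(conf, "192.168.1.1"))
```

A host inside 192.168.0.0/24 matches the selector either way, which is why the question's LAN machines could reach both gateways while the gateways themselves could not.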