[Openswan Users] "Simple" ? Vpn setup

Nicolas Ross rossnick-lists at cybercat.ca
Tue Nov 23 10:28:36 CET 2004


> Because the packets need to hit the IPsec machinery. This is currently
> done by making them go into the ipsecX interfaces. Openswan needs to
> process all packets with a certain source address (your left/rightsubnet).
> This method predates much of the advanced routing (iproute) features, so
> since only destination based routing was available at the time, the trick
> that has been used and is still in use is to split the default route
> 0.0.0.0/0 in two (0.0.0.0/1 and 128.0.0.0/0, which both are the entire
> default route) and route them into an ipsecX device. Since these half
> routes are more specific than the default route, the kernel's routing
> mechanism will send all packets into ipsecX. This then triggers the
> Openswan kernel code to process these packets. Packets meant for an IPsec
> tunnel are encrypted, and packets which are not part of a tunnel are
> released back into the normal routing schema and sent to the real default
> gateway.
>
> We are looking at how we can use source based routing using 'ip rules' to
> change this behaviour and remove the confusing half default routes.
>
> In short, those routes are normal when using subnets.

Ok, I got all this sorted out...

Yesterday, I got the 2 gateways connected to each other, and I was able to
send pings from the subnet behind my left gw to the IP address on the right
subnet...

Now, late yesterday, the remote gw was rebooted to add another NIC. The
tunnel still goes up, but I cannot ping either way. I cannot see what has
changed since yesterday that prevents the ping from going through...

With tcpdump, I can see that a packet arrives at the remote GW from my
local GW, but the packet doesn't go out to the rightsubnet...

Here's my setup again :

192.168.10.0/24 - 192.168.10.1 a.b.c.d  -- a.b.c.e {internet} --+
                                                                |
 10.0.1.0/24  ---  10.0.1.1 f.g.h.i  ----  f.g.h.j {internet} --+

My ipsec.conf :

conn testvpnos
        left=a.b.c.d
        leftsubnet=192.168.10.0/24
        leftnexthop=a.b.c.e
        leftid=@testipsec.xx.xx
        leftrsasigkey=0s...
        right=f.g.h.i
        rightsubnet=10.0.1.0/24
        rightnexthop=f.g.h.j
        rightid=@router2.xx.xx
        rightrsasigkey=0s...
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

The tunnel goes up smoothly, but nothing pings either way...

Can you tell me what's wrong?

Thanks for any hints !

Nicolas 
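The quoted explanation describes why Openswan (KLIPS) installs 0.0.0.0/1 and 128.0.0.0/1 routes pointing at ipsecX: under plain destination-based routing, longest-prefix match makes those two halves win over 0.0.0.0/0 without being more specific than any real subnet route. The following is an added example, not code from the thread or from Openswan. It parses constructed `ip route show` output (the public addresses 203.0.113.0/24 and 203.0.113.1 are documentation-range placeholders standing in for a.b.c.d and a.b.c.e in the post; the interface names eth0, eth1 and ipsec0 are assumed), implements the kernel's longest-prefix lookup, and checks that the two half routes are present and agree on the ipsec device. Feeding the real `ip route show` output of each gateway into `parse_routes` is one quick way to confirm the routes survived the reboot described above.

```python
"""Longest-prefix-match walk-through of the Openswan "half default route" trick."""
import ipaddress

# Constructed sample of `ip route show` on the left gateway (not a capture from
# the poster's machine). 203.0.113.10 / 203.0.113.1 stand in for a.b.c.d / a.b.c.e;
# eth0 (public), eth1 (192.168.10.0/24 side) and ipsec0 are assumed names.
SAMPLE_ROUTES = """\
10.0.1.0/24 via 203.0.113.1 dev ipsec0
192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.1
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
0.0.0.0/1 via 203.0.113.1 dev ipsec0
128.0.0.0/1 via 203.0.113.1 dev ipsec0
default via 203.0.113.1 dev eth0
"""


def parse_routes(text):
    """Parse `ip route show` lines into (network, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def lookup(routes, dst):
    """Destination-based routing as the kernel does it: the most specific
    (longest prefix) route containing dst wins. Returns (network, device)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def half_default_routes(routes):
    """Return the device both half default routes point at, or None when either
    half is missing or they disagree (the situation to look for after a reboot)."""
    devs = {str(net): dev for net, dev in routes if net.prefixlen == 1}
    lo, hi = devs.get("0.0.0.0/1"), devs.get("128.0.0.0/1")
    return lo if lo is not None and lo == hi else None


def halves_cover_default():
    """The two /1 halves together are exactly 0.0.0.0/0: nothing escapes them."""
    halves = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
    return list(ipaddress.collapse_addresses(halves)) == [ipaddress.ip_network("0.0.0.0/0")]


def without_ipsec_routes(routes, ipsec_dev="ipsec0"):
    """Simulate the table before Openswan installed its routes."""
    return [(net, dev) for net, dev in routes if dev != ipsec_dev]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("10.0.1.5", "8.8.8.8", "192.168.10.20"):
        net, dev = lookup(table, dst)
        print(f"{dst:15} -> {net} via {dev}")
    print("half routes on:", half_default_routes(table))
    net, dev = lookup(without_ipsec_routes(table), "8.8.8.8")
    print(f"without ipsec routes, 8.8.8.8 -> {net} via {dev}")
```

With the half routes in place every non-local destination (tunnelled 10.0.1.x or plain Internet traffic alike) is first handed to ipsec0, where the IPsec code either encrypts it or passes it back to the real default gateway; the directly attached subnets still win because their /24 prefixes are longer than /1.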
