[Openswan Users] openswan: routing troubles

Jakub Ilski jilski at rajskanet.pl
Mon Sep 13 15:34:46 CEST 2004


Hello,
 I'm currently setting up VPN connections between Fedora 2 and Fedora 2 
(kernel 2.6.5-1.858 on both). I'm a complete novice in this subject, so 
I have some questions:
Situation as below:

192.168.0.0/24 subnet <---> VPNGateway1/Gateway(192.168.0.0 local / dhcp 
assigned public addr.) <------> / inet/ <------> router (ip 
xxx.xxx.xxx.xx1 static; our ISP) <-----> our router (ip 192.168.0.60 - 
ISP side/ 192.168.1.254 local side) <---> VPNGateway2 192.168.1.1<---> 
subnet 192.168.1.0/24

Config at VPNGateway1 looks like:

/----------------------------- 

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=dns
        forwardcontrol=yes
        nat_traversal=yes

conn warszawa
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        leftid=@vpngate1
        leftrsasigkey=[...]
        rightsubnet=192.168.1.0/24
        rightid=@vpngate2
        rightrsasigkey=[...]
        auto=add
        authby=rsasig
        pfs=yes

include /etc/ipsec.d/examples/no_oe.conf
/-------------------------------

...and VPNGateway2 config:

/-------------------------------
# basic configuration
config setup

        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=dns
        nat_traversal=yes

#Add connections here.
conn warszawa
        right=/< dyndns name of VPNGateway1/Gateway here >/
        rightsubnet=192.168.0.0/24
        rightid=@lomema
        rightrsasigkey=[...]
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftid=@aga
        leftrsasigkey=[...]
        auto=route
        authby=rsasig
        pfs=yes
/------------------------------------------
Connection is established from VPNGateway2 (subnet 192.168.1.0/24)

#ipsec auto --up warszawa

104 "warszawa" #5: STATE_MAIN_I1: initiate
003 "warszawa" #5: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-03]
106 "warszawa" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "warszawa" #5: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "warszawa" #5: STATE_MAIN_I3: sent MI3, expecting MR3
004 "warszawa" #5: STATE_MAIN_I4: ISAKMP SA established
112 "warszawa" #6: STATE_QUICK_I1: initiate
004 "warszawa" #6: STATE_QUICK_I2: sent QI2, IPsec SA established 
{ESP=>0xd43987a9 <0x91c18da6}

... it seems OK.
The problem is that I can ping all hosts and connect to any services (SMB 
too, via IP) in 192.168.0.0/24 from the 192.168.1.0/24 subnet (tcpdump shows 
that the tunnel works; I see UDP/4500 and ESP packets), but I _can't_ 
connect to any machine in 192.168.1.0/24 from 192.168.0.0/24.

When I try (on VPNGate1):

#ipsec auto --route warszawa

025 "warszawa": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS
025 "warszawa": could not route

What can I change in my configs to make this work?

Thanks for help and suggestions.

JI
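Added note and example, not part of the original post: pluto prints "cannot route template policy" when the conn is a template, that is, when one end's host address is not fixed (no right= line at all, or right=%any), which is the case for VPNGateway1 above, where right is never set. A template conn can only be auto=add; it becomes a concrete connection only when the peer initiates. The shell script below, written for this page rather than taken from Openswan, scans an ipsec.conf for conns that combine auto=route or auto=start with an unspecified left or right end, which is exactly the combination pluto refuses. The sample configuration is constructed (modelled on the two configs in the post); the script does not follow also= or conn %default inheritance, which is an assumed simplification.

```shell
#!/bin/sh
# Added example: flag ipsec.conf conns that pluto would treat as templates
# (no left=/right= line, or one set to %any) while also asking for
# auto=route or auto=start, which fails with "cannot route template policy".

# Constructed sample ipsec.conf, modelled on the configs in the post.
SAMPLE_CONF='config setup
        interfaces=%defaultroute
        nat_traversal=yes

# peer address never given: this conn is a template
conn warszawa
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        rightsubnet=192.168.1.0/24
        auto=route
        authby=rsasig

# template, but auto=add is the only thing a template may do
conn roadwarrior
        left=%defaultroute
        right=%any
        auto=add

# hostname assumed for illustration; a fixed peer, so auto=start is fine
conn pinned
        left=%defaultroute
        right=vpngate1.example.org
        rightsubnet=192.168.0.0/24
        auto=start
'

# check_templates <ipsec.conf>
# Prints "<conn>: auto=<value> but <end> is unspecified (template)" per
# offending conn. Returns 1 if any were found, 0 otherwise.
# Limitation: also= and conn %default inheritance are not followed.
check_templates() {
    awk '
    BEGIN { bad = 0 }
    # Evaluate the conn collected so far (called at the next section and at EOF)
    function report(   end) {
        if (name == "") return
        end = ""
        if (auto == "route" || auto == "start") {
            if (left == "" || left == "%any") end = "left"
            else if (right == "" || right == "%any") end = "right"
            if (end != "") {
                printf "%s: auto=%s but %s is unspecified (template)\n", name, auto, end
                bad = 1
            }
        }
    }
    /^[ \t]*#/ { next }                                  # comments
    /^conn[ \t]/ { report(); name = $2; left = ""; right = ""; auto = ""; next }
    /^(config|include)[ \t]/ { report(); name = ""; next } # leave conn scope
    /=/ {
        if (name == "") next                             # not inside a conn
        line = $0
        sub(/^[ \t]+/, "", line)
        eq = index(line, "=")
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        sub(/[ \t]+$/, "", val)
        if (key == "left") left = val
        else if (key == "right") right = val
        else if (key == "auto") auto = val
        next
    }
    END { report(); exit bad }
    ' "$1"
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmp"
check_templates "$tmp" || echo "found template conns that cannot be routed"
rm -f "$tmp"
```

On the sample this reports only warszawa: roadwarrior is a template too, but it stays at auto=add, and pinned names a fixed peer. Run it against the real /etc/ipsec.conf on the gateway that refuses `ipsec auto --route`.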