[Openswan Users] Nortel - Openswan - Road warrior configuration - nearly there but need help.

shad shad.mortazavi at convergenceone.com
Fri Sep 24 19:24:49 CEST 2004


Dear Group.

I'm using openswan-2.2.0 and Linux Kernel 2.6.8.1-3.

I'm in the process of finalizing an IPSEC tunnel between an openswan 
machine and a Nortel 1710. I have the basic tunnel up.

IPsec SA established {ESP=>0x0014d4f5 <0xdfdf6d9f}.

From the network behind the 1710 I can get to my laptop (ssh/ping), I 
can't get from my laptop to the network behind the 1710.

I did make an earlier post, but no reply:

http://lists.openswan.org/pipermail/users/2004-September/002339.html .

I'm getting close. I think I found the ip route issue. I believe this is 
caused when ip route can not determine how to get to 70.xy.xy.4 (below), 
i.e. did not know the next hop since I don't have a direct connection to 
the internet.

My setup looks like this:

laptop (192.xx.yy.51/255.255.255.240) <--> FVS318 
(192.xx.yy.249|71.xx.xy.xy) <-> internet

The office is:

10.0.0.0/8 <-> 1700 (192.xx.yy.11|70.xy.xy.4) <->Cisco Route 
(70.xy.xy.1) <-> Internet

Since I don't have a direct interface on connection to the internet I 
specify the leftnexthop in my config:

conn %default
       left=192.y.x.51
       # Had to add this to get ip route to work!
       leftnexthop=192.y.x.49
       keyingtries=10
       disablearrivalcheck=no
       auto=start
       keylife=20m
       rekeymargin=5m
       ikelifetime=3h

include /etc/ipsec.d/examples/no_oe.conf

conn bwk
       right= 70.xy.xy.4
       rightsubnet=10.0.0.0/255.0.0.0
       pfs=yes
       compress=no
       rekey=yes
       authby=secret
       leftsubnet=192.y.x.48/255.255.255.240

My routing table now looks like:

192.yy.xx.0/24 dev eth0  proto kernel  scope link  src 192.yy.xx.51
192.yy.xx.0/24 dev vmnet1  proto kernel  scope link  src 192.yy.xx.1
172.yy.xx.0/24 dev vmnet8  proto kernel  scope link  src 172.yy.xx.1
10.0.0.0/8 via 192.yy.xx.49 dev eth0
default via 192.yy.xx.49 dev eth0

However I think it should read:

192.yy.xx.0/24 dev eth0  proto kernel  scope link  src 192.yy.xx.51
192.yy.xx.0/24 dev vmnet1  proto kernel  scope link  src 192.yy.xx.1
172.yy.xx.0/24 dev vmnet8  proto kernel  scope link  src 172.yy.xx.1
10.0.0.0/8 via 192.yy.xx.51 dev eth0
default via 192.yy.xx.49 dev eth0

I can set this manually after my tunnel comes up.

With both routing tables I can get from the office to my laptop, but not 
from my laptop to the office :(

Am I missing something obvious in my thinking or my configuration?

Warm Regards

Shad
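As an added example (not part of the original post or of Openswan), the following script parses `ip route show` output in the format quoted above and performs the longest-prefix lookup the kernel would do for a destination in the remote 10.0.0.0/8 subnet, then reports which fields (gateway, device, preferred source) differ between the two tables. The sample tables are constructed to mirror the shape of the two tables in the post, with the documentation range 192.0.2.0/24 standing in for the obfuscated 192.yy.xx.0/24.

```python
import ipaddress

def parse_ip_route(text):
    """Parse `ip route show` output (one route per line) into dicts."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "src": None}
        i = 1
        while i < len(tokens) - 1:
            if tokens[i] in ("via", "dev", "src"):
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        routes.append(route)
    return routes

def lookup(routes, dest):
    """Longest-prefix match, as the kernel does for a plain (non-policy) lookup."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["dst"]]
    return max(matches, key=lambda r: r["dst"].prefixlen) if matches else None

def compare_lookups(table_a, table_b, dest):
    """Return {field: (a_value, b_value)} for every field of the selected route that differs."""
    ra = lookup(parse_ip_route(table_a), dest)
    rb = lookup(parse_ip_route(table_b), dest)
    return {k: (ra[k], rb[k]) for k in ("dst", "via", "dev", "src") if ra[k] != rb[k]}

# Constructed sample tables in the shape of the two tables quoted in the post;
# 192.0.2.0/24 (documentation range) stands in for the obfuscated 192.yy.xx.0/24.
TABLE_CURRENT = """\
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.51
10.0.0.0/8 via 192.0.2.49 dev eth0
default via 192.0.2.49 dev eth0
"""
TABLE_EXPECTED = """\
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.51
10.0.0.0/8 via 192.0.2.51 dev eth0
default via 192.0.2.49 dev eth0
"""

if __name__ == "__main__":
    for name, table in (("current", TABLE_CURRENT), ("expected", TABLE_EXPECTED)):
        r = lookup(parse_ip_route(table), "10.0.0.5")
        print(f"{name}: 10.0.0.5 -> {r['dst']} via {r['via']} dev {r['dev']} src {r['src']}")
    print("differs in:", compare_lookups(TABLE_CURRENT, TABLE_EXPECTED, "10.0.0.5"))
```

Run it against the real output of `ip route show` before and after the tunnel comes up to see exactly which attributes of the route for the remote subnet change; note that neither sample table carries a `src` hint on the 10.0.0.0/8 route, so packets to the office are sourced from whatever address the kernel picks for eth0.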


