[Openswan Users] OpenSWAN to Cisco Concentrator 3005
Svavar Örn Eysteinsson
svavar at atom01.is
Fri Dec 9 15:49:28 CET 2005
Hi All.
I recently installed a Fedora Core 4 linux test machine.
My main goal was to configure an IPSec tunnel with OpenSwan to a remote
office connected to a Cisco Concentrator 3005 box.
Well, I have the connection working but the problem is that I can only
communicate with one IP address. That is the LAN address of the remote VPN server.
This is my setup.
(A) - Left Side (Cisco Concentrator 3005 / IP Address: 10.100.0.1/24)
======================================================================
left=62.62.62.62 (Public IP address)
leftnexthop=62.62.62.60 (Router)
leftsubnet=10.100.0.0/24 (Local LAN)

(B) - Right Side (OpenSwan / IP Address: 192.168.1.42/24)
======================================================================
right=72.72.72.72 (Public IP address)
rightnexthop=72.72.72.70 (Router)
rightsubnet=192.168.1.0/24 (Local LAN)
And here is my connection.conf profile (parameters inside a conn section must be indented, and the keyword is "type", not "tpye"):

conn cisco
    type=tunnel
    keyingtries=0
    authby=secret
    left=62.62.62.62
    leftnexthop=62.62.62.60
    leftsubnet=10.100.0.0/24
    right=72.72.72.72
    rightnexthop=72.72.72.70
    rightsubnet=192.168.1.0/24
    ikelifetime=8h
    auto=start
And this is my ipsec.conf:

version 2.0

config setup
    nat_traversal=yes
    uniqueids=yes
    interfaces=%defaultroute
    plutowait=no
My OpenSwan box is configured with 2 interfaces: eth0 (public) connected
straight to the internet and eth1 (LAN) connected to a switch on the
192.168.1.0/24 network.
The default gateway on the machine is 72.72.72.70 through the eth0 interface.
So my routing table looks like:
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref  Use Iface
72.72.72.64     *               255.255.255.192  U     0      0      0 eth0
192.168.1.0     *               255.255.255.0    U     0      0      0 eth1
10.100.0.0      72.72.72.70     255.255.255.0    UG    0      0      0 eth0
169.254.0.0     *               255.255.0.0      U     0      0      0 eth1
default         72.72.72.70     0.0.0.0          UG    0      0      0 eth0
So the problem is, I go to my workstation (running Windows XP) and add a
static route with the following command:

route add 10.100.0.0 mask 255.255.255.0 192.168.1.42 metric 1

I can successfully ping 10.100.0.1 from my Windows XP workstation, but
when I want to ping, for example, 10.100.0.5, which I know exists and
serves as a server on the remote LAN, I don't get any answers.
This problem is vice versa. That means, if I go to the Web Interface on the
Concentrator box and ping 192.168.1.42 it is successful. But if I ping
192.168.1.10 (that serves as a server on the remote LAN) I don't get any
response.
Any idea good people? Anyone out there successfully configured an IPSec tunnel
with Free/OpenSWAN and a Concentrator box?
Does it matter which is Left/Right? e.g. OpenSWAN is Left and Cisco
Right? Or vice versa?
I'm really stuck.
Thanks.
Best regards,
Svavar Orn
svavar at atom01.is
Reykjavik - Iceland
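As an added example (not from the post or from the Openswan project), the Python below parses the conn stanza as posted (a constructed copy, with the "type" typo corrected) and checks which source/destination pairs its leftsubnet/rightsubnet selectors cover. Both the pair that works (192.168.1.42 to 10.100.0.1) and the pair that fails (192.168.1.10 to 10.100.0.5) fall inside the selectors, so the Openswan stanza itself does not narrow the tunnel to the two endpoint addresses; that narrowing must come from the policy or routing on one of the two sides.

```python
import ipaddress

# Constructed copy of the conn stanza from the post (same values, typo fixed).
IPSEC_CONF = """\
conn cisco
    type=tunnel
    keyingtries=0
    authby=secret
    left=62.62.62.62
    leftnexthop=62.62.62.60
    leftsubnet=10.100.0.0/24
    right=72.72.72.72
    rightnexthop=72.72.72.70
    rightsubnet=192.168.1.0/24
    ikelifetime=8h
    auto=start
"""


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}.

    Unindented lines start a section; indented key=value lines belong to it.
    Sections other than 'conn' (e.g. 'config setup') are skipped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def selectors(conn):
    """Traffic selectors the tunnel protects; without a *subnet the endpoint host is assumed."""
    left = conn.get("leftsubnet", conn["left"] + "/32")
    right = conn.get("rightsubnet", conn["right"] + "/32")
    return ipaddress.ip_network(left), ipaddress.ip_network(right)


def covered(conn, src, dst):
    """True if src->dst (in either direction) matches the conn's left/right selectors."""
    left, right = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in right and d in left) or (s in left and d in right)
```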