[Openswan Users] Cisco Concentrator not so stumped
Eaton, Andy
Andy at seas.wustl.edu
Sun Feb 6 12:30:05 CET 2005
So here is the story. I finally have a connection up to the Cisco 3030.
I only had to do the following:
test -d /proc/net/ipsec/spi && ipsec spi --clear'
#lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec'
Comment out the lsmod line, remove the ";" and add a "'". Once I did
this and restarted ipsec, the tunnels started to work without the failed
assertion.
I am now having problems routing over ipsec0 with klips. I am really
trying to route traffic from my gateway to 172.16.0.0/16 and
128.252.21.0/24 over the ipsec tunnel for now. Tcpdump doesn't show any
traffic over ipsec0. When the tunnel comes up a route -n shows the
following.
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan5
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan4
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan3
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
24.107.176.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
24.107.176.0 0.0.0.0 255.255.240.0 U 0 0 0 ipsec0
0.0.0.0 24.107.176.1 0.0.0.0 UG 0 0 0 eth0
I would think I would need some routes that look like the following:
128.252.21.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ipsec0
I have tried to add these manually but no joy. How does Pluto deal with
this? For my test, the important parts...
conn conc
left=%defaultroute
right=128.252.21.15
rightsubnet=172.16.0.0/16
I should be routing 172.16.0.0/16 over ipsec0. Is there supposed to be
some unseen magic that happens to route the traffic over ipsec0?
My iptables rules have the following so I am not trying to nat this
specific traffic.
iptables -t nat -A POSTROUTING -o eth0 -s 0/0 -d ! 128.252.21.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 0/0 -d ! 172.16.0.0/16 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
I have control over both ends of this tunnel and the group id
27.107.189.229 on the 3030 is set to route all traffic. It is not
split.
Am I missing something?
Thanks,
Andrew Eaton
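To check which interface a tunnel-bound destination actually resolves to under the routing table quoted in the post, here is an added example (my own code, not from the post or from Openswan) that parses `route -n` style lines and performs a longest-prefix lookup; the table is embedded as constructed sample input copied from the post, and the helper names are my own.

```python
import ipaddress

# Constructed sample: the `route -n` table from the post, one route per line
# (Destination Gateway Genmask Flags Metric Ref Use Iface), header omitted.
ROUTE_TABLE = """\
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan5
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan4
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan3
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
24.107.176.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
24.107.176.0 0.0.0.0 255.255.240.0 U 0 0 0 ipsec0
0.0.0.0 24.107.176.1 0.0.0.0 UG 0 0 0 eth0
"""

def parse_route_table(text):
    """Parse `route -n` lines into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue  # skip the header lines route -n prints, and blanks
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields[:8]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; ties broken by lower metric, then table order."""
    addr = ipaddress.ip_address(dst)
    best = None
    for idx, (net, gw, metric, iface) in enumerate(routes):
        if addr in net:
            key = (-net.prefixlen, metric, idx)
            if best is None or key < best[0]:
                best = (key, net, gw, iface)
    return None if best is None else (str(best[1]), best[2], best[3])

def tunnel_check(routes, subnets):
    """Map each remote subnet to the interface its first host address leaves on."""
    return {s: lookup(routes, str(ipaddress.ip_network(s)[1]))[2] for s in subnets}

if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    for subnet, iface in tunnel_check(table, ["172.16.0.0/16", "128.252.21.0/24"]).items():
        print(f"{subnet}: routed via {iface}")
```

With the quoted table, both remote subnets fall through to the default route on eth0 rather than ipsec0, which is consistent with tcpdump seeing nothing on ipsec0.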