[Openswan Users] Cisco Concentrator not so stumped

Eaton, Andy Andy at seas.wustl.edu
Sun Feb 6 12:30:05 CET 2005


So here is the story.  I finally have a connection up to the Cisco 3030.
I only had to do the following:

test -d /proc/net/ipsec/spi && ipsec spi --clear'

#lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec'

Comment out the lsmod line, remove the ";" and add a "'". Once I did
this and restarted ipsec, the tunnels started to work without the failed
assertion.

I am now having problems routing over ipsec0 with klips. I am really
trying to route traffic from my gateway to 172.16.0.0/16 and
128.252.21.0/24 over the ipsec tunnel for now. tcpdump doesn't show any
traffic over ipsec0. When the tunnel comes up, a route -n shows the
following.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan5
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan4
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan3
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
24.107.176.0    0.0.0.0         255.255.240.0   U     0      0        0 eth0
24.107.176.0    0.0.0.0         255.255.240.0   U     0      0        0 ipsec0
0.0.0.0         24.107.176.1    0.0.0.0         UG    0      0        0 eth0

I would think I would need some routes that look like the following:

128.252.21.0    0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ipsec0

I have tried to add these manually but no joy. How does Pluto deal with
this? For my test, the important parts...

conn conc
        left=%defaultroute
        right=128.252.21.15
        rightsubnet=172.16.0.0/16

I should be routing 172.16.0.0/16 over ipsec0. Is there supposed to be
some unseen magic that happens to route the traffic over ipsec0?

My iptables rules have the following, so I am not trying to NAT this
specific traffic.

iptables -t nat -A POSTROUTING -o eth0 -s 0/0 -d ! 128.252.21.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 0/0 -d ! 172.16.0.0/16 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

I have control over both ends of this tunnel, and the group id
27.107.189.229 on the 3030 is set to route all traffic. It is not
split.

Am I missing something?

Thanks,

Andrew Eaton
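The message above quotes a route table and three POSTROUTING nat rules. The Python below is an added example, not part of the original message or of Openswan: it models the kernel's longest-prefix route selection and iptables' first-match chain walk over exactly the entries quoted in the post, and adds the two ipsec0 routes the post says it expects (labelled `WANTED_ROUTES`, which are assumed and not present on the box). The test addresses (172.16.5.1, 192.168.3.7, 24.107.180.3) are constructed; 128.252.21.15 is the peer address from the conn. Running `trace()` shows which interface a destination leaves on and which rule, if any, masquerades it.

```python
import ipaddress

# Transcribed from the `route -n` output quoted in the post, in the order
# printed (netmask 255.255.240.0 is /20). Entry: (network, gateway, iface).
ROUTES = [
    ("192.168.5.0/24", None, "vlan5"),
    ("192.168.4.0/24", None, "vlan4"),
    ("192.168.3.0/24", None, "vlan3"),
    ("192.168.2.0/24", None, "vlan2"),
    ("192.168.1.0/24", None, "eth2"),
    ("24.107.176.0/20", None, "eth0"),
    ("24.107.176.0/20", None, "ipsec0"),
    ("0.0.0.0/0", "24.107.176.1", "eth0"),
]

# Assumed: the two routes the post says it would expect to see (not installed).
WANTED_ROUTES = [
    ("128.252.21.0/24", None, "ipsec0"),
    ("172.16.0.0/16", None, "ipsec0"),
]

# The three POSTROUTING nat rules quoted in the post, in chain order.
# Entry: (out_iface, dst_negated, dst_cidr, target); None cidr = any dst.
NAT_RULES = [
    ("eth0", True, "128.252.21.0/24", "MASQUERADE"),
    ("eth0", True, "172.16.0.0/16", "MASQUERADE"),
    ("eth0", False, None, "MASQUERADE"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table; on an equal prefix length the
    route listed first wins (no metrics are set in the quoted table).
    Returns (iface, gateway) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gw, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[2], best[1])


def nat_verdict(dst, out_iface, rules=NAT_RULES):
    """Walk the chain top to bottom; the first rule whose -o and -d match
    terminates. Returns (rule_index, target) or None if no rule matched."""
    addr = ipaddress.ip_address(dst)
    for i, (iface, negated, cidr, target) in enumerate(rules):
        if iface != out_iface:
            continue
        if cidr is not None:
            in_net = addr in ipaddress.ip_network(cidr)
            # "-d X" needs in_net; "-d ! X" needs not in_net
            if in_net == negated:
                continue
        return (i, target)
    return None


def trace(dst, routes=ROUTES):
    """Route the destination, then evaluate the nat chain on that egress."""
    hit = route_lookup(dst, routes)
    if hit is None:
        return {"dst": dst, "out_iface": None, "gateway": None, "nat": None}
    iface, gw = hit
    return {"dst": dst, "out_iface": iface, "gateway": gw,
            "nat": nat_verdict(dst, iface)}


if __name__ == "__main__":
    for dst in ("172.16.5.1", "128.252.21.15", "192.168.3.7"):
        print(trace(dst))
    # Same destination with the wished-for ipsec0 route in place
    print(trace("172.16.5.1", WANTED_ROUTES + ROUTES))
```

With the table as quoted, a packet to 172.16.5.1 has no /16 route, so it falls to the default via eth0, and on eth0 the very first rule matches it: `-d ! 128.252.21.0/24` is true for any destination outside that /24, 172.16.0.0/16 included, so that traffic is masqueraded before the second rule is ever consulted. Only when a more specific route sends the packet out ipsec0 do all three `-o eth0` rules stop applying to it.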
