[Openswan Users] Only getting traffic oneway from Openswan to
Cisco VPN3060
Eaton, Andy
Andy at seas.wustl.edu
Fri Feb 11 12:03:52 CET 2005
I think you are going to have enable rip on your internal interface of
the cisco 3060 and then under the routing section of the lan-to-lan do
RRI, reverse route injection. That will give the cisco a route to your
network. You can check it under monitoring and then routing table. Got
this from the cisco documentation.
On a side note, I am running 4.1.7.B-k9.bin. I establish a connection
with the vpn concentrator but my tunnels show unrouted with ipsec auto
--status and no tunnels up with /etc/init.d/ipsec status. I still have
no idea why this won't work.
You are one step ahead of me....
Let me know if this works for you.
Andrew Eaton
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Shane Hickey
Sent: Friday, February 11, 2005 11:50 AM
To: users at openswan.org
Subject: [Openswan Users] Only getting traffic oneway from Openswan to
Cisco VPN3060
Allright, I'm sure this has to be something simple, but I can't find it
anywhere. Here's my setup.
My side)
Gentoo laptop running 2.6.7-hardened-r17 (with no other kernel
patches), openswan-2.3.0
cat /etc/ipsec/ipsec.conf | grep -v ^#
version 2.0 # conforms to second version of ipsec.conf specification
config setup
# Debug-logging controls: "none" for (almost) none, "all" for
lots.
klipsdebug=all
plutodebug=all
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
interfaces=%defaultroute
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn vpn3000-192
left=$MY_STATIC_IP
leftsubnet=10.252.238.0/24
leftnexthop=$MY_STATIC_IP
right=$CONCENTRATOR_IP
rightsubnet=192.168.0.0/16
auto=start
authby=secret
type=tunnel
keyexchange=ike
auth=esp
esp=3des-md5-96
pfs=no
compress=no
conn vpn3000-10
left=$MY_STATIC_IP
leftsubnet=10.252.238.0/24
leftnexthop=$MY_STATIC_IP
right=$CONCENTRATOR_IP
rightsubnet=10.250.0.0/16
auto=start
authby=secret
type=tunnel
keyexchange=ike
auth=esp
esp=3des-md5-96
pfs=no
compress=no
Remote Side)
Cisco VPN 3060 running vpn3000-4.1.5.A-k9.bin.
I created an IPSec LAN-to-LAN connection with the following information.
Connection Type: Bi-directional
Peers: $MY_STATIC_IP
Using PSK
Authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5
IPSec NAT-T [checked]
Local Network: 10.250.0.0/16 192.168.0.0/16
Remote Network: 10.252.238.0
SYMPTOMS: Any traffic that is originated from my side works fine. So, I
can ssh/web/whatever to anything in the 10.250 or 192.168 networks
behind the concentrator. However, nothing behind the concentrator can
initiate a new connection to my network. They can't ping 10.252.238 or
do anything else to that network. I don't believe it's my iptables
rules on the firewall, but to test it, I ran ethereal on the laptop
firewall box and had it capture all ICMP packets. It sees pings that
originate from my network, but it doesn't see anything that was
originated from behind the concentrator. So, I don't believe the
packets from that side are making it here.
I'm sure I've done something foolish, so any help would be greatly
appreciated.
Thanks,
Shane
--
Shane Hickey <shane at howsyournetwork.com>: Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
More information about the Users
mailing list