[Openswan Users] Problem with vpn network
Nicole.Haehnel
nicole.haehnel at gmx.net
Thu Jan 27 09:43:42 CET 2005
Hi,
the router gets a new ip every dial in.
VPN2 is on privat ip space and has ip 10.27.168.2.
The router has privat ip 10.27.168.1 and a public ip.
The router forwards all packets to VPN2, unfortunately I can only
forward tcp and udp packets or all packets, no protos.
I can not see anything on the interfaces of the router, no telnet function.
But I captured an VPN1 and VPN2, both sending packets but nothing
arrived on the other side.
If I changed the ipsec config with rightnexthop= 10.27.168.1 on VPN2,
I get an error "we can not identify ourselfs with either end of connection".
On VPN1, I changed right to the dyndns-name.
Thanks!
Nicole
Paul Wouters wrote:
> On Wed, 26 Jan 2005, Nicole.Haehnel wrote:
>
>> now I know the problem, or a part of it.
>>
>> VPN1------INET-----DSL-Router----VPN2
>>
>> The tunnel is working between VPN1 and VPN2 until the router dials a
>> new connection.
>> After this the tunnel is still up, but no packets go through it.
>> Restarting ipsec is not working.
>
>
> Is the router keeping some sort of state? It shouldn't. Did it change
> IP address?
>
>> I configured ipsec to start the tunnel only from VPN2 behind the router.
>
>
> So is VPN2 on private IP space? Do you forward proto 50 and port
> (4)500 udp to it?
> If VPN2 is on public ip, it shouldn't matter that the router vanishes
> and comes back.
>
> Try and run tcpdump to see where the packets are lost. Is VPN2 still
> sending them?
> (I'd assume so, but let's rule out bugs in our own products first :)
>
>> "Right" is dyndns-name, but what is rightnexthop?
>
>
> the only nexthop you should fill in on VPN2 is the inside IP of the
> DSL router. It
> shouldn't change if I got your network idea correctly.
>
> Paul
>
>
More information about the Users
mailing list