[Openswan Users] Problem with vpn network

Nicole.Haehnel nicole.haehnel at gmx.net
Thu Jan 27 09:43:42 CET 2005


the router gets a new ip every dial in.
VPN2 is on privat ip space and has ip
The router has privat ip and a public ip.
The router forwards all packets to VPN2, unfortunately I can only 
forward tcp and udp packets or all packets, no protos.

I can not see anything on the interfaces of the router, no telnet function.
But I captured an VPN1 and VPN2, both sending packets but nothing 
arrived on the other side.

If I changed the ipsec config with rightnexthop= on VPN2,
I get an error "we can not identify ourselfs with either end of connection".

On VPN1, I changed right to the dyndns-name.



Paul Wouters wrote:

> On Wed, 26 Jan 2005, Nicole.Haehnel wrote:
>> now I know the problem, or a part of it.
>> VPN1------INET-----DSL-Router----VPN2
>> The tunnel is working between VPN1 and VPN2 until the router dials a 
>> new connection.
>> After this the tunnel is still up, but no packets go through it.
>> Restarting ipsec is not working.
> Is the router keeping some sort of state? It shouldn't. Did it change 
> IP address?
>> I configured ipsec to start the tunnel only from VPN2 behind the router.
> So is VPN2 on private IP space? Do you forward proto 50 and port 
> (4)500 udp to it?
> If VPN2 is on public ip, it shouldn't matter that the router vanishes 
> and comes back.
> Try and run tcpdump to see where the packets are lost. Is VPN2 still 
> sending them?
> (I'd assume so, but let's rule out bugs in our own products first :)
>> "Right" is dyndns-name, but what is rightnexthop?
> the only nexthop you should fill in on VPN2 is the inside IP of the 
> DSL router. It
> shouldn't change if I got your network idea correctly.
> Paul

More information about the Users mailing list