[Openswan Users] Linux-Linux IPsec Tunnel ends at the gateway: no ping over the gateway in the next subnet

Bram Bouwens bbouwens at xs4all.nl
Tue Jul 5 21:52:26 CEST 2005


Foren wrote:
> Paul Wouters wrote:
> 
>> On Tue, 5 Jul 2005, foren titze wrote:
>>
>>> Although I have made conn roadwarrior and roadwarrior-net, my ping from the
>>> roadwarrior to the subnet behind the vpn-gateway doesn't go through.
>>
>>>     nat_traversal=yes
>>
>>>     #virtual_private=%v4:10.0.0.0/24,%v4:192.168.121.0/24
>>
>> You must include virtual_private= for nat traversal. You must not include,
>> but exclude your leftsubnet= range.
> 
> virtual_private must be 192.168.121.0/24 at the server and client, or?
> 
>>
>>> conn tit-linux-net
>>>     leftsubnet=192.168.121.0/24
>>>     also=titze-linux
>>>
>>> conn tit-linux
>>>     rightnexthop=192.168.121.1
>>
>> It seems both left and right are in the same 192.168.121.0/24 subnet?????
> 
> No, only the Server has two Interfaces. One internal .121.0/24 and one
> external.
> The Client has only one interface with, here, an external IP. But when
> the Client is NATed, it has an internal IP.
> 

This is not very logical. I think the 192.168.121.0/24 is the network
behind the vpn-gateway, which is then considered the `left' side.
Then virtual_private=%v4:10.0.0.0/24,......,%v4:!192.168.121.0/24
with emphasis on the !

Then the right side is the roadwarrior, and it cannot have 192.168.121.1
as its next hop.

Bram
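
As an added illustration of the exclusion rule discussed in this thread (not part of the original message and not Openswan code), the following Python sketch lints a virtual_private= value against leftsubnet=. The function names and the acceptance logic are assumptions: a simplified model in which a NATed peer's address must fall inside a listed range and outside every !-prefixed one.

```python
import ipaddress

def parse_virtual_private(value):
    """Split '%v4:net,%v4:!net,...' into (allowed, excluded) networks."""
    allowed, excluded = [], []
    for item in filter(None, (p.strip() for p in value.split(","))):
        family, sep, net = item.partition(":")
        if not sep or family not in ("%v4", "%v6"):
            raise ValueError(f"malformed entry: {item!r}")
        negated = net.startswith("!")
        # Strict parsing rejects entries with host bits set, e.g. 10.0.0.1/24.
        network = ipaddress.ip_network(net[1:] if negated else net)
        if (family == "%v4") != (network.version == 4):
            raise ValueError(f"address family mismatch: {item!r}")
        (excluded if negated else allowed).append(network)
    return allowed, excluded

def _within(net, ranges):
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)

def peer_accepted(value, peer_net):
    """Simplified model (assumption): inside an allowed range, outside all excluded."""
    allowed, excluded = parse_virtual_private(value)
    peer = ipaddress.ip_network(peer_net)
    if any(peer.version == x.version and peer.overlaps(x) for x in excluded):
        return False
    return _within(peer, allowed)

def lint(value, leftsubnet):
    """Return findings about how virtual_private= treats the gateway's own subnet."""
    allowed, excluded = parse_virtual_private(value)
    left = ipaddress.ip_network(leftsubnet)
    if _within(left, excluded):
        return []
    clash = [str(a) for a in allowed if a.version == left.version and a.overlaps(left)]
    if clash:
        return [f"leftsubnet {left} is accepted as a peer range via {', '.join(clash)}"]
    return [f"leftsubnet {left} is not excluded; add %v{left.version}:!{left}"]

if __name__ == "__main__":
    # Constructed values modelled on the two variants quoted in the thread.
    for vp in ("%v4:10.0.0.0/24,%v4:192.168.121.0/24",
               "%v4:10.0.0.0/24,%v4:!192.168.121.0/24"):
        print(vp, "->", lint(vp, "192.168.121.0/24") or "ok")
```
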

