[Openswan Users] Linux-Linux IPsec Tunnel ends at the gateway: no ping over the gateway in the next subnet

Foren foren.titze at gmx.net
Tue Jul 5 21:58:44 CEST 2005


Bram Bouwens schrieb:
> Foren wrote:
> 
>> Paul Wouters schrieb:
>>
>>> On Tue, 5 Jul 2005, foren titze wrote:
>>>
>>>> Although I have made conn roadwarrior and roadwarrior-net, my ping from
>>>> the roadwarrior to the subnet behind the vpn-gateway doesn't go through.
>>>
>>>>     nat_traversal=yes
>>>
>>>>     #virtual_private=%v4:10.0.0.0/24,%v4:192.168.121.0/24
>>>
>>> You must include virtual_private= for nat traversal. You must not 
>>> include,
>>> but exclude your leftsubnet= range.
>>
>> virtual_private must be 192.168.121.0/24 at the server and the client, right?
>>
>>>
>>>> conn tit-linux-net
>>>>     leftsubnet=192.168.121.0/24
>>>>     also=titze-linux
>>>>
>>>> conn tit-linux
>>>>     rightnexthop=192.168.121.1
>>>
>>> It seems both left and right are in the same 192.168.121.0/24 
>>> subnet?????
>>
>> No, only the server has two interfaces: one internal (.121.0/24) and one
>> external. The client has only one interface, with (here) an external IP.
>> But when the client is NATed, it has an internal IP.
>>
> 
> This is not very logical. I think the 192.168.121.0/24 is the network
> behind the vpn-gateway, which is then considered the `left' side.
> Then virtual_private=%v4:10.0.0.0/24,......,%v4:!192.168.121.0/24
> with emphasis on the !
So virtual_private=%v4:192.168.121.0/24 on the server and 
virtual_private=%v4:!192.168.121.0/24 on the roadwarrior, right?

> 
> Then the right side is the roadwarrior, and it cannot have 192.168.121.1
> as its next hop.
> 
Then I have to remove it on the roadwarrior.

I always thought that the configs on the right and left sides must be identical.
> Bram
> 
> 
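As an added check, not from this thread and not Openswan's own code: a small Python script that reads a constructed ipsec.conf and flags any leftsubnet that virtual_private still admits as a virtual-IP range without a matching `%v4:!` exclusion. It assumes Openswan's documented semantics that a `!` entry removes a range from virtual_private; the config text, conn names and addresses are constructed to mirror the thread.

```python
import ipaddress
import re

# Constructed ipsec.conf mirroring the thread; {vp} is filled with the
# virtual_private value under test. The gateway's leftsubnet is 192.168.121.0/24.
CONF_TEMPLATE = """\
config setup
    nat_traversal=yes
    virtual_private={vp}
conn tit-linux-net
    leftsubnet=192.168.121.0/24
"""
BAD_CONF = CONF_TEMPLATE.format(vp="%v4:10.0.0.0/24,%v4:192.168.121.0/24")
GOOD_CONF = CONF_TEMPLATE.format(
    vp="%v4:10.0.0.0/24,%v4:192.168.0.0/16,%v4:!192.168.121.0/24")


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {'config setup': {...}, 'conn NAME': {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        header = re.match(r"^(config|conn)\s+(\S+)", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    return sections


def virtual_private_conflicts(text):
    """(conn, leftsubnet) pairs admitted by virtual_private with no '!' exclusion."""
    sections = parse_ipsec_conf(text)
    vp = sections.get("config setup", {}).get("virtual_private", "")
    allowed, excluded = [], []
    for entry in vp.split(","):
        if entry.startswith("%v4:"):  # %v6: entries are ignored in this example
            net = entry[4:]
            (excluded if net.startswith("!") else allowed).append(
                ipaddress.ip_network(net.lstrip("!"), strict=False))
    conflicts = []
    for name, opts in sections.items():
        if name.startswith("conn ") and "leftsubnet" in opts:
            sub = ipaddress.ip_network(opts["leftsubnet"], strict=False)
            admitted = any(sub.overlaps(a) for a in allowed)
            shielded = any(sub.subnet_of(e) for e in excluded)
            if admitted and not shielded:
                conflicts.append((name, str(sub)))
    return conflicts
```

Running it against the two constructed configs reports the leftsubnet collision for the first and nothing for the second, which is the difference the `!` entry makes.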

