[Openswan Users] Linux-Linux IPsec Tunnel ends at the gateway: no ping over the gateway in the next subnet

Bram Bouwens bbouwens at xs4all.nl
Tue Jul 5 22:36:52 CEST 2005


Foren wrote:
> Bram Bouwens schrieb:
> 
>> Foren wrote:
>>
>>> Paul Wouters schrieb:
>>>
>>>> On Tue, 5 Jul 2005, foren titze wrote:
>>>>
>>>>> Although I have made conn roadwarrior and roadwarrior-net my ping 
>>>>> from the
>>>>> roadwarrior to the subnet behind the vpn-gateway doesn't go through.
>>>>
>>>>>     nat_traversal=yes
>>>>>     #virtual_private=%v4:10.0.0.0/24,%v4:192.168.121.0/24
>>>>
>>>> You must include virtual_private= for nat traversal. You must not 
>>>> include,
>>>> but exclude your leftsubnet= range.
>>>
>>>
>>> virtual_private must be 192.168.121.0/24 at the server and client, or?
>>>
>>>>
>>>>> conn tit-linux-net
>>>>>     leftsubnet=192.168.121.0/24
>>>>>     also=titze-linux
>>>>>
>>>>> conn tit-linux
>>>>>     rightnexthop=192.168.121.1
>>>>
>>>> It seems both left and right are in the same 192.168.121.0/24 
>>>> subnet?????
>>>
>>>
>>>
>>> No, only the Server has two Interfaces. One internal .121.0/24 and 
>>> one external.
>>> The Client has only one interface with, here, an external IP. But 
>>> when the Client is nated, it has an internal IP.
>>>
>>
>> This is not very logical. I think the 192.168.121.0/24 is the network
>> behind the vpn-gateway, which is then considered the `left' side.
>> Then virtual_private=%v4:10.0.0.0/24,......,%v4:!192.168.121.0/24
>> with emphasis on the !
> 
> So virtual_private=%v4:192.168.121.0/24 on the server and 
> virtual_private=%v4:!192.168.121.0/24 on the roadwarrior, right?

I think it could help if you re-read the README.NAT-Traversal
one more time.

The virtual_private tells what the right=%any can be, and is only
needed at the vpn-gateway. So there:

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.121.0/24

> 
>>
>> Then the right side is the roadwarrior, and it can not have 192.168.121.1
>> as its next hop.
>>
> Then I have to remove it on the roadwarrior.

Indeed. The nexthop line is only to figure out which route to set for
the ipsec traffic, but I guess the roadwarrior will have to figure
that out itself (the gateway couldn't care less, it only needs its
own leftnexthop OR %defaultroute).
> 
> I always thought that the configs on right and left side must be identical.

That's how it used to be. That's why there is right and left, not local and
remote. The virtual_private line could be an exception as it describes what
to expect on the remote end. So in a sense that would break the scheme (if
I understand this correctly).

Bram

