[Openswan Users] Linux-Linux IPsec Tunnel ends at the gateway: no ping over the gateway in the next subnet

Foren foren.titze at gmx.net
Tue Jul 5 23:01:59 CEST 2005


Bram Bouwens schrieb:
> Foren wrote:
> 
>> Bram Bouwens schrieb:
>>
>>> Foren wrote:
>>>
>>>> Paul Wouters schrieb:
>>>>
>>>>> On Tue, 5 Jul 2005, foren titze wrote:
>>>>>
>>>>>> Although I have made conn roadwarrior and roadwarrior-net, my ping
>>>>>> from the roadwarrior to the subnet behind the vpn-gateway doesn't go through.
>>>>>
>>>>>>     nat_traversal=yes
>>>>>
>>>>>>     #virtual_private=%v4:10.0.0.0/24,%v4:192.168.121.0/24
>>>>>
>>>>> You must include virtual_private= for nat traversal. You must not 
>>>>> include,
>>>>> but exclude your leftsubnet= range.
>>>>
>>>> virtual_private must be 192.168.121.0/24 at the server and client, or?
>>>>
>>>>>
>>>>>> conn tit-linux-net
>>>>>>     leftsubnet=192.168.121.0/24
>>>>>>     also=titze-linux
>>>>>>
>>>>>> conn tit-linux
>>>>>>     rightnexthop=192.168.121.1
>>>>>
>>>>> It seems both left and right are in the same 192.168.121.0/24 
>>>>> subnet?????
>>>>
>>>> No, only the server has two interfaces: one internal (.121.0/24) and
>>>> one external. The client has only one interface with, here, an external IP. But
>>>> when the client is NATed, it has an internal IP.
>>>>
>>>
>>> This is not very logical. I think the 192.168.121.0/24 is the network
>>> behind the vpn-gateway, which is then considered the `left' side.
>>> Then virtual_private=%v4:10.0.0.0/24,......,%v4:!192.168.121.0/24
>>> with emphasis on the !
>>
>> So virtual_private=%v4:192.168.121.0/24 on the server and 
>> virtual_private=%v4:!192.168.121.0/24 on the roadwarrior, right?
> 
> I think it could help if you re-read the README.NAT-Traversal
> one more time.
> 
I set the virtual_private on the vpn-gateway, but it seems not to be
necessary, because the roadwarrior has no subnet that right=%any has to
be "substituted" with as an internal subnet.
> The virtual_private tells what the right=%any can be, and is only
> needed at the vpn-gateway. So there:
> 
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.121.0/24 
> 
>>
>>>
>>> Then the right side is the roadwarrior, and it can not have 
>>> 192.168.121.1
>>> as its next hop.
>>>
>> Then I have to remove it on the roadwarrior.
> 
> Indeed. The nexthop line is only to figure out which route to set for
> the ipsec traffic, but I guess the roadwarrior will have to figure
> that out itself (the gateway couldn't care less, it only needs its
> own leftnexthop OR %defaultroute).
I removed this parameter, but the problem is still there. The connection
comes up, but ping into the subnet is not possible.

thx ben
> 
>>
>> I always thought that the configs on the right and left side must be identical.
> 
> That's how it used to be. That's why there is right and left, not local and
> remote. The virtual_private line could be an exception, as it describes what
> to expect on the remote end. So in a sense that would break the scheme (if
> I understand this correctly).
> 
> Bram
> 
> 
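The advice in this thread boils down to three checks on the gateway's ipsec.conf: virtual_private= must actually be set when nat_traversal=yes, the leftsubnet= range must be excluded from it with a `!` entry, and a nexthop for the roadwarrior side must not point into the gateway's own subnet. The script below is an added example written for this page, not code from the thread or from Openswan. It reads a small constructed ipsec.conf modelled on the fragments quoted above (the file contents, and the "fixed" variant following Bram's suggested virtual_private line, are constructed for this example), merges also= sections, and reports those three problems; the ipsec.conf and %v4: parsing is this script's own simplified reading of the documented syntax, not Openswan's parser.

```python
import ipaddress
# Constructed sample ipsec.conf modelled on the thread's fragments (not a real file from the post): NAT-T on, virtual_private commented out, rightnexthop pointing into the gateway's own subnet.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/24,%v4:192.168.121.0/24

conn tit-linux-net
    leftsubnet=192.168.121.0/24
    also=tit-linux

conn tit-linux
    left=%defaultroute
    right=%any
    rightnexthop=192.168.121.1
"""

# The same constructed file after the thread's advice: private ranges included, leftsubnet excluded with '!', rightnexthop dropped.
FIXED_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.121.0/24

conn tit-linux-net
    leftsubnet=192.168.121.0/24
    also=tit-linux

conn tit-linux
    left=%defaultroute
    right=%any
"""

def parse_ipsec_conf(text):
    """Minimal reader: section headers at column 0, indented key=value lines, '#' comments."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # "config setup" or "conn NAME"
            parts = line.split()
            if parts[0] == "config" and parts[1:] == ["setup"]:
                current = setup
            elif parts[0] == "conn" and len(parts) == 2:
                current = conns.setdefault(parts[1], {})
            else:
                raise ValueError(f"unknown section header: {line!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return setup, conns

def resolve_also(conns, name, seen=()):
    """Merge a conn's also= section(s) in; the referencing conn's own keys win."""
    if name in seen:
        raise ValueError(f"also= loop at conn {name}")
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = resolve_also(conns, base, seen + (name,)) if base else {}
    merged.update(own)
    return merged

def parse_virtual_private(value):
    """Split virtual_private= into (included, excluded) IPv4 networks; %v6 entries are ignored."""
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue
        cidr = entry[len("%v4:"):]
        if cidr.startswith("!"):
            excluded.append(ipaddress.ip_network(cidr[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(cidr, strict=False))
    return included, excluded

def lint(text):
    """Report the three misconfigurations discussed in the thread, as a list of strings."""
    setup, conns = parse_ipsec_conf(text)
    included, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    problems = []
    if setup.get("nat_traversal") == "yes" and not included:
        problems.append("nat_traversal=yes but virtual_private= sets no %v4 ranges")
    for name in conns:
        conn = resolve_also(conns, name)
        if "leftsubnet" not in conn:
            continue
        left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        overlaps = any(net.overlaps(left) for net in included)
        excluded_ok = any(left.subnet_of(net) for net in excluded)
        if overlaps and not excluded_ok:
            problems.append(f"conn {name}: leftsubnet {left} is in virtual_private but not excluded with %v4:!{left}")
        hop = conn.get("rightnexthop", "")
        if hop and not hop.startswith("%") and ipaddress.ip_address(hop) in left:
            problems.append(f"conn {name}: rightnexthop {hop} lies inside leftsubnet {left}")
    return problems
```

Running `lint(SAMPLE_CONF)` reports the missing virtual_private and the rightnexthop inside the leftsubnet; uncommenting the original virtual_private line swaps the first finding for "leftsubnet is in virtual_private but not excluded", which is the configuration Paul warned about; `lint(FIXED_CONF)` returns an empty list.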



More information about the Users mailing list