[Openswan Users] help for site-to-site vpn
Paul Wouters
paul at xelerance.com
Tue Jun 7 03:34:14 CEST 2005
On Tue, 7 Jun 2005, Yang Xu wrote:
> I can get the host-host connection up with correct encryption. I use
> conn sitevpn
>     authby=secret
>     auto=start
>     left=194.0.1.166
>     #leftsubnet=192.168.2.0/24
>     leftnexthop=194.0.1.138
>     right=194.0.1.138
>     #rightsubnet=192.168.0.0/24
>     rightnexthop=194.0.1.166
>     type=tunnel
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> However, as soon as I uncomment the two lines for leftsubnet and
> rightsubnet and restart the ipsec service, it doesn't seem to work any more.
It does.
> I test with the tcpdump and ping command, the output is below
> [root at racoon ~]# tcpdump dst host 194.0.1.138
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:58:43.151349 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 0
That is not a ping from a host in 192.168.2.0/24 to a host in 192.168.0.0/24.
Either add two tunnels, one with and one without the subnet='s, or use
leftsourceip= and rightsourceip= with the internal IP of the gateway machines.
Paul
--
"I am not even supposed to be here today!" -- Clerks
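The point Paul makes is that an IPsec policy only covers packets whose source and destination fall inside the conn's selectors: once leftsubnet/rightsubnet are set, a ping between the two gateway addresses (194.0.1.166 and 194.0.1.138) is outside the policy and simply goes out in the clear, which is what the tcpdump line shows. The script below is an added illustration, not code from the thread or from Openswan: it parses a minimal ipsec.conf fragment, derives each conn's selectors (falling back to host/32 when no subnet is given, as Openswan does), and reports which conns would cover a given src/dst pair. Both of Paul's remedies are modelled: a second host-to-host conn beside the subnet conn, and leftsourceip/rightsourceip so that a ping issued from a gateway is sourced from its internal address. The conf text, the internal gateway addresses 192.168.2.1 and 192.168.0.1, and the test packets are all constructed for the example.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment (not from the thread): the original conn kept
# as a pure host-to-host tunnel, plus a second conn carrying the two subnets.
# This is Paul's first suggestion ("two tunnels, one with and one without").
TWO_TUNNELS_CONF = """\
conn hostvpn
    authby=secret
    auto=start
    left=194.0.1.166
    leftnexthop=194.0.1.138
    right=194.0.1.138
    rightnexthop=194.0.1.166
    type=tunnel

conn sitevpn
    authby=secret
    auto=start
    left=194.0.1.166
    leftsubnet=192.168.2.0/24
    leftnexthop=194.0.1.138
    right=194.0.1.138
    rightsubnet=192.168.0.0/24
    rightnexthop=194.0.1.166
    type=tunnel
"""

# Constructed variant for Paul's second suggestion: one subnet tunnel whose
# gateways use their (assumed) internal addresses as the source of locally
# generated traffic, so a ping from the gateway itself falls inside the policy.
SOURCEIP_CONF = """\
conn sitevpn
    authby=secret
    auto=start
    left=194.0.1.166
    leftsubnet=192.168.2.0/24
    leftsourceip=192.168.2.1
    leftnexthop=194.0.1.138
    right=194.0.1.138
    rightsubnet=192.168.0.0/24
    rightsourceip=192.168.0.1
    rightnexthop=194.0.1.166
    type=tunnel
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from a minimal ipsec.conf text.

    Handles 'conn NAME' headers, indented key=value lines and '#' comments.
    Top-level lines such as 'include ...' carry no selector data and are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments (also commented-out keys)
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def selectors(conn):
    """Traffic selectors of a conn: leftsubnet/rightsubnet, else the gateway /32."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right


def matching_conns(conns, src, dst):
    """Names of conns whose selectors cover a packet src->dst (either direction)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name, conn in conns.items():
        left, right = selectors(conn)
        if (src in left and dst in right) or (src in right and dst in left):
            hits.append(name)
    return hits


def gateway_ping_source(conn, side):
    """Source address a gateway uses for its own traffic: sourceip if set, else its outer IP."""
    return conn.get(side + "sourceip", conn[side])


if __name__ == "__main__":
    conns = parse_conns(TWO_TUNNELS_CONF)
    # The ping from the thread: gateway to gateway. Only the host-to-host conn covers it;
    # with just the subnet conn loaded it matches nothing and leaves in the clear.
    print(matching_conns(conns, "194.0.1.166", "194.0.1.138"))
    print(matching_conns({"sitevpn": conns["sitevpn"]}, "194.0.1.166", "194.0.1.138"))
    # A ping between LAN hosts is covered by the subnet conn.
    print(matching_conns(conns, "192.168.2.10", "192.168.0.20"))
    # With leftsourceip set, a ping issued on the gateway is sourced from 192.168.2.1.
    sconns = parse_conns(SOURCEIP_CONF)
    src = gateway_ping_source(sconns["sitevpn"], "left")
    print(src, matching_conns(sconns, src, "192.168.0.20"))
```

The practical check this encodes: before reading tcpdump output as "the tunnel is down", confirm the packet you are testing with actually falls inside a loaded policy's selectors, either by pinging from a LAN host behind each gateway or by pinging from the gateway with a source address inside its leftsubnet/rightsubnet.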