[Openswan Users] Extruded subnet problem
Gömöri Zoltán
suf at freemail.hu
Fri Jun 24 22:39:10 CEST 2005
Hi,
I'm new to the IPsec VPN business.
I'm using two Debian Sarge machines as VPN gateways (Openswan v2.2.0-8,
kernel 2.6.8-2, native IPsec).
I have the following configuration:
various          a.b.c.d                        e.f.g.h
subnets == router == subnet == vpn gw l ================ vpn gw r == subnet
10.x.x.0        10.15.1.0/24       internet                10.15.14.0/24
ipsec.conf:

#Disable Opportunistic Encryption:
include /etc/ipsec.d/examples/no_oe.conf

conn Test
        left=a.b.c.d
        leftsubnet=10.0.0.0/8
        leftid=@leftvpn.com
        leftrsasigkey=XXXXXXXXXXXXXXXX
        leftnexthop=i.j.k.l
        right=e.f.g.h
        rightsubnet=10.15.14.0/24
        rightid=@rightvpn.com
        rightrsasigkey=YYYYYYYYYYYYYYYY
        rightnexthop=m.n.o.p
        auto=add
When I start the VPN connection, I can't even ping the right gateway's
internal Ethernet interface (eth1, 10.15.14.1) from the right subnet, but I
can ping the machines in the various subnets from the right subnet. That is not
the major problem, but when I try to connect with an RDP client to a Windows XP
machine in the right subnet from any of the right subnets, I get an empty blue
screen and it drops the connection after a while. When I generated some logs
I realized what was happening. After the connection request the Windows XP on
the right side sent a 1500-byte packet; the right gateway responded
with an ICMP type 3 code 4 packet directing the XP machine to send 1444-byte
packets at most (1500 bytes - 56 bytes of IPsec header), but this packet never
reached the XP machine because the right gateway sent it through the
tunnel instead of to the right subnet.
The two related routes from the routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.15.14.0      *               255.255.255.0   U     0      0        0 eth1
10.0.0.0        m.n.o.p         255.0.0.0       UG    0      0        0 eth0
If I'm correct, the first route should have priority over the second one, but
the packets do not travel according to it.
Can anybody tell me what I've done incorrectly?
Thank you, and sorry for my bad English.
Zoltan
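The post's own configuration has a property worth checking mechanically: leftsubnet 10.0.0.0/8 contains rightsubnet 10.15.14.0/24, so on the right gateway a packet from 10.15.14.1 to a host in its own 10.15.14.0/24 is both "local, via eth1" by the routing table and "rightsubnet to leftsubnet" by the tunnel's traffic selectors. The following Python script is an added example, not code from the post or from Openswan. It transcribes the post's selectors and the two routes, then shows what plain longest-prefix routing would pick for the ICMP packet versus what the IPsec selector matches, and computes the prefixes leftsubnet would have to be split into so that it no longer covers the right-hand subnet. It assumes that the kernel's IPsec policy lookup is consulted before the routing table decides the egress (the `egress` helper encodes that assumption), and the XP host address 10.15.14.20 is constructed.

```python
import ipaddress

# Transcribed from the ipsec.conf in the post: only the selectors matter here.
CONN = {
    "leftsubnet": "10.0.0.0/8",
    "rightsubnet": "10.15.14.0/24",
}

# Transcribed from the post's routing table on the right gateway:
# (destination, genmask, interface).
ROUTES = [
    ("10.15.14.0", "255.255.255.0", "eth1"),
    ("10.0.0.0", "255.0.0.0", "eth0"),
]

RIGHT_GW_ETH1 = "10.15.14.1"   # from the post
XP_HOST = "10.15.14.20"        # constructed address for the XP machine


def selectors(conn):
    """Return (leftsubnet, rightsubnet) as network objects."""
    return (ipaddress.ip_network(conn["leftsubnet"]),
            ipaddress.ip_network(conn["rightsubnet"]))


def subnets_overlap(conn):
    """True when one side's subnet contains (part of) the other's."""
    left, right = selectors(conn)
    return left.overlaps(right)


def matches_policy(conn, src, dst, side="right"):
    """Would an outbound packet src->dst on this gateway match the conn's
    traffic selectors?  On the right gateway the outbound selector is
    rightsubnet -> leftsubnet; on the left gateway it is the reverse."""
    left, right = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if side == "right":
        return s in right and d in left
    return s in left and d in right


def route_lookup(routes, dst):
    """Longest-prefix match over the plain routing table; returns the interface
    or None when no route covers dst."""
    d = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for dest, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def egress(conn, routes, src, dst, side="right"):
    """Assumption: the IPsec policy is consulted before the routing table picks
    the egress interface, so a selector match wins over a more specific route."""
    if matches_policy(conn, src, dst, side):
        return "ipsec tunnel"
    return route_lookup(routes, dst)


def non_overlapping_leftsubnets(conn):
    """Prefixes covering leftsubnet minus rightsubnet: what leftsubnet would
    have to be split into so that right-side local traffic no longer matches
    the tunnel selector.  Empty list if leftsubnet lies wholly inside rightsubnet."""
    left, right = selectors(conn)
    if right.subnet_of(left):
        return sorted(left.address_exclude(right))
    if left.subnet_of(right):
        return []
    return [left]


if __name__ == "__main__":
    print("selectors overlap:", subnets_overlap(CONN))
    print("plain route for", XP_HOST, "->", route_lookup(ROUTES, XP_HOST))
    print("ICMP from", RIGHT_GW_ETH1, "to", XP_HOST, "->",
          egress(CONN, ROUTES, RIGHT_GW_ETH1, XP_HOST))
    for net in non_overlapping_leftsubnets(CONN):
        print("  leftsubnet candidate:", net)
```

Run as-is the script reports that the selectors overlap, that the routing table alone would send the ICMP out of eth1, and that the tunnel selector matches it instead; it then lists the sixteen prefixes (10.128.0.0/9 down to 10.15.15.0/24) that together equal 10.0.0.0/8 minus 10.15.14.0/24. Whether to express that as several conns or a different remedy is a configuration choice for the poster's setup; the script only makes the overlap and its consequence visible.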