[Openswan Users] Host to net VPN question

Glenn MacGregor gtm at highstreetnetworks.com
Wed Mar 30 14:32:16 CEST 2005


I must be misunderstanding something here. My setup:

INTERNET ==== My Router ---- Switch1 --- PIX --- Switch2 --- Internet Network
                                |               /             (
                                |              /
                                |             /
                                |(eth1)      /(eth0)
                                IPSec Gateway

Everything on the internet net has a gateway of Switch2. The gateway of Switch2
is internal interface of the PIX. So all inbound and outbound traffic goues
through the pix, except for the traffic going through the IPSec box (this will
change when I get this working). 

As a roadwarrior I connect to the IPSec gateway through the internet and create
a tunnel, OpenSwan does that great. I have the tunnel up and running. After the
tunnel is created what is OpenSwan supposed to do? Does it call any scripts or
anything to change routing or is it supposed to setup some firewall rules to do
NAT? I know it doesn't assign the tunnel an ipaddress on the local net (that is
the job of L2TP). So at the point when the tunnel is up I have a connection from
my laptop (on dialup) to the IPSec gateway. The point of the VPN connection is
to give me access to all the internal servers (file server...). 
Packets coming from my laptop have a source address of what ever the dialup gave
me (public address -- If no routing changes occur and/or the
tunnel doesn't get an ip on the local network when a packet with that source
address hits any machine in my internal network it will be sent by Switch2 --
PIX --Switch1 -- Router -- Internet. I want it sent Switch2 -- IPSec Gateway --
tunnel -- laptop. How is the machine on the internal network going to know to do

I am very sorry if I am unclear explaining this. I am completly confused.

Thanks for your patience.


Quoting Jacco de Leeuw <jacco2 at dds.nl>:

> Glenn MacGregor wrote:
> > I make the connection to the ipsec gateway using certificates. I can ping
> the
> > internal interface of the ipsec gateway (I did turn forwarding on in the
> kernel)
> > and get a response. If I ping another box on the internal network I get
> no
> > response. I did run tcpdump on the box I am trying to ping, I see the ping
> come
> > in and the pong go out.
> tcpdump on the IPsec gateway itself will only work if you are using KLIPS.
> Otherwise tcpdump and other sniffers such as Ethereal will get confused.
> In that case you need to run the sniffer on a separate box somewhere
> between
> the client and the server.
> > The problem (I think) is that when the ping comes in it
> > has a public address so when any internal box tries to respond the response
> goes
> > out its default gateway (not the ipsec gateway) trying to get there.
> Perhaps you could post some more details about your setup. And upload the
> output of 'ipsec barf' somewhere.
> Jacco
> -- 
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

Glenn MacGregor
HighStreet Networks

This mail sent through IMP: http://horde.org/imp/

More information about the Users mailing list