[Openswan Users] Question about firewalls...
Alexander Samad
alex at samad.com.au
Wed May 25 10:38:06 CEST 2005
This is a src address issue.
When you ping from either firewall (start/end point of the ipsec tunnel),
the src address used doesn't fit in the ipsec tunnel.
192.168.10.5------192.168.10.1+++12.12.12.12 .. .. .. .. .. .. .
13.13.13.13+++ 192.168.8.1----- 192.168.8.5
So
lan A (192.168.10.x/24 - gw firewall on 192.168.10.1, external ip of 12.12.12.12)
lan B (192.168.8.x/24 - gw firewall on 192.168.8.1, external ip of 13.13.13.13)
Pinging from either .5 machine to the other works okay, e.g. 192.168.10.5 to
192.168.8.5.
place          src address     dst address
192.168.10.5   192.168.10.5    192.168.8.5
gw1            192.168.10.5    192.168.8.5
gw2            192.168.10.5    192.168.8.5
192.168.8.5    192.168.10.5    192.168.8.5
But when you ping from gw1 to 192.168.8.5 your routing will set the source
address of the packet to 12.12.12.12 and this will not fall in the ipsec
tunnel. So to be able to ping from gw1 to 192.168.8.0 do something like
ip r a 192.168.8.0/24 dev XXXX via YYYY src 192.168.10.1
and vice versa on gw2.
Hope that helps
Alex
> Hello
>
>
> Today I have successfully connected 2 subnets with Openswan but have one
> additional question. Openswan is up and running on two firewalls.
>
> Question is:
> Host from subnet "A" can ping host from subnet "B" and vice versa, but I can't
> ping any host in subnet A from subnet B's firewall.... of course I also can't
> ping any host in subnet B from subnet A's firewall. Is it normal? What can I
> do to ping hosts from firewalls?
>
> Thanks,
> Marcin
>
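To make the source-selection point concrete, here is an added example (not code from the thread or from Openswan) that models gw1's routing table before and after the extra route and checks whether the chosen source address falls inside the tunnel's LAN-to-LAN policy. Interface names eth0/eth1 and the next hop are assumed; the addresses are the ones used in the thread.

```python
import ipaddress

# Constructed to mirror the thread: LAN A behind gw1 (192.168.10.1 / 12.12.12.12),
# LAN B behind gw2 (192.168.8.1 / 13.13.13.13). The IPsec policy only covers
# traffic between the two LAN prefixes, not the firewalls' external addresses.
TUNNEL_SELECTORS = [
    (ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("192.168.8.0/24")),
    (ipaddress.ip_network("192.168.8.0/24"), ipaddress.ip_network("192.168.10.0/24")),
]

# gw1's routing table before the fix (interface names are assumed).
GW1_ROUTES_BEFORE = [
    {"prefix": ipaddress.ip_network("0.0.0.0/0"), "dev": "eth0", "iface_addr": "12.12.12.12"},
    {"prefix": ipaddress.ip_network("192.168.10.0/24"), "dev": "eth1", "iface_addr": "192.168.10.1"},
]

# The same table after 'ip r a 192.168.8.0/24 dev eth0 via <next-hop> src 192.168.10.1'.
GW1_ROUTES_AFTER = GW1_ROUTES_BEFORE + [
    {"prefix": ipaddress.ip_network("192.168.8.0/24"), "dev": "eth0",
     "iface_addr": "12.12.12.12", "src": "192.168.10.1"},
]


def select_source(routes, dst):
    """Source address used for a locally generated packet to dst: the longest
    matching prefix wins; its 'src' hint if set, else the outgoing interface address."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r["prefix"] and (best is None or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best.get("src") or best["iface_addr"]


def matches_tunnel(src, dst):
    """True if the (src, dst) pair falls inside one of the IPsec policy selectors."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in TUNNEL_SELECTORS)


def check_ping(routes, dst):
    """Return (chosen source address, whether that packet will be carried by the tunnel)."""
    src = select_source(routes, dst)
    return src, matches_tunnel(src, dst)


if __name__ == "__main__":
    for label, routes in (("before", GW1_ROUTES_BEFORE), ("after", GW1_ROUTES_AFTER)):
        src, ok = check_ping(routes, "192.168.8.5")
        print(f"{label}: src={src} tunneled={ok}")
```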