[Openswan Users] An internal VPN

John John at DMJ-Consultancy.co.uk
Wed Nov 2 23:58:56 CET 2005 

Due to current circumstances, I have two separate networks, L and R, on 
the same side of an ADSL modem and need to setup a VPN between them. 
They both share the ADSL modem, 10.0.E.2, as their common, default gateway.
Note that E, L & R are used to identify the subnets for this discussion 
only and are normally replaced with valid, distinct, octet numbers. 
Under normal circumstances, these two networks would be in differing 
geographical locations, linked via the Internet.

I would hope that the L subnet could treat the R subnet as if it were 
the same network and vice versa but all traffic between the two subnets 
seems to disappear up the ADSL modem to oblivion. How can I sort this?

Left / local / L net = 192.168.L.0/24, default gateway = 10.0.E.2
  |
  |
Netgear FVS318 DSL router 192.168.L.1
External interface = 10.0.E.32
  |
  |
Hub----->ADSL Modem 10.0.E.2------>Internet
  |
  |
External interface = 10.0.E.31
Server running SuSE10 + Swan/IPSEC
Internal interface 192.168.R.31
  |
  |
Right / remote / R net = 192.168.R.0/24, default gateway = 10.0.E.2

Extract from ipsec.conf for Right server:

conn PJ-Local
    keyingtries=3
    auto=start
    authby=secret
    keyexchange=ike
    ikelifetime=1440m
    type=tunnel
    pfs=yes
    keylife=480m
    left=10.0.E.32
    leftsubnet=192.168.L.0/24
    leftnexthop=10.0.E.31
    leftid = 10.0.E.32
    right=10.0.E.31
    rightsubnet=192.168.R.0/24
    rightnexthop=10.0.E.32
    rightid = 10.0.E.31


At the Netgear FVS318, the VPN is configured:

Name PJ-Local
Local IPSEC identifier = 10.0.E.32
Remote IPSEC identifier = 10.0.E.31
Tunnel can be accessed from - a subnet of address
Local start IP address = 192.168.L.0 / 24
Tunnel can access - a subnet of remote address
Remote start IP address = 192.168.R.0 / 24
Remote WAN IP = 10.0.E.31
with 3DES, preshared key, key life and IKE life time to match above.

The Netgear's VPN status screen does show that the VPN is up but I can 
not get a computer on one side to ping / traceroute to a device on the 
other (either way, L->R or R->L).

For reference, the link http://www.murphyauto.com/pdf/NG318toSwan.pdf 
from http://wiki.openswan.org/index.php/NetGear%20FVS318 formed the 
basis for my configuration.

What am I doing wrong??

Thanks, in advance

John

More information about the Users mailing list