[Openswan Users] multiple ipsec interface issue - any ideas?

Martin Glazer sourceforge at glazer.ca
Thu Nov 3 17:13:07 CET 2005


On November 3, 2005 10:48, Ryley Breiddal wrote:
> Martin Glazer wrote:
> > I'm running OpenSwan 1.0.9 on a firewall with 2 internet connections
> > - one being the default route (eth1) and the other (eth0)
> > specifically for traffic to a single application provider.
> >
> > Openswan is setup on the default interface (eth1) and works perfectly
> > using certificates and roadwarrior connections - this is ipsec0
> >
> > I am trying to setup Openswan on the second interface (eth0) as well
> > and have designated this as ipsec1.
> >
> > The issue I am having is that all vpn connections to ipsec1 do not
> > complete - they all stop at
> > "transition from state (null) to state STATE_MAIN_R1 "
> > and then nothing else.
> >
> > I have checked the firewall rules (and even disabled the firewall
> > completely) and there is nothing there preventing IKE packets.
> >
> > When running tcpdump on both interfaces, I see the original IKE
> > request come in on the correct interface (eth0/ipsec1), but outgoing
> > replies are on the default route interface (eth1/ipsec0).
> >
> > Anybody have any ideas on solving this or can explain why it is
> > happening?
>
> This may be too simple, but it sounds an awful lot like a routing issue.
> If you look at your routing table, do you have a route via eth0 back to
> the source of the original IKE request?  Is it above any route via
> ipsec1?
>
> Generally, you should have a routing table like this:
> <ip of application> dev eth0
> <ip of application> dev ipsec1
> <assorted RWs> via <default gateway> dev ipsec0
> <subnet of gateway> dev eth1
> default via <gateway> dev eth1
>

Thanks for the response...

You may be right and that this is a simple routing issue - I will check my 
routes and see if they are right.

This is what I would like

                       default route
                       ==== 1.1.1.1 (eth1/ipsec0) --- Road Warriors
                       |
192.168.0.0/24 =|
                       |
                       ==== 2.2.2.2 (eth0/ipsec1) --- 3.3.3.3 == 172.16.1.0/24

How would I have to set this up then in order to get the VPN's correct?

Thanks

Martin




More information about the Users mailing list