[Openswan Users] Roadwarrior and route troubles
Vincent SCHULTZ
vincent.schultz at wanadoo.fr
Thu Sep 1 17:31:01 CEST 2005
Ok,
There is something I do not understand, and the more I read the answers, the more I get lost ;-). So I restart it from the beginning and I will try to understand:
I have a firewall (with no rule) linux box FC4 named sgw1 (openswan 2.3.1 on kernel 2.6.9). There is an interface (eth1:10.10.45.1) in the private LAN 10.10.45.0/24 and another interface (eth0:152.18.31.45) in 152.18.31.0/24. The gateway is 152.18.31.173, it is just a simple router.
Somewhere in another network (203.41.30.0/24), there is a linux FC3 laptop with dynamic IP address. The aim is to connect the laptop 203.41.30.X in the LAN 10.10.45.0. The 2 networks are connected, the laptop can ping SGW1 and SGW1 pings the laptop. Note that the network 10.10.45.0 is not known by the router 152.18.31.173 and it is not natted by SGW. So a client in 10.10.45.0 cannot ping anything outside its network.
The first question: With which IP address can the laptop connect to the LAN 10.10.45.0 (which it is known on the LAN)? With a "public" address (203.41.30.X)? With an address in 10.10.45.0 given by DHCP (there is a DHCP server in the private LAN)? Or a fixed one (for example 10.10.45.111)? Or with another (virtual?) private address 192.168.10.X chosen by the laptop?
What is the best solution? I am confused...
I read the wiki but I don't understand the sample roadwarrior configuration. On the server:
left=192.0.2.2 # Gateway's information
leftsubnet=192.0.2.128/29
...
right=%any
And on the laptop:
left=%defaultroute
...
right=192.0.2.10 # Remote information
rightsubnet=10.0.0.0/24
...
For me, the right/left do not match (the left and right should be the same, no?), nor the subnet. Can someone explain it to me please? In that case, what would be the address of the laptop on the LAN?
In which case do we use the directives "virtual_private=%v4:192.168.10.0/24" and "rightsubnet=vhost:%priv"?
Thank you for your help,
Vincent
On Thursday, 01 September 2005 at 14:56 +0200, Paul Wouters wrote:
On Thu, 1 Sep 2005, Vincent SCHULTZ wrote:
>
> >
> > The sniff of the ping to the 10.10.45.13 client on the mobile device :
> >
> > 13:46:39.598719 IP 203.41.30.111 > 10.10.45.13: icmp 64: echo request seq 118
> > 13:46:39.598803 IP 203.41.30.254 > 203.41.30.111: icmp 92: net 10.10.45.13 unreachable
> >
> > Then it tries to access directly 10.10.45.13 and the gateway 203.41.30.254 doesn't know the ip route. The traffic is not ESP encapsulated.
>
> If you really want a LAN-LAN connection, define both sides to use that
> 192.168.0.0/24 subnet. If you want host to lan, remove it from the client's
> end.
>
> I'm not sure why your (linux?) mobile device is not properly sending out
> packets over ESP if you have a proper tunnel defined. Show the output of
> 'ipsec barf' when the tunnel is established.
>
> Paul
>
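As an added example (not from the wiki fragments quoted above nor from Paul's reply): the two wiki snippets rewritten as one consistent server/client pair for the host-to-LAN case Paul describes (no subnet on the client end), using the addresses from this thread. In Openswan, left and right are just the two ends of the conn; each host works out which end it is by matching its own address, so "left" on the server and "right" on the laptop describe the same gateway. The identities, the rsasig key placeholders and the %no fallback are my assumptions.

```conf
# ---- /etc/ipsec.conf on sgw1 (152.18.31.45) ----
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    # Private ranges a roadwarrior is allowed to announce as its
    # virtual address; needed only when a conn uses vhost:%priv.
    virtual_private=%v4:192.168.10.0/24

conn roadwarrior
    left=152.18.31.45            # the gateway itself
    leftsubnet=10.10.45.0/24     # the LAN behind it (eth1)
    leftnexthop=152.18.31.173    # the plain router in front of it
    leftid=@sgw1
    right=%any                   # any laptop address (dynamic IP)
    rightid=@laptop
    # %no  : accept a client that uses only its own public address
    #        (host-to-LAN, as Paul suggests for the laptop)
    # vhost:%priv : also accept a client that announces one address
    #        from virtual_private (the 192.168.10.X option)
    rightsubnet=vhost:%priv,%no
    authby=rsasig
    leftrsasigkey=0sPLACEHOLDER_from_ipsec_showhostkey_on_sgw1
    rightrsasigkey=0sPLACEHOLDER_from_ipsec_showhostkey_on_laptop
    auto=add                     # wait for the roadwarrior to initiate

# ---- /etc/ipsec.conf on the laptop (203.41.30.X, dynamic) ----
conn roadwarrior
    left=%defaultroute           # whatever address the laptop has today
    leftid=@laptop
    # no leftsubnet: the laptop talks to the LAN with its own address
    right=152.18.31.45           # the gateway, seen from the laptop
    rightsubnet=10.10.45.0/24    # the LAN reachable through the tunnel
    rightid=@sgw1
    authby=rsasig
    leftrsasigkey=0sPLACEHOLDER_from_ipsec_showhostkey_on_laptop
    rightrsasigkey=0sPLACEHOLDER_from_ipsec_showhostkey_on_sgw1
    auto=start                   # the laptop brings the tunnel up
```

With this pair, packets from the laptop to 10.10.45.0/24 match the conn's rightsubnet and leave as ESP instead of going to 203.41.30.254 in clear text, which is the symptom shown in the sniff above; the LAN hosts then see the laptop's public address as the source.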