[Openswan Users] pinging one way and not the other

Norman Rasmussen normanr at gmail.com
Sat Sep 10 00:37:08 CEST 2005


Are the gateways the default for all the hosts in the network? i.e. do
the hosts know that the other network is behind the gateway?

If these new gateways are not the defaults, you might have to add some
routes on your default gateways to set the remote network via the
openswan gateway.

I'm surprised ping is working the one way...

By the network size I assume net 1 is 'head office' and net 2 is 'sub
office'.  And I assume that the net 1 default gateway knows to access
net 2 via gateway 1.  Also I assume that net 2's default gateway does
_not_ know to access net 1 via gateway 2 at the moment.  Does this all
sound correct?

Norman

On 07/09/05, mlist <mlist at opendoor.fr> wrote:
> hello list
> 
> i have a problem setting up something as simple as an interconnection with
> a preshared key.
> 
> topology is as follows:
> net 1 is 10.0.0.0/8 with public ip x.x.x.x
> 
> net 2 is 192.168.10.0/24 with public ip y.y.y.y
> 
> configuration for gateway 1:
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> config setup
>         interfaces = "%defaultroute"
>         klipsdebug = none
>         plutodebug = all
>         uniqueids = yes
> 
> include /etc/ipsec.d/examples/no_oe.conf
> conn od_test
>         type = tunnel
>         pfs = yes
>         left = %defaultroute
>         right = y.y.y.y
>         rightsubnet = 192.168.10.0/255.255.255.0
>         leftsubnet = 10.0.0.0/255.0.0.0
>         auto = start
>         keyexchange = ike
>         authby = secret
>         auth = esp
>         keyingtries = 0
>         esp = 3DES-SHA1
>         ike = 3DES-SHA-MODP1024
>         ikelifetime = 61m
>         keylife = 3637
>         rekeyfuzz = 1%
>         rekeymargin = 60m
> 
> 
> configuration for gateway 2 is the same, except for left and right stuff
> which have been edited accordingly.
> 
> /etc/init.d/ipsec start on both sides gives no error
> 
> ipsec auto --status gives the following
> 000 #1: pending Phase 2 for "od_test" replacing #0
> 000 #1: pending Phase 2 for "od_test" replacing #0
> 000
> 000 192.168.10.5/32:0 -6-> 10.0.0.4/32:0 => %hold 0    %acquire-netlink
> 
> then the funny part:
> 
> gateways cannot ping each other, but from what i know this is kind of
> expected.
> 
> hosts from net 1 _can_ ping hosts in net 2
> 
> hosts in net 2 _cannot_ ping hosts in net 1
> 
> ping is the only thing working; vnc, ssh, telnet don't work.
> 
> i bet this is a routing or firewall problem, but i can't put my finger on it.
> 
> any help will be very much appreciated
> 
> 
> thanks in advance
> 
> 
> --
> thomas Constans
> 04 78 68 17 34
> www.opendoor.fr
> thomas.constans at opendoor.fr


-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
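The asymmetric-route situation Norman describes, worked through as an added example (not code from the thread or from Openswan): each LAN's default gateway is a separate router, net 1's knows net 2 is behind gateway 1, net 2's has no route back to 10.0.0.0/8. Node names and the routing tables are constructed assumptions; the model traces a ping request and its reply with longest-prefix matching, then adds the static route Norman suggests.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the thread's topology: net 1 (10.0.0.0/8) behind gateway 1,
# net 2 (192.168.10.0/24) behind gateway 2, each LAN with its own default gateway
# that is NOT the openswan box. Node names and tables are assumptions for this model;
# "deliver" means the node sits on the destination LAN, "internet" means the packet
# leaves via the default route and never reaches the other network.
ROUTES = {
    # net 1's default gateway already knows net 2 is reachable via gateway 1
    "net1-default-gw": {"10.0.0.0/8": "deliver", "192.168.10.0/24": "gateway1", "0.0.0.0/0": "internet"},
    "gateway1": {"10.0.0.0/8": "deliver", "192.168.10.0/24": "gateway2", "0.0.0.0/0": "internet"},  # -> tunnel
    "gateway2": {"192.168.10.0/24": "deliver", "10.0.0.0/8": "gateway1", "0.0.0.0/0": "internet"},  # -> tunnel
    # net 2's default gateway has no route for 10.0.0.0/8 yet (Norman's third assumption)
    "net2-default-gw": {"192.168.10.0/24": "deliver", "0.0.0.0/0": "internet"},
}

def lookup(table, dst):
    """Longest-prefix match over one node's routing table, as a kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(routes, first_hop, dst, max_hops=8):
    """Follow next hops from a host's default gateway; return (path, delivered)."""
    node, path = first_hop, [first_hop]
    for _ in range(max_hops):
        nexthop = lookup(routes[node], dst)
        if nexthop == "deliver":
            return path, True
        if nexthop is None or nexthop == "internet":
            return path + ["internet"], False
        node = nexthop
        path.append(node)
    return path, False  # routing loop

def round_trip(routes, src_gw, src, dst_gw, dst):
    """A ping only works if both the request and the reply are delivered."""
    request, ok_req = trace(routes, src_gw, dst)
    reply, ok_rep = trace(routes, dst_gw, src)
    return {"request": request, "reply": reply, "works": ok_req and ok_rep}

def with_route(routes, node, prefix, nexthop):
    """Copy of the tables with one static route added (the fix Norman suggests)."""
    fixed = deepcopy(routes)
    fixed[node][prefix] = nexthop
    return fixed

if __name__ == "__main__":
    print(round_trip(ROUTES, "net1-default-gw", "10.0.0.4", "net2-default-gw", "192.168.10.5"))
    fixed = with_route(ROUTES, "net2-default-gw", "10.0.0.0/8", "gateway2")
    print(round_trip(fixed, "net1-default-gw", "10.0.0.4", "net2-default-gw", "192.168.10.5"))
```

Before the fix the request reaches gateway 2 but the reply leaks out of net 2's default route; after adding the route the reply comes back through the tunnel. On a real Linux gateway, `ip route get <address>` shows which next hop the kernel would actually pick for each direction.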