[Openswan Users] Openswan and default gw
Goran Zugelj
gzugelj at vuka.hr
Tue Sep 20 13:29:51 CEST 2005
Hi!
In the very beginning, I apologize for my bad English. I hope you'll
understand my question, so here it goes:
On the "left" side there is an "internet gw/firewall/vpn gw" and on the
"right" side there is only a "vpn gw". It looks like this:
           LEFT SUBNET
         192.168.0.0/20
         (255.255.240.0)
                |
                |
                |  +------------------+           (NAT)
    192.168.0.1-| left gw/firewall |-193.198.2.8---193.198.2.1(router)--internet
                   +------------------+
                           |
                  192.168.255.1/29
                  (255.255.255.240)
                           |
                           |
                          /
                         /_  (this is wireless link)
                        /
                           |
                           |
                  192.168.255.2/29
                  (255.255.255.240)
                           |
                    +--------------+
     192.168.16.1-| right vpn gw |
          |         +--------------+
          |
          |
   192.168.16.0/20
   (255.255.240.0)
     RIGHT SUBNET
What I'm trying to do here is to make a VPN tunnel between the LEFT and
RIGHT subnets, but also to make address 193.198.2.8 the default gw to the
internet for the RIGHT subnet (the one across the wireless link). The VPN
tunnel between the LEFT and RIGHT subnets works fine. From the LEFT subnet
I can go to the internet, but from the RIGHT one I can't. I even tried to
set up 2 tunnels: one from the LEFT subnet to the RIGHT subnet, and a
second one from the RIGHT subnet to HOST 193.198.2.8, from where I would
be doing NAT. But it doesn't work. The tunnel works, but again, I can't
ping anything that is behind that IP.
This is the initial setup (where I expected the left gw would do the
routing the right way by default):
ipsec.conf:

config setup
        # KLIPS virtual interface bound to the physical interface of the link
        interfaces="ipsec0=eth2"
        klipsdebug=none
        plutodebug=none
        # load and start every conn according to its auto= setting
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=0
        authby=rsasig

conn test
        left=192.168.255.1
        leftsubnet=192.168.0.0/20
        leftrsasigkey=0s...
        right=192.168.255.2
        rightsubnet=192.168.16.0/20
        rightrsasigkey=0s...
        auto=start
As I said earlier, the tunnel works fine. But what am I missing here?
I was hoping that the left gw would do the routing for the RIGHT side too.
Now I understand that is not possible by default. So the final question
is: how do I do it properly?
P.S.
Once again, I hope I explained it well enough; if not, I'll do my best
next time.
Greetings,
G. Zugelj
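Added example (not from the post above or from Openswan): a small model of how the conn selectors above decide which flows get IPsec protection. With only the "test" conn, a packet from the RIGHT subnet to an internet host matches no selector and leaves the right gateway in the clear over the wireless link; the "test-default" conn is a hypothetical addition with a 0.0.0.0/0 left selector showing how such flows become covered. The flow addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One ipsec.conf conn reduced to its traffic selectors."""
    name: str
    leftsubnet: str
    rightsubnet: str


def matching_conn(conns, src, dst):
    """Return the most specific conn whose selectors cover src->dst
    (in either direction), or None if the flow is not protected."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for conn in conns:
        left = ipaddress.ip_network(conn.leftsubnet)
        right = ipaddress.ip_network(conn.rightsubnet)
        for a, b in ((left, right), (right, left)):
            if src in a and dst in b:
                specificity = a.prefixlen + b.prefixlen
                if best is None or specificity > best[0]:
                    best = (specificity, conn)
    return best[1] if best else None


def classify_flows(conns, flows):
    """Map each (src, dst) pair to the protecting conn name or 'CLEARTEXT'."""
    result = {}
    for flow in flows:
        conn = matching_conn(conns, *flow)
        result[flow] = conn.name if conn else "CLEARTEXT"
    return result


# The conn from the post: only LEFT subnet <-> RIGHT subnet is selected.
ORIGINAL = [Conn("test", "192.168.0.0/20", "192.168.16.0/20")]

# Hypothetical second conn (not in the post): a catch-all left selector so the
# RIGHT subnet's internet-bound traffic is carried inside the tunnel to the left
# gateway. The left gateway's NAT rule must then also cover 192.168.16.0/20.
WITH_DEFAULT_ROUTE = ORIGINAL + [Conn("test-default", "0.0.0.0/0", "192.168.16.0/20")]

# Constructed sample flows: RIGHT->LEFT, RIGHT->internet, LEFT->internet.
FLOWS = [("192.168.16.10", "192.168.0.10"),
         ("192.168.16.10", "198.51.100.7"),
         ("192.168.0.10", "198.51.100.7")]

if __name__ == "__main__":
    for label, conns in (("original", ORIGINAL), ("with default route", WITH_DEFAULT_ROUTE)):
        print(label, classify_flows(conns, FLOWS))
```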