[Openswan Users] Openswan and default gw

Paul Wouters paul at xelerance.com
Wed Sep 21 19:53:09 CEST 2005


On Tue, 20 Sep 2005, Goran Zugelj wrote:

> Date: Tue, 20 Sep 2005 12:29:51 +0200
> From: Goran Zugelj <gzugelj at vuka.hr>
> To: users at openswan.org
> Subject: [Openswan Users] Openswan and default gw
> 
> Hi!
>
> In the very beginning, I apologize for my bad English. I hope you'll
> understand my question, so here it goes:
>
> On "left" side there is an "internet gw/firewall/vpn gw"  and on the
> "right" side is only "vpn gw". It looks like this:
>
>
>  LEFT SUBNET
>  192.168.0.0/20
> (255.255.240.0)
>       |
>       |
>       |      +------------------+    (NAT)
>  192.168.0.1-| left gw/firewall |-193.198.2.8---193.198.2.1(router)--internet
>              +------------------+
>                       |
>               192.168.255.1/29
>               (255.255.255.240)
>                       |
>                       |
>                       /
>                      /_  (this is wireless link)
>                        /
>                       |
>                       |
>               192.168.255.2/29
>               (255.255.255.240)
>                       |
>                +--------------+
>   192.168.16.1-| right vpn gw |
>        |       +--------------+
>        |
>        |
>   192.168.16.0/20
>   (255.255.240.0)
>    RIGHT SUBNET
>
>
> What I'm trying to do here is to make a VPN tunnel between the LEFT and RIGHT
> subnets, but also to make address 193.198.2.8 the default gw to the internet for the
> RIGHT subnet (the one across the wireless link). The VPN tunnel between the
> LEFT and RIGHT subnets works fine. From the LEFT subnet I can go to the internet,
> but from the RIGHT one, I can't. I even tried to set up 2 tunnels: one
> from the LEFT subnet to the RIGHT subnet, and a second one from the RIGHT subnet to
> HOST 193.198.2.8, from where I would be doing NAT. But it doesn't work.
> The tunnel works, but again, I can't ping anything that is behind that IP.
>
> This is the initial setup (where I expected the left gw would do the routing
> the right way by default):
>
>
> ipsec.conf:
>
> config setup
>         interfaces="ipsec0=eth2"
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         plutowait=no
>         uniqueids=yes
>
> conn %default
>         keyingtries=0
>         authby=rsasig
>
> conn test
>         left=192.168.255.1
>         leftsubnet=192.168.0.0/20
>         leftrsasigkey=0s...
>         right=192.168.255.2
>         rightsubnet=192.168.16.0/20
>         rightrsasigkey=0s...
>         auto=start
>
> As I said earlier, the tunnel works fine. But what am I missing here?

You did not allow "traffic from right to anywhere outside left" to go
through the tunnel. What you want is:

  conn test
          left=192.168.255.1
          leftsubnet=0.0.0.0/0
          leftrsasigkey=0s...
          right=192.168.255.2
          rightsubnet=192.168.16.0/20
          rightrsasigkey=0s...
          auto=start

This will tunnel ALL traffic to the left gw. That one can then
either send the packets on to the left subnet, or it can NAT
the traffic when it goes out the internet interface.

Paul

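The reply only covers the ipsec.conf side. The left gw must also forward and NAT the decrypted packets it now receives from the RIGHT subnet; the script below is an added example of those firewall rules and is not part of the thread or of Openswan. It keeps the thread's addresses and the KLIPS interface name (ipsec0 on eth2 from the quoted config); the name of the internet-facing interface, "eth0", is an assumption, since the thread only gives its address 193.198.2.8. The rules are printed rather than applied, so the script can be reviewed on any host; apply_rules pipes them into sh on the gateway itself.

```shell
#!/bin/sh
# Added example for the left gw: forward and NAT the tunnel traffic that
# leftsubnet=0.0.0.0/0 brings in. Not from the thread or from Openswan.
LEFT_SUBNET=192.168.0.0/20       # from the thread
RIGHT_SUBNET=192.168.16.0/20     # from the thread
INET_IP=193.198.2.8              # from the thread
INET_IF=eth0                     # ASSUMED name of the internet interface
TUN_IF=ipsec0                    # KLIPS virtual interface (ipsec0=eth2 in the config)

# Emit the commands as text so they can be inspected (and run by a test)
# without touching the kernel; the RIGHT subnet is NATed only when it
# leaves on the internet interface.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Decrypted packets from RIGHT arrive on $TUN_IF; let them reach LEFT and back
iptables -A FORWARD -i $TUN_IF -s $RIGHT_SUBNET -d $LEFT_SUBNET -j ACCEPT
iptables -A FORWARD -o $TUN_IF -s $LEFT_SUBNET -d $RIGHT_SUBNET -j ACCEPT
# RIGHT to the internet, with only replies allowed back into the tunnel
iptables -A FORWARD -i $TUN_IF -s $RIGHT_SUBNET -o $INET_IF -j ACCEPT
iptables -A FORWARD -i $INET_IF -o $TUN_IF -d $RIGHT_SUBNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT only on the internet interface: tunnel traffic leaves on $TUN_IF and is
# therefore not rewritten, so LEFT<->RIGHT keeps its real addresses
iptables -t nat -A POSTROUTING -s $RIGHT_SUBNET -o $INET_IF -j SNAT --to-source $INET_IP
EOF
}

# Apply on the gateway (needs root); never called by the test
apply_rules() {
    nat_rules | sh
}

# Convenience checks so the rule set can be asserted on without applying it
has_snat() {
    nat_rules | grep -q -- "POSTROUTING -s $RIGHT_SUBNET -o $INET_IF -j SNAT --to-source $INET_IP"
}
snat_count() {
    nat_rules | grep -c -- '-j SNAT'
}
```

The one rule that matters for the question is the POSTROUTING line: binding it to the internet interface is what lets the same gateway pass LEFT<->RIGHT traffic untouched while rewriting the RIGHT subnet's internet traffic to 193.198.2.8, and the reply rule into the tunnel is kept stateful so the internet side cannot open connections toward the RIGHT subnet.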
