[Openswan Users] VPN to connect subnets with openswan and Zyxel Prestige

Andre Mueller andre.mueller at himmel-blau.com
Fri Apr 14 02:41:44 CEST 2006

Hello Paul

Thank you for your response. I was able to solve partially the "routing" 
problem, but there are some questions remaining. In order that both subnets are 
"routed" I added in the firewall the following statement:

iptables --insert forward_ext  -i eth2 -o eth0 -s -d  -j 

Now all connections from the branch office subnet ( toward the main 
office subnet ( are possible but not in the opposite direction. A 
traceroute from within the main office subnet toward the branch office subnet is 
going out directly by the default route e.g. the wan interface eth2 and is not 
routed over the tunnel.

traceroute to (, 64 hops max, 40 byte packets
  1 (  0.664 ms  0.244 ms  0.135 ms (head office gateway LAN 
interface eth0 then to eth2)
  2  62.XX.YY.113 (62.XX.YY.113)  1.684 ms  2.456 ms  1.464 ms

Also some bit confusing, at least to me, is the fact, that all VPN connections 
between both subnets are showing up on the WAN interface eth2. At least in the 
display of the monitoring tool iftop (iftop -i eth2) the VPN connections are 
shown in-between outgoing and incoming connection to the public Internet. Is 
that normal and does it poses a threat to gateway/firewall security?

Paul Wouters wrote:
> On Wed, 12 Apr 2006, Andre Mueller wrote:
>>main office   [   SuSE Gateway      ]     [  Zyxel Prestige 660 ]
>> - = 62.XX.YY.114 ... 212.XX.YY.80 = -
>>LAN           eth0       eth2             wan            eth0       LAN

> Are you using netkey or klips. If using netkey, use interfaces"%defaultroute"

I am using the default openswan package from SuSE 10.1. I can not really say if 
netkey of klips is used as "ipsec verify" tells me that netkey is used :

Linux Openswan U2.4.4/K2.6.16-rc5-git2-2-smp (netkey)
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]

but on the other side the ipsec startup log tells me that klips was started :

Apr 13 23:55:29 gateway ipsec_setup: KLIPS ipsec0 on eth2 
62.XX.YY.114/ broadcast 62.XX.YY.119

> If you mean your one tunnel is not workin:
> check with ipsec verify.
> check that NAT is not natting ipsec packets
> Paul

Finally I have last question. Is there any way with PSK that one VPN side 
(branch office) with a dynamic public IP-Address can be identified by openswan 
with an ID e.g. rightid or something similar? Or is DynDNS the only way to 
establish an identity?

Many thanks in advance and I am asking pardon for my very Newbie questions.

best regards, André

More information about the Users mailing list