[Openswan Users] Cannot ping hosts behind OpenSWAN host

Paul Wouters paul at xelerance.com
Mon Feb 13 23:21:32 CET 2006


On Mon, 13 Feb 2006, Jason Martin wrote:

> Intranet---OpenSWAN machine-- "Public" Windows XP machine
>
> Intranet settings - 192.168.1.0/24
> OpenSWAN settings - eth0: 192.168.1.212; eth1: 1.1.1.1 ("public" interface)
> Windows XP machine - 1.1.1.2
>
> The OpenSWAN and XP machines are directly connected with a crossover cable for
> now. (Maybe this is where my problem is? Should I try this on an established
> network?)

That should work.

> (http://www.natecarlson.com/linux/ipsec-x509.php). I've set up the
> "roadwarrior" and "roadwarrior-net" connections on both machines, as in his
> instructions. Currently, I can connect from the roadwarrior to the OpenSWAN
> after pinging 1.1.1.1 from 1.1.1.2 (it does say "Negotiating IP Security"
> once or twice, then I get ping replies). However, if I try pinging anything
> on the intranet, then I see "Negotiating IP Security", then Request timed
> out.

Check the openswan end. If you see an error, then the roadwarrior-net
connection is wrong. It should be identical to the conn roadwarrior,
except for the entry for leftsubnet=192.168.1.0/24
If the openswan end logs no error, then you are likely not forwarding the
packets to the internal lan. This could be a disabled IP forwarding setting
or a NAT/MASQ/firewall rule that prohibits or mangles packets. Run ipsec
verify to have a look.

> One thing I am confused about is if OpenSWAN handles all NAT traversal and
> knows how to route traffic to the proper interface on its own, or if iptables
> does need to be set up to do ipmasqing, because that appears to be the
> problem, although I've set up basic ipmasqing and it still does not work
> properly.

So far, you are not using nat_traversal yet, so this should not be an issue.
But the only difference would be adding to config setup:
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/24,%v4:192.168.0.0/16;%v4:!192.168.1.0/24

and add to your conns:
	rightsubnet=vhost:%no,%priv


Paul
-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
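As an added example (not code from this thread or from the Openswan project), the script below applies Paul's two checks to an ipsec.conf: the "roadwarrior-net" conn must be identical to "roadwarrior" except for leftsubnet=, and a NAT-T setup needs nat_traversal=yes, a virtual_private that excludes the gateway's own LAN, and rightsubnet=vhost:%no,%priv on each conn. The conn names come from the quoted guide; SAMPLE_CONF is a constructed configuration, and the tolerance for also= inheritance is an assumption about how a reader would keep the two conns in sync.

```python
# Added example, not part of the original thread: a small linter for the
# ipsec.conf layout described in the reply.  Assumes conn names
# "roadwarrior" / "roadwarrior-net" and the constructed SAMPLE_CONF below.
from typing import Dict, List, Optional

Section = Dict[str, str]

# Constructed sample configuration (values invented for illustration).
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/24,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn roadwarrior
    left=1.1.1.1
    leftcert=gateway.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

conn roadwarrior-net
    also=roadwarrior
    leftsubnet=192.168.1.0/24
"""


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Parse ipsec.conf into {section header: {key: value}}.

    Section headers ("config setup", "conn NAME") start in column 0;
    key=value lines are indented; '#' starts a comment."""
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"stray line outside a section: {raw!r}")
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections: Dict[str, Section], name: str) -> Section:
    """Expand also= so inherited settings are visible (local keys win)."""
    conn = dict(sections[f"conn {name}"])
    base_name = conn.pop("also", None)
    if base_name is None:
        return conn
    merged = effective_conn(sections, base_name)
    merged.update(conn)
    return merged


def check_net_conn(sections: Dict[str, Section],
                   base: str = "roadwarrior",
                   net: str = "roadwarrior-net") -> List[str]:
    """Rule 1: the *-net conn must equal the base conn except for leftsubnet."""
    findings: List[str] = []
    a, b = effective_conn(sections, base), effective_conn(sections, net)
    if "leftsubnet" not in b:
        findings.append(f"{net}: missing leftsubnet= (the LAN behind the gateway)")
    for key in sorted(set(a) | set(b)):
        if key == "leftsubnet":
            continue
        if a.get(key) != b.get(key):
            findings.append(
                f"{net}: {key}={b.get(key)!r} differs from {base} ({a.get(key)!r})")
    return findings


def check_nat_traversal(sections: Dict[str, Section],
                        conns=("roadwarrior", "roadwarrior-net")) -> List[str]:
    """Rule 2: the NAT-T settings listed in the reply are all present."""
    findings: List[str] = []
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes not set")
    # virtual_private entries are comma-separated; the gateway's own LAN must
    # be excluded with a '!' entry so a roadwarrior cannot claim one of its IPs.
    entries = [e.strip() for e in setup.get("virtual_private", "").split(",") if e.strip()]
    for name in conns:
        conn = effective_conn(sections, name)
        if conn.get("rightsubnet") != "vhost:%no,%priv":
            findings.append(f"{name}: rightsubnet should be vhost:%no,%priv")
        lan = conn.get("leftsubnet")
        if lan and f"%v4:!{lan}" not in entries:
            findings.append(f"config setup: virtual_private does not exclude {lan}")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for finding in check_net_conn(parsed) + check_nat_traversal(parsed):
        print("WARN:", finding)
    print("done")
```

Running it on the sample prints only "done"; remove the `!192.168.1.0/24` exclusion, or add a key to roadwarrior-net that roadwarrior lacks, and the corresponding warning appears.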

