[Openswan Users] Routing over NAT

Tobias Hadem th at lt-ec.de
Mon Oct 23 09:28:17 EDT 2006


Hello List,

I have a working tunnel to an IPCop gateway, which is also running Openswan, 
but in a rather old version, Openswan 1.0.10rc2. This is unfortunately not 
changeable and I don't think it is a problem, as my problem also occurs on 
other gateways with OS 2.4.6.

The tunnel comes up as said, but routing is not working correctly.

Setup:


Directly connected IPCop:

172.23.0.0/16===xxx.xxx.xxx.xxx---213.221.90.95...213.221.90.95---%any===172.50.0.0/16

Nat-ted Openswan:

172.50.0.0/16===192.168.1.20---192.168.1.1...192.168.1.1---xxx.xxx.xxx.xxx===172.23.0.0/16

I think that is ok, as the NAT-ted Openswan has to be %any in the config and 
it inserts its private IP-space address in the description.

The Openswan machine has two network cards, one with 192.168.1.20 towards the 
NAT router with 192.168.1.1, the other one with 172.50.1.1 into the LAN.

The routing comes up as this:

Openswan:

192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.20
172.50.0.0/16 dev eth0  proto kernel  scope link  src 172.50.1.1
172.23.0.0/16 dev eth1
default via 192.168.1.1 dev eth1


IPCop:

172.50.0.0/16 via 213.221.90.95 dev ipsec0
172.23.0.0/16 dev eth0  proto kernel  scope link  src 172.23.1.16
default via 213.221.90.95 dev ppp0


I think some "src 172.50.1.1" options are missing from the routing on Openswan, 
but if I insert it manually after the tunnel has been established with "ip r 
d 172.23.0.0/16 dev eth1 && ip r a 172.23.0.0/16 dev eth1 proto kernel scope 
link src 172.50.1.1", no ping is possible.

To make it even stranger, pinging and working from the IPCop side works 
flawlessly; I can connect to any host inside the 172.50.0.0/16 space.

Anybody have an idea?

My ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/255.255.0.0,%v4:!172.16.0.0/255.255.0.0,%v4:!192.168.1.0/255.255.255.0,%v4:192.168.100.0/24,%v4:172.23.0.0/16
# Add connections here

conn net-to-net
        left=212.6.250.27
        leftsubnet=172.23.0.0/16
        leftnexthop=%defaultroute
        right=192.168.1.20
        rightsubnet=172.50.0.0/16
        rightnexthop=%defaultroute
        auto=start
        authby=secret



Thanks for any pointer,

Tobi
-- 
--------------------------------------------------------- 
Tobias Hadem                            th at lt-ec.de
LT-ec service & solutions               http://www.lt-ec.de
fon +49 (0)911 97791355                 fax +49 (0)911 97791358
Benno-Strauss-Strasse 5                 D-90763 Fürth/Bay.

new thinking for a new era in Fürth - Berlin - Seattle
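One way to check the suspicion about the missing "src" hint is to work out which source address the gateway's own packets (such as a ping run on the Openswan box) will carry towards the remote subnet, since traffic with a source outside the tunnel's local subnet does not match the IPsec policy. The script below is an added diagnostic example, not code from the original post or from Openswan: it parses the routing table quoted in the mail (embedded here as a constructed sample), picks the longest-prefix route for the remote subnet, and reports the route's src hint or, when there is none, the primary address of the outgoing interface taken from that interface's connected route, plus whether that address lies inside the local tunnel subnet.

```python
import ipaddress

# Constructed sample: the Openswan host's routing table as quoted in the post.
SAMPLE_ROUTES = """\
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.20
172.50.0.0/16 dev eth0  proto kernel  scope link  src 172.50.1.1
172.23.0.0/16 dev eth1
default via 192.168.1.1 dev eth1
"""

def parse_routes(text):
    """Parse `ip route` output into dicts: dst network, dev, src hint, connected flag."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False), "dev": None,
                 "src": None, "link": "link" in fields}
        for i, tok in enumerate(fields):
            if tok == "dev":
                route["dev"] = fields[i + 1]
            elif tok == "src":
                route["src"] = ipaddress.ip_address(fields[i + 1])
        routes.append(route)
    return routes

def pick_route(routes, dst_net):
    """Longest-prefix match for the remote network's first address."""
    candidates = [r for r in routes if dst_net.network_address in r["dst"]]
    return max(candidates, key=lambda r: r["dst"].prefixlen, default=None)

def source_for_tunnel(text, remote_subnet, local_subnet):
    """Return (source_ip, ok): the address the host's own packets to remote_subnet
    carry, and whether it lies inside local_subnet (the IPsec policy's local selector)."""
    routes = parse_routes(text)
    remote, local = ipaddress.ip_network(remote_subnet), ipaddress.ip_network(local_subnet)
    route = pick_route(routes, remote)
    if route is None:
        return None, False
    src = route["src"]
    if src is None:
        # No src hint: the kernel uses the primary address of the outgoing interface,
        # read here from that interface's connected (scope link) route.
        for r in routes:
            if r["dev"] == route["dev"] and r["link"] and r["src"] is not None:
                src = r["src"]
                break
    return src, src is not None and src in local
```

For the quoted table the result is 192.168.1.20, which is outside 172.50.0.0/16; with a src hint of 172.50.1.1 on the 172.23.0.0/16 route the check passes.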