[Openswan Users] VPN is up, routing problem

Ludovic MARCILLY lmarcilly at aressi.fr
Mon Aug 27 10:24:25 EDT 2007 

Hi all,

i have establish a vpn :

Network 1 -- [Linux 1 + Openswan ] ----- [ Linux 2 + Openswan ] -- Network 2

Network 1: 192.168.1.0/24
Linux 1: 192.168.1.1 and 81.23.32.137 gateway 81.23.32.136
Linux 2: 192.168.2.1 and 81.23.32.139 gateway 81.23.32.136
Network 2: 192.168.2.0/24

Here is one ipsec.conf:

version 2

config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	uniqueids=yes
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/255.255.255.0,%v4:!10.0.0.0/255.0.0.0,%v4:!192.168.1.0/255.255.255.0,%v4:!172.16.1.0/255.255.0.0,%v4:!192.168.2.0/255.255.255.0

conn %default
	keyingtries=0
	disablearrivalcheck=no

conn TestVPNNSNS
	left=81.23.32.139
	leftnexthop=%defaultroute
	leftsubnet=192.168.2.0/255.255.255.0
	right=81.23.32.137
	rightsubnet=192.168.1.0/255.255.255.0
	rightnexthop=%defaultroute
	ike=aes128-sha-modp1024
	esp=aes128-sha1
	ikelifetime=1h
	keylife=8h
	dpddelay=30
	dpdtimeout=120
	dpdaction=hold
	authby=secret
	auto=start

conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore


In my logs, i can see "Ipsec SA established" but i can't ping 192.168.1.0/24 networks computers from 192.168.2.0/24 network.

Here is the routing table on Linux 2:

81.23.32.136 0.0.0.0      255.255.255.248 U  0 0 0 eth2
192.168.2.0  0.0.0.0      255.255.255.0   U  0 0 0 eth0
192.168.1.0  81.23.32.138 255.255.255.0   UG 0 0 0 eth2
10.0.0.0     0.0.0.0      255.0.0.0       U  0 0 0 eth1
0.0.0.0      81.23.32.138 0.0.0.0         UG 0 0 0 eth2

I don't paste here the routing table of Linux 1 since it is almost the same thing. (it the same thing for ipsec.conf).

If i add a route which tell that gateway to reach 192.168.1.0/24 network is 81.23.32.137, it works well but i don't want to add the route manually.

Is there any solution to solve my problem ?

Thanks a lot in advance.
Best regards,

Ludovic MARCILLY

More information about the Users mailing list