[Openswan Users] Re-4: VPN is up, routing problem

Peter McGill petermcgill at goco.net
Tue Aug 28 10:04:39 EDT 2007


Allow me to suggest something.
Looking back at your original message, your network is as follows:

> Network 1 -- [Linux 1 + Openswan ] ----- [ Linux 2 + Openswan ] -- Network 2
> 
> Network 1: 192.168.1.0/24
> Linux 1: 192.168.1.1 and 81.23.32.137 gateway 81.23.32.136
> Linux 2: 192.168.2.1 and 81.23.32.139 gateway 81.23.32.136
> Network 2: 192.168.2.0/24

> conn TestVPNNSNS
> 	left=81.23.32.139
> 	leftnexthop=%defaultroute
> 	leftsubnet=192.168.2.0/255.255.255.0
> 	right=81.23.32.137
> 	rightsubnet=192.168.1.0/255.255.255.0
> 	rightnexthop=%defaultroute

> Here is the routing table on Linux 2:
> 
> 81.23.32.136 0.0.0.0      255.255.255.248 U  0 0 0 eth2
> 192.168.2.0  0.0.0.0      255.255.255.0   U  0 0 0 eth0
> 192.168.1.0  81.23.32.138 255.255.255.0   UG 0 0 0 eth2
> 10.0.0.0     0.0.0.0      255.0.0.0       U  0 0 0 eth1
> 0.0.0.0      81.23.32.138 0.0.0.0         UG 0 0 0 eth2

The 192.168.1.0/24 route via 81.23.32.138 is added by openswan as part of the VPN setup.
This is normal; it comes from the conf, rightsubnet and *nexthop.
Your *nexthop is set to %defaultroute, so it is taken from your default route, which is:
0.0.0.0/0 81.23.32.138
This is normal and correct for most VPN setups which connect over the internet.
But it looks like you're testing locally with your own public IPs at one site:
81.23.32.136/29
So the *nexthop is not your internet gateway in this case, since your openswans are on the same network.
They communicate directly, so I suggest these changes to your confs:

conn TestVPNNSNS
	left=81.23.32.139
	leftnexthop=81.23.32.139
	leftsubnet=192.168.2.0/255.255.255.0
	right=81.23.32.137
	rightsubnet=192.168.1.0/255.255.255.0
	rightnexthop=81.23.32.137

That might do the trick for you, but when you set up a VPN over the internet, go back to the normal method.

Peter McGill
 
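As an added example (my own code, not from this thread or from the Openswan project), here is a Python script that works through the reasoning above: it parses the `route -n` output quoted for Linux 2, resolves `%defaultroute` to the gateway of the default route, derives the route openswan installs (the remote subnet via the local nexthop), confirms that route is the one in the quoted table, and flags the situation described above, where the peer sits on a directly connected network yet the nexthop points at the default gateway. The routing table and conn values are copied from the quoted message; the function names and the warning text are mine.

```python
import ipaddress

# Constructed from the thread: the routing table quoted for "Linux 2" (route -n format),
# including the 192.168.1.0/24 entry that openswan added when the tunnel came up.
ROUTE_TABLE = """\
81.23.32.136 0.0.0.0      255.255.255.248 U  0 0 0 eth2
192.168.2.0  0.0.0.0      255.255.255.0   U  0 0 0 eth0
192.168.1.0  81.23.32.138 255.255.255.0   UG 0 0 0 eth2
10.0.0.0     0.0.0.0      255.0.0.0       U  0 0 0 eth1
0.0.0.0      81.23.32.138 0.0.0.0         UG 0 0 0 eth2
"""

# The conn TestVPNNSNS as posted, as a plain dict.
CONN = {
    "left": "81.23.32.139",
    "leftnexthop": "%defaultroute",
    "leftsubnet": "192.168.2.0/255.255.255.0",
    "right": "81.23.32.137",
    "rightsubnet": "192.168.1.0/255.255.255.0",
    "rightnexthop": "%defaultroute",
}


def parse_routes(text):
    """Parse route -n style lines into dicts of network, gateway (None if on-link), iface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gateway, mask, flags, *_, iface = parts
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": None if gateway == "0.0.0.0" else ipaddress.ip_address(gateway),
            "iface": iface,
        })
    return routes


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0 entry, i.e. what %defaultroute expands to."""
    for r in routes:
        if r["net"].prefixlen == 0 and r["gateway"] is not None:
            return r["gateway"]
    return None


def connected_network(routes, addr):
    """Directly connected network (entry without a gateway) containing addr, or None."""
    addr = ipaddress.ip_address(addr)
    for r in routes:
        if r["gateway"] is None and addr in r["net"]:
            return r["net"]
    return None


def resolve_nexthop(conn, side, routes):
    """Expand %defaultroute for the given side ('left' or 'right')."""
    value = conn[side + "nexthop"]
    if value == "%defaultroute":
        return default_gateway(routes)
    return ipaddress.ip_address(value)


def expected_vpn_route(conn, local_side, routes):
    """Route openswan adds on local_side: the remote subnet via the local nexthop."""
    remote = "right" if local_side == "left" else "left"
    subnet = ipaddress.ip_network(conn[remote + "subnet"])
    return str(subnet), str(resolve_nexthop(conn, local_side, routes))


def route_installed(routes, subnet, gateway):
    """True if the table carries exactly that subnet via that gateway."""
    subnet = ipaddress.ip_network(subnet)
    gateway = ipaddress.ip_address(gateway)
    return any(r["net"] == subnet and r["gateway"] == gateway for r in routes)


def nexthop_warning(conn, local_side, routes):
    """Warn when the peer is on a connected network but the nexthop is the default gateway."""
    remote = "right" if local_side == "left" else "left"
    peer = ipaddress.ip_address(conn[remote])
    onlink = connected_network(routes, peer)
    nexthop = resolve_nexthop(conn, local_side, routes)
    if onlink is not None and nexthop == default_gateway(routes):
        return (f"peer {peer} is on the directly connected network {onlink}, "
                f"but nexthop {nexthop} is the default gateway")
    return None


if __name__ == "__main__":
    # Linux 2 is 81.23.32.139, i.e. the "left" side of the posted conn.
    routes = parse_routes(ROUTE_TABLE)
    subnet, via = expected_vpn_route(CONN, "left", routes)
    print(f"openswan installs {subnet} via {via}; present in table: {route_installed(routes, subnet, via)}")
    print(nexthop_warning(CONN, "left", routes))
```

Run as-is it reports the 192.168.1.0/24 via 81.23.32.138 route and the warning; with a peer address outside 81.23.32.136/29 (the normal over-the-internet case) the warning is None.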

> -----Original Message-----
> From: users-bounces at www.openswan.org 
> [mailto:users-bounces at www.openswan.org] On Behalf Of Ludovic MARCILLY
> Sent: August 28, 2007 3:58 AM
> To: users at www.openswan.org
> Subject: [Openswan Users] Re-4: VPN is up, routing problem
> 
> Ok, thanks for your answer.
> 
> 
> > On Mon, 27 Aug 2007, Ludovic MARCILLY wrote:
> > 
> > > Yes I know, but the route for 192.168.1.0/24 subnet is added when vpn is up.
> > > Why does it add this route?
> > 
> > To catch packets when using KLIPS instead of NETKEY.
> > 
> > Paul
> 
> I'm using netkey, so I have to change my updown script to delete the route?
> 
> Thanks in advance.
> 
> Ludovic.
> 
> To: paul at xelerance.com
> Cc: users at openswan.org
> 
> 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
