[Openswan Users] Local router unable to send packets to remote LAN

Peter McGill petermcgill at goco.net
Thu Dec 20 10:34:25 EST 2007


Openswan only routes through the tunnel the traffic in specified subnets.
So if you have leftsubnet=192.168.0.0/24 and rightsubnet=192.168.1.0/24,
then traffic from your router will not use the tunnel, because it
originates from 1.2.3.4 not 192.168.0.0/24. This is normal behaviour.

However, if you add, for example, leftsourceip=192.168.0.1 to your conn
(assuming you're using left for local), then that should use your LAN IP
for communications from your router to your remote subnet, thereby
encrypting your router traffic to the subnet through your IPsec tunnel.

Peter McGill
 

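To make the behaviour above concrete, here is an added example (not from this thread or from Openswan itself) that models the kernel's source-address choice against the routing table Steve posted and then checks the result against the conn's leftsubnet/rightsubnet selectors. Two details are modelled as I understand them, not taken from the page: leftsourceip= causing Openswan's _updown script to install the rightsubnet route with a `src` hint, and `ping -I eth0` making Linux treat the destination as on-link via that interface when no route matches there.

```python
import ipaddress
# Routing table as posted in the original message (embedded here as sample input).
ROUTES = """
1.2.3.0/24 dev eth2 proto kernel scope link src 1.2.3.4
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
192.168.1.0/24 via 1.2.3.1 dev eth2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 1.2.3.1 dev eth2
"""
IFACE_ADDR = {"eth0": "192.168.0.1", "eth2": "1.2.3.4"}  # from the connected routes
LEFTSUBNET, RIGHTSUBNET = "192.168.0.0/24", "192.168.1.0/24"  # the conn's selectors

def parse_routes(text):
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        prefix = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        src = f[f.index("src") + 1] if "src" in f else None
        routes.append((prefix, f[f.index("dev") + 1], src))
    return routes

def with_leftsourceip(routes, sourceip):
    # Assumed model of leftsourceip=: Openswan's _updown installs the route to
    # rightsubnet with 'src <leftsourceip>', so the kernel prefers that address.
    net = ipaddress.ip_network(RIGHTSUBNET)
    return [(p, dev, sourceip if p == net else src) for p, dev, src in routes]

def pick_source(routes, dst, oif=None):
    # Longest-prefix match -> (dev, source). oif models 'ping -I eth0': with no
    # route on that device, Linux treats dst as on-link there and uses its address.
    d = ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r[0] and (oif is None or r[1] == oif)]
    if not hits:
        return (oif, IFACE_ADDR[oif]) if oif else (None, None)
    _, dev, src = max(hits, key=lambda r: r[0].prefixlen)
    return dev, src or IFACE_ADDR[dev]

def tunnel_matches(src, dst):
    # IPsec policy (SPD) selector: both ends must lie inside leftsubnet/rightsubnet.
    return (ipaddress.ip_address(src) in ipaddress.ip_network(LEFTSUBNET)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(RIGHTSUBNET))

def router_sends(dst, oif=None, leftsourceip=None):
    """Return (source address the router picks, whether the packet enters the tunnel)."""
    routes = parse_routes(ROUTES)
    if leftsourceip:
        routes = with_leftsourceip(routes, leftsourceip)
    _, src = pick_source(routes, dst, oif)
    return src, tunnel_matches(src, dst)
```

Calling `router_sends("192.168.1.1")` gives the public IP and no tunnel match, while `oif="eth0"` or `leftsourceip="192.168.0.1"` both yield the LAN address and a match, which is exactly the difference Steve observed.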
> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of lists
> Sent: December 20, 2007 8:27 AM
> To: users at openswan.org
> Subject: [Openswan Users] Local router unable to send packets 
> to remote LAN
> 
> Hi All,
> 
> I've recently configured an IPsec VPN between my OpenSUSE 10.2 router
> firewall running shorewall 3.4.4 and a friend's Draytek Vigor 2930 ADSL
> modem/router/firewall. All is good other than my router can't ping
> anything on my friend's (remote) LAN; however, machines on my (local) LAN
> behind the local firewall can ping machines on the remote LAN without
> problem.
> 
> The routing table on the router looks like this:
> 
>       1.2.3.0/24 dev eth2 proto kernel scope link src 1.2.3.4
>       10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
>       192.168.1.0/24 via 1.2.3.1 dev eth2
>       192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
>       169.254.0.0/16 dev eth0 scope link
>       127.0.0.0/8 dev lo scope link
>       default via 1.2.3.1 dev eth2
> 
> Where:
> 1.2.3.4 is my public IP
> 1.2.3.1 is my ISP router at the other end of my ADSL line
> 192.168.0.0/24 is the local LAN
> 192.168.1.0/24 is the remote LAN
> eth0 is the internal interface
> eth2 is the external interface
> 
> If I "ping 192.168.1.1 -I eth0" to force ping requests via the local
> interface I get responses from the remote address. This also works for
> any other live IP on the remote LAN. This proves that it's technically
> possible to access the remote LAN from my router.
> 
> If I delete the route to the remote LAN via eth2 (external NIC) and add
> a new one via the internal NIC then no machines on my local LAN can
> access the remote LAN. It basically screws the VPN.
> 
> I use shorewall for firewall/routing duties and have tried disabling it
> but it made no difference.
> 
> I also added what I think are the correct entries to
> /etc/racoon/setkey.conf but that didn't make any difference.
> 
> It seems like I need to force all packets destined for the remote LAN
> that originate on the local router to go via the internal NIC instead of
> going via the external NIC. Is that possible? And if so, how?
> 
> Also, would anyone happen to know if this is normal behaviour? I've
> configured IPsec VPNs (using FreeS/WAN) under 2.4 in the past and never
> had this problem. However, under 2.4 I'm sure the routing table was
> different because there was an ipsec0 interface involved, thus simplifying
> the routing table. Well, it might not have simplified it per se, but it
> would be a lot easier to direct packets for the remote LAN via an
> interface designed specifically to pick up and push packets for the
> remote LAN.
> 
> What am I missing?
> 
> Kind regards,
> 
> Steve.
> 
