[Openswan Users] Local router unable to send packets to remote LAN

lists lists at higgers.me.uk
Thu Dec 20 15:56:10 EST 2007

Of course! It's so obvious when it's explained well! :-)

Many many thanks for telling me how to fix the problem Peter.


Peter McGill wrote:
> Openswan only routes through the tunnel the traffic in specified subnets.
> So if you have leftsubnet= and rightsubnet=,
> then traffic from your router will not use the tunnel, because it
> originates from not This is normal behaviour.
> However, if you add for example leftsourceip= to your conn.
> Assuming you're using left for local, then that should use your LAN ip
> for communications from your router to your remote subnet. Thereby
> encrypting your router traffic to the subnet through your IPSec tunnel.
> Peter McGill
>> -----Original Message-----
>> From: users-bounces at openswan.org 
>> [mailto:users-bounces at openswan.org] On Behalf Of lists
>> Sent: December 20, 2007 8:27 AM
>> To: users at openswan.org
>> Subject: [Openswan Users] Local router unable to send packets 
>> to remote LAN
>> Hi All,
>> I've recently configured an IPsec VPN between my OpenSUSE 10.2 router
>> firewall running shorewall 3.4.4 and a friend's Draytek Vigor 2930 ADSL
>> modem/router/firewall. All is good other than my router can't ping
>> anything on my friend's (remote) LAN, however machines on my (local) LAN
>> behind the local firewall can ping machines on the remote LAN without
>> problem.
>> The routing table on the router looks like this:
>> dev eth2 proto kernel scope link src
>> dev eth2 proto kernel scope link src
>> via dev eth2
>> dev eth0 proto kernel scope link src
>> dev eth0 scope link
>> dev lo scope link
>> default via dev eth2
>> Where:
>> is my public IP
>> is my ISP router at the other end of my ADSL line
>> is the local LAN
>> is the remote LAN
>> eth0 is the internal interface
>> eth2 is the external interface
>> If I "ping -I eth0" to force ping requests via the local
>> interface I get responses from the remote address. This also works for
>> any other live IP on the remote LAN. This proves that it's technically
>> possible to access the remote LAN from my router.
>> If I delete the route to the remote LAN via eth2 (external NIC) and add
>> a new one via the internal NIC then no machines on my local LAN can
>> access the remote LAN. It basically screws the VPN.
>> I use shorewall for firewall/routing duties and have tried disabling it
>> but it made no difference.
>> I also added what I think are the correct entries to
>> /etc/racoon/setkey.conf but that didn't make any difference.
>> It seems like I need to force all packets destined for the remote LAN
>> that originate on the local router to go via the internal NIC instead of
>> going via the external NIC. Is that possible? And if so, how?
>> Also, would anyone happen to know if this is normal behaviour? I've
>> configured IPsec VPNs (using FreeS/WAN) under 2.4 in the past and never
>> had this problem. However, under 2.4 I'm sure the routing table was
>> different because there was an ipsec0 interface involved, thus simplifying
>> the routing table. Well, it might not have simplified it per se, but it
>> would have made it a lot easier to direct packets for the remote LAN via an
>> interface designed specifically to pick up and push packets for the
>> remote LAN.
>> What am I missing?
>> Kind regards,
>> Steve.
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
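The behaviour Peter describes, modelled as an added example (not code from the thread or from Openswan itself): an IPsec policy only matches a packet whose source and destination both fall inside the negotiated selectors (leftsubnet/rightsubnet), so a packet the router generates itself, sourced from its public interface address, goes out in the clear, while the same packet sourced from a LAN address (which is what leftsourceip= arranges, and what `ping -I eth0` forced by hand) is encrypted. All subnets and addresses below are constructed placeholders, since the real values were stripped from the thread; the `Conn` class and the helper names are this example's own.

```python
"""Added example: why router-originated traffic missed the Openswan tunnel.

Selector matching is what the kernel's IPsec policy database does: a packet
is only steered into the tunnel if src is in leftsubnet and dst is in
rightsubnet.  leftsourceip= is a real Openswan conn option; everything else
here (Conn, tunnel_policy, router_source, classify, render_conn) is
illustrative code written for this explanation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """The subset of an Openswan conn relevant to selector matching."""
    name: str
    leftsubnet: ipaddress.IPv4Network
    rightsubnet: ipaddress.IPv4Network
    leftsourceip: Optional[ipaddress.IPv4Address] = None


def tunnel_policy(conn: Conn, src: str, dst: str) -> bool:
    """True if a packet src -> dst falls inside the conn's selectors,
    i.e. the kernel would apply the IPsec policy and encrypt it."""
    return (ipaddress.ip_address(src) in conn.leftsubnet
            and ipaddress.ip_address(dst) in conn.rightsubnet)


def router_source(conn: Conn, route_src: str, dst: str) -> ipaddress.IPv4Address:
    """Source address the router itself would stamp on a packet to dst.

    route_src is what the routing table would pick (the public address on
    the external NIC in the thread).  With leftsourceip set, Openswan makes
    the kernel prefer that LAN address for destinations in rightsubnet."""
    if conn.leftsourceip is not None and ipaddress.ip_address(dst) in conn.rightsubnet:
        return conn.leftsourceip
    return ipaddress.ip_address(route_src)


def classify(conn: Conn, route_src: str, dst: str) -> str:
    """'encrypted' if router-originated traffic to dst would use the tunnel."""
    src = router_source(conn, route_src, dst)
    return "encrypted" if tunnel_policy(conn, str(src), dst) else "cleartext"


def render_conn(conn: Conn) -> str:
    """Render the conn as ipsec.conf lines (only the selector-related keys)."""
    lines = [f"conn {conn.name}",
             f"    leftsubnet={conn.leftsubnet}",
             f"    rightsubnet={conn.rightsubnet}"]
    if conn.leftsourceip is not None:
        lines.append(f"    leftsourceip={conn.leftsourceip}")
    return "\n".join(lines)


# Constructed placeholders: local LAN, remote LAN, router public address.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")
PUBLIC_IP = "203.0.113.10"
LAN_IP = ipaddress.ip_address("192.168.1.1")

BROKEN = Conn("friend", LOCAL_LAN, REMOTE_LAN)
FIXED = Conn("friend", LOCAL_LAN, REMOTE_LAN, leftsourceip=LAN_IP)

if __name__ == "__main__":
    for conn in (BROKEN, FIXED):
        print(render_conn(conn))
        print("  router -> remote host:", classify(conn, PUBLIC_IP, "192.168.2.5"))
        print("  router -> internet   :", classify(conn, PUBLIC_IP, "198.51.100.7"))
```

On a real box the equivalent check is `ip route get <remote-LAN-host>`, which prints the `src` address the kernel would choose for router-originated traffic, and `ip xfrm policy`, which lists the installed selectors; if the `src` shown is not inside the left selector, the packet will bypass the tunnel exactly as in the thread.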
