[Openswan Users] SOLUTION - Clients in the right network are OK but packets from right server misroute

Augusto Pizarro augusto.pizarro at siemconsub.com.br
Wed Feb 7 14:32:48 EST 2007


Thanks,

The solution is below:

When viewing the results of "ip route show" the problem was clear to
me.

-------------------------------------
From the Right server:
10.20.0.0/16 dev ipsec0 scope link src 192.168.200.100

In the Left Server
10.210.21.0/24 dev ipsec0 scope link src 200.178.78.2
--------------------------------------

Then I tried:
-----------------------------
In the Right Server
ip route change 10.20.0.0/16 dev ipsec0 scope link src 10.210.21.1

In the Left Server
ip route change 10.210.21.0/24 dev ipsec0 scope link src 10.20.10.60
---------------------------

YEAH!!!!! IT WORKED!!! Now every packet out of eth0, even the server's
own packets, is encrypted.

Then I tried "rightsourceip" and "leftsourceip". But
"rightsourceip" must be the INTERNAL IP of the Right Server, and
"leftsourceip" must be the INTERNAL IP of the Left Server. "init 6" on all
servers and everything went right with only one tunnel.

Thanks!

On Wed, 2007-02-07 at 12:17, Paul Wouters wrote:

> On Wed, 7 Feb 2007, Augusto Pizarro wrote:
> 
> > Server                                            Left
> > Server                                Left Network
> > 10.210.21.0------10.210.21.1/192.168.200.100
> > ---(internet)---200.178.78.1/10.20.10.60-----10.20.0.0
> >                              eth1
> > eth0                                         eth0                 eth1
> 
> > SUMMARIZING: The Right clients are OK but the Right server itself DOESN'T!!!
> > Really stupid!!
> 
> Try using leftsourceip=
> 
> > In IPTRAF I can see "ICMP dest unrch from 10.210.21.1 to
> > 10.210.21.1 on lo" in the Right Server when trying to ping the Left
> > Server.
> 
> I am not sure how you can not reach 10.210.21.1 from 10.210.21.1. If
> your logs show some error with the "ip route add" command, you might
> need to explicitly set a leftnexthop= value.
> 
> > Maybe I have to create another tunnel just for the traffic from the
> > server to the Left Network.
> 
> If you specify leftsourceip/rightsourceip, that is not needed. Else
> you are correct, and would need to add a host-net, net-host, and host-host
> tunnel.
> 
> Paul

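The diagnosis above was done by eye: the route towards the remote subnet over ipsec0 carried the gateway's outside address as its preferred source, so packets the gateway itself generated left with that address and missed the net-to-net tunnel. The following POSIX shell script is an added example (not code from the original post, and not part of Openswan) that performs the same check over `ip route show` output and prints the corrective `ip route change` command in the form used in the thread. The interface name ipsec0 and the addresses are taken from the thread; the two sample route lines are constructed to reproduce the "before" and "after" state of the Right server.

```shell
#!/bin/sh
# Added example, not from the original post: audit the kernel routes that
# send traffic into the Openswan tunnel interface (ipsec0 in the thread) and
# flag any route whose preferred source address is not inside the local
# protected subnet. Locally generated packets pick that src, so an outside
# address there means the gateway's own traffic misses the tunnel policy.

# ip2int DOTTED_QUAD -> 32-bit integer on stdout
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR -> exit status 0 if ADDR lies inside CIDR (prefix 1..32)
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_route "ROUTE LINE" LOCAL_SUBNET INTERNAL_IP
#   ROUTE LINE  : one line of `ip route show` for the tunnel interface
#   LOCAL_SUBNET: the subnet this gateway protects (its leftsubnet/rightsubnet)
#   INTERNAL_IP : the gateway's own address inside that subnet
# Prints "ok" when the route's src is inside LOCAL_SUBNET; otherwise prints
# the corrective command and returns 1. Returns 2 on an inconsistent request.
check_route() {
    line=$1 local_net=$2 internal_ip=$3
    dst=${line%% *}
    dev=$(printf '%s\n' "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's/.* src \([0-9.]*\).*/\1/p')
    if ! in_subnet "$internal_ip" "$local_net"; then
        echo "error: $internal_ip is not inside $local_net"
        return 2
    fi
    if [ -n "$src" ] && in_subnet "$src" "$local_net"; then
        echo "ok"
        return 0
    fi
    echo "ip route change $dst dev $dev scope link src $internal_ip"
    return 1
}

# Constructed sample lines: the Right server's route before and after the fix.
RIGHT_BEFORE='10.20.0.0/16 dev ipsec0 scope link src 192.168.200.100'
RIGHT_AFTER='10.20.0.0/16 dev ipsec0 scope link src 10.210.21.1'

for r in "$RIGHT_BEFORE" "$RIGHT_AFTER"; do
    check_route "$r" 10.210.21.0/24 10.210.21.1 || echo "  (route needs fixing)"
done
```

On a live gateway, feed it the real table with `ip route show | grep ' dev ipsec0 ' | while read -r l; do check_route "$l" 10.210.21.0/24 10.210.21.1; done` (note that `ip route show dev ipsec0` omits the `dev` field from its output, so filter with grep instead). The `ip route change` it prints is the one-off repair; the persistent fix, as the thread concludes, is `leftsourceip=`/`rightsourceip=` set to each gateway's internal address so that Openswan installs the route with that src itself.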
