[Openswan Users] Could I expect this to work in my LAN
Brett Curtis
dashnu.mutt at gmail.com
Thu Feb 8 15:51:32 EST 2007
Paul,
It is working fine. That conn I showed was all screwed up because I was
testing inside my LAN.
Here is my working conn to nail up my two subnets.
tcpdump shows all traffic like so:
15:44:09.203303 IP port-63-XX-XX-XX.bar.net >
defender.domain.net: ESP(spi=0x72d1a053,seq=0x6), length 132
conn portland-knowtech
type=tunnel
authby=rsasig
left=63.XX.XX.XX
leftsubnet=172.18.187.0/24
leftid=@knowtech.bar.net
leftrsasigkey=0sAQPTzMXXXXXXXXXXXXXXXXXX
leftnexthop=%defaultroute
right=24.XX.XX.XX
rightsubnet=172.17.187.0/24
rightid=@port.foo.net
rightrsasigkey=0sAQNrXXXXXXXXXXXXXXXX
rightnexthop=%defaultroute
rekey=yes
auto=add
My network...
[172.17.187.0/24] -eth1- [PORTLAND OPENSWAN] eth0 <----INTERNET----> eth0 [KNOWTECH OPENSWAN] -eth1- [172.18.187.0/24]
However, I can only ping hosts from inside the LAN; the gateways will not talk
back and forth via internal IPs. I am going to check out left & rightsrcip
you mentioned in another post. Should these be my internal IPs or external?
Thanks
On 21:28 Thu 08 Feb , Paul Wouters wrote:
> On Thu, 8 Feb 2007, Brett Curtis wrote:
>
> > I was actually able to test this conn with an external machine. Works fine.
> > Only thing I had to change was my firewall masquerade line to exclude the
> > remote subnet, and vice versa.
>
> I doubt traffic is getting encrypted. If hosts know where to find 172.17.187.1
> then they also know how to find 172.17.187.0/24, and won't use the ipsec tunnel.
>
> > On 13:49 Thu 08 Feb , Brett Curtis wrote:
> > > I am testing a conn currently inside my LAN. This is the config
> > >
> > > conn portland-tenn
> > > type=tunnel
> > > authby=rsasig
> > > left=172.17.187.225
> > > leftsubnet=172.19.187.0/24
> > > leftid=@tenn.remote.net
> > > leftrsasigkey=0sAQOdXXXXXXXXXXXXXXXX
> > > leftnexthop=%defaultroute
> > > right=172.17.187.1
> > > rightsubnet=172.17.187.0/24
> > > rightid=@port.local.net
> > > rightrsasigkey=0sAQNXXXXXXXXXXXXXXXXXX
> > > rightnexthop=%defaultroute
> > > rekey=yes
> > > auto=add
> > >
> > > I use the same conn for both sides. What I am hoping for is the ability to
> > > ping 172.19.187.1 from right. I can not. The connection starts up fine but I
> > > do not see any added routes in my routing table.
> > >
> > > Do I need to add my own routes? Or am I just way off thinking this will work?
> > >
> > > Eventually this machine will be external and from each subnet I will want to
> > > reach the other subnet over the tunnel.
> > >
> > > TIA
> > > --
> > >
> > > Created with VIM & mutt.
> > >
> > > "First things first -- but not necessarily in that order"
> > > -- The Doctor, "Doctor Who"
> >
> >
>
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
--
Created with VIM & mutt.
<cesarb> Damn, every time I spawn, qf-client-x11 locks hard
<Zoid> Don't die?
<Knghtbrd> good incentive.
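Added example (not part of the thread, and not Openswan's own code): a small sanity checker for ipsec.conf-style conn sections that catches the pitfall Paul describes, a tunnel endpoint sitting inside the subnet it is supposed to reach, plus two related checks (overlapping subnets, and leftsourceip/rightsourceip outside its own side's subnet; Openswan uses leftsourceip/rightsourceip as the internal address the gateway itself uses when it sends into the tunnel, so it belongs inside that side's subnet). The sample config is constructed: the masked public addresses from the thread are replaced with TEST-NET placeholders (203.0.113.10, 198.51.100.20) and the sourceip lines are an assumption added for illustration.

```python
"""Sanity-check Openswan 'conn' sections for the LAN-testing pitfall discussed above."""
import ipaddress
import re

# Constructed sample: the two conns from the thread. Public addresses are
# TEST-NET placeholders; the *sourceip lines are an illustrative assumption.
SAMPLE_CONF = """
conn portland-knowtech
    type=tunnel
    authby=rsasig
    left=203.0.113.10
    leftsubnet=172.18.187.0/24
    leftid=@knowtech.bar.net
    leftsourceip=172.18.187.1
    leftnexthop=%defaultroute
    right=198.51.100.20
    rightsubnet=172.17.187.0/24
    rightid=@port.foo.net
    rightsourceip=172.17.187.1
    rightnexthop=%defaultroute
    rekey=yes
    auto=add

conn portland-tenn
    type=tunnel
    authby=rsasig
    left=172.17.187.225
    leftsubnet=172.19.187.0/24
    leftid=@tenn.remote.net
    leftnexthop=%defaultroute
    right=172.17.187.1
    rightsubnet=172.17.187.0/24
    rightid=@port.local.net
    rightnexthop=%defaultroute
    rekey=yes
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (key=value lines)."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def _side(conn, side):
    """Parse (gateway address, subnet) for 'left' or 'right'; %-keywords count as no address."""
    gw = conn.get(side)
    net = conn.get(side + "subnet")
    addr = ipaddress.ip_address(gw) if gw and not gw.startswith("%") else None
    network = ipaddress.ip_network(net, strict=False) if net else None
    return addr, network


def check_conn(name, conn):
    """Return a list of findings for one conn; an empty list means it looks sane."""
    findings = []
    try:
        lgw, lnet = _side(conn, "left")
        rgw, rnet = _side(conn, "right")
    except ValueError as exc:
        return [f"{name}: unparsable address or subnet ({exc})"]

    # 1. An endpoint located inside the *remote* subnet is the LAN-test setup:
    #    that host already reaches the remote subnet directly, so the IPsec
    #    policy never matches and nothing goes through the tunnel.
    if lgw is not None and rnet is not None and lgw in rnet:
        findings.append(f"{name}: left={lgw} is inside rightsubnet={rnet}; traffic will bypass the tunnel")
    if rgw is not None and lnet is not None and rgw in lnet:
        findings.append(f"{name}: right={rgw} is inside leftsubnet={lnet}; traffic will bypass the tunnel")

    # 2. Overlapping subnets cannot be distinguished by a single tunnel policy.
    if lnet is not None and rnet is not None and lnet.overlaps(rnet):
        findings.append(f"{name}: leftsubnet={lnet} overlaps rightsubnet={rnet}")

    # 3. A sourceip should be an address inside that side's own subnet.
    for side, net in (("left", lnet), ("right", rnet)):
        src = conn.get(side + "sourceip")
        if src and net is not None:
            try:
                if ipaddress.ip_address(src) not in net:
                    findings.append(f"{name}: {side}sourceip={src} is not inside {side}subnet={net}")
            except ValueError:
                findings.append(f"{name}: {side}sourceip={src} is not a valid address")
    return findings


def check_all(text):
    """Run check_conn over every conn in the text; returns {conn_name: [findings]}."""
    return {name: check_conn(name, conn) for name, conn in parse_conns(text).items()}


if __name__ == "__main__":
    for conn_name, issues in check_all(SAMPLE_CONF).items():
        print(conn_name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run as-is it reports the site-to-site conn as clean and flags the LAN test conn, where left=172.17.187.225 sits inside rightsubnet=172.17.187.0/24. Point it at a real /etc/ipsec.conf by reading the file into `check_all`; it only understands the flat `key=value` subset shown here, not `also=` or `%` macros.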