[Openswan Users] one way tunnel
Bruce Ferrell
bferrell at baywinds.org
Thu Jun 21 10:15:44 EDT 2007
Peter McGill wrote:
>>-----Original Message-----
>>Date: Wed, 20 Jun 2007 09:37:54 -0700
>>From: Bruce Ferrell <bferrell at baywinds.org>
>>Subject: [Openswan Users] one way tunnel
>>To: users at openswan.org
>>
>>I'm new to openswan and I've been digging through the available
>>documentation for the last week for a problem that is making me nuts.
>>
>>I'm trying to do a subnet-subnet tunnel and can ping from the right subnet to
>>the left subnet, but I can't ping from the left to the right. Is there
>>something wrong in the config below?
>>
>>Thanks in advance
>>
>>conn NYCPOP
>> auth=esp
>> authby=secret
>> auto=start
>> esp=3des-sha1
>> ike=3des-sha1
>> keyexchange=ike
>> keyingtries=0
>> left=66.92.17.98
>> leftid=@bruce
>> leftsubnet=192.0.2.0/24
>> pfs=no
>> right=64.74.247.1
>> rightid=@0006B138EF44
>> rightsubnet=192.168.10.0/24
>> type=tunnel
>
>
> Are you sure your leftsubnet is 192.0.2.0/24? 192.168.2.0/24 makes more sense.
>
> Otherwise, it looks fine. Tunnels work both ways, so I would guess you likely
> have a firewall problem dropping the packets.
> Make sure you have firewall rules in iptables to allow the
> private traffic from the other site.
>
> Do you have openswan on both sides or just one side?
> If one which side and what is on the other side?
>
> Are you pinging from a host on the subnet or from the ipsec router?
> If from the router add leftsourceip=192.0.2.? (router lan ip.) and
> rightsourceip=192.168.10.? (other router lan ip)
>
> ipsec --version should tell you if you're using klips or netkey (native
> ipsec in the kernel). You need to know this because the firewall rules
> differ depending on which.
>
> Be sure to add FORWARD and possibly INPUT rules for -s 192.0.2.0/24 (or 192.168.2.0/24).
>
> Peter
Only one side is openswan. The other is a SonicWALL firewall appliance.
ipsec --version says I'm using netkey. What might the rules look like
for my masquerade firewall? I didn't need them when I used a CIPE
tunnel before.
Thanks for your help
Bruce
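The NETKEY firewall rules Bruce asks about, as an added example that is not part of the thread or of openswan itself. It assumes eth0 is the WAN interface (not stated in the thread) and uses the subnets from conn NYCPOP; by default it only prints the iptables commands (run it as root with IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a NETKEY-based
# openswan gateway that also masquerades its LAN. With NETKEY there is no
# ipsec0 interface: tunnel traffic leaves through the WAN interface and is
# hit by a plain MASQUERADE rule before encryption, so the private source
# address is rewritten and the far side never sees 192.0.2.x. The NAT
# exemption below is inserted ahead of the existing MASQUERADE rule.
# Assumption: WAN interface is eth0 (hypothetical, not given in the thread).
# IPT defaults to "echo iptables" so the script only prints the rules.
IPT="${IPT:-echo iptables}"

ipsec_fw_rules() {
    left="$1"   # LAN behind this openswan gateway
    right="$2"  # LAN behind the SonicWALL at the other end
    wan="$3"    # interface facing the Internet
    # IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP proto 50) must reach the gateway
    $IPT -A INPUT -i "$wan" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$wan" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$wan" -p esp -j ACCEPT
    # Decrypted packets from the remote LAN: accept only if they arrived via IPsec
    $IPT -A FORWARD -m policy --dir in --pol ipsec -s "$right" -d "$left" -j ACCEPT
    $IPT -A INPUT -m policy --dir in --pol ipsec -s "$right" -j ACCEPT
    # Local LAN towards the remote LAN (will be encrypted on the way out)
    $IPT -A FORWARD -m policy --dir out --pol ipsec -s "$left" -d "$right" -j ACCEPT
    # NAT exemption: inserted at position 1 so it precedes the MASQUERADE rule
    $IPT -t nat -I POSTROUTING 1 -s "$left" -d "$right" -j ACCEPT
}

ipsec_fw_rules 192.0.2.0/24 192.168.10.0/24 eth0
```

Check with `iptables -t nat -L POSTROUTING -n --line-numbers` that the exemption really sits above the MASQUERADE entry; if it does not, the tunnel still comes up but the left-to-right pings keep failing exactly as described.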