[Openswan Users] one way tunnel

Bruce Ferrell bferrell at baywinds.org
Thu Jun 21 10:15:44 EDT 2007



Peter McGill wrote:
>>-----Original Message-----
>>Date: Wed, 20 Jun 2007 09:37:54 -0700
>>From: Bruce Ferrell <bferrell at baywinds.org>
>>Subject: [Openswan Users] one way tunnel
>>To: users at openswan.org
>>
>>I'm new to openswan and I've been digging through the available 
>>documentation for the last week for a problem that is making me nuts.
>>
>>I'm trying to do a subnet-subnet tunnel and can from the 
>>right subnet to 
>>the left subnet but I can't ping from the left to the right.  
>>Is there 
>>something wrong in the config below?
>>
>>Thanks in advance
>>
>>conn NYCPOP
>>         auth=esp
>>         authby=secret
>>         auto=start
>>         esp=3des-sha1
>>         ike=3des-sha1
>>         keyexchange=ike
>>         keyingtries=0
>>         left=66.92.17.98
>>         leftid=@bruce
>>         leftsubnet=192.0.2.0/24
>>         pfs=no
>>         right=64.74.247.1
>>         rightid=@0006B138EF44
>>         rightsubnet=192.168.10.0/24
>>         type=tunnel
> 
> 
> Are you sure your leftsubnet is 192.0.2.0/24? 192.168.2.0/24 makes more sense.
> 
> Otherwise, looks fine. Tunnels work both ways, so I would guess you likely
> have a firewall problem dropping the packets.
> Make sure you have firewall rules in iptables to allow the
> private traffic from the other site.
> 
> Do you have openswan on both sides or just one side?
> If one which side and what is on the other side?
> 
> Are you pinging from a host on the subnet or from the ipsec router?
> If from the router add leftsourceip=192.0.2.? (router lan ip.) and
> rightsourceip=192.168.10.? (other router lan ip)
> 
> ipsec --version should tell you if you're using klips or netkey (native),
> ipsec in the kernel. You need to know this because the firewall rules
> differ depending on which.
> 
> Be sure to add FORWARD and possibly INPUT rules for -s 192.0.2.0/24 (or 192.168.2.0/24).
> 
> Peter

Only one side is openswan.  The other is a SonicWALL firewall appliance.
ipsec --version says I'm using netkey.  What might the rules look like
for my masquerade firewall?  I didn't need them when I used a cipe
tunnel before.

Thanks for your help

Bruce
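Added example (not part of the thread, and not Openswan project code): a minimal iptables ruleset for the NETKEY-plus-masquerade case Bruce asks about. It uses the subnets and the SonicWALL's public address from the conn above; the WAN interface name eth0 and the choice of a `policy`-match exemption are assumptions. The point that matters with NETKEY is ordering: the nat/POSTROUTING chain runs before the kernel applies the IPsec policy to an outgoing packet, so a plain MASQUERADE rewrites 192.0.2.x to the public address, the packet no longer matches the leftsubnet/rightsubnet selector, and it never enters the tunnel. Connections opened from the far side are not affected (their replies are not new connections for NAT), which is why an unexempted masquerade shows up as a tunnel that only works in one direction.

```shell
#!/bin/sh
# Example iptables rules for an Openswan NETKEY gateway that also
# masquerades its LAN. Added example, not from the thread or Openswan.
# Addresses are the ones in the posted conn; eth0 is an assumption.
#
# With NETKEY there is no ipsecX interface: decrypted packets arrive on
# the physical interface and outgoing packets are encrypted after the
# netfilter hooks. The "-m policy --pol ipsec" match lets the firewall
# tell tunnel traffic from cleartext traffic on the same interface.

IPT=${IPT:-iptables}   # set IPT=echo to preview the commands without root

ipsec_netkey_rules() {
    left_subnet=$1   # LAN behind this gateway (leftsubnet)
    right_subnet=$2  # LAN behind the peer (rightsubnet)
    peer=$3          # peer's public address (right=)
    wan_if=$4        # interface holding the public address

    # 1. Exempt tunnel traffic from NAT. Inserted at position 1 so it is
    #    evaluated before any existing MASQUERADE rule.
    $IPT -t nat -I POSTROUTING 1 -s "$left_subnet" -d "$right_subnet" \
        -m policy --dir out --pol ipsec -j ACCEPT
    # Ordinary masquerade for everything else leaving the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE

    # 2. Let IKE and ESP from the peer reach this host.
    $IPT -A INPUT -s "$peer" -p udp --dport 500  -j ACCEPT   # IKE
    $IPT -A INPUT -s "$peer" -p udp --dport 4500 -j ACCEPT   # NAT-T, if used
    $IPT -A INPUT -s "$peer" -p esp -j ACCEPT                # ESP payload

    # 3. Forward LAN<->LAN traffic only when it was (inbound) or will be
    #    (outbound) IPsec protected. Without --pol ipsec, a cleartext
    #    packet spoofing a 192.168.10.x source would also be forwarded.
    $IPT -A FORWARD -s "$right_subnet" -d "$left_subnet" \
        -m policy --dir in --pol ipsec -j ACCEPT
    $IPT -A FORWARD -s "$left_subnet" -d "$right_subnet" \
        -m policy --dir out --pol ipsec -j ACCEPT
}

# Usage with the thread's addresses (interface name assumed):
# ipsec_netkey_rules 192.0.2.0/24 192.168.10.0/24 64.74.247.1 eth0
```

Run it first with `IPT=echo` to review the generated commands, then as root without the override. If the SonicWALL side sits behind NAT-T, the UDP 4500 rule is the one that matters; otherwise it is harmless.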