[Openswan Users] Multiple VPN connections, possible routing issue?

Paul Wouters paul at xelerance.com
Thu Mar 29 14:15:49 EDT 2007


On Thu, 29 Mar 2007, Alan Murrell wrote:

> We have one main site and three remote ones.  We are only interested in having
> the remote sites talk to the main site and not (yet) have the various sites
> talking to each other.
>
> Here is what we have so far:
>
>   main site: 10.175.0.0/24
>   site1: 10.175.1.0/24
>   site2: 10.175.2.0/24
>   site3: 10.175.3.0/24
>
> (the above are the private LAN subnets of each site).  OpenSWAN is running on
> the firewall machines at each site (Soekris boxen running identical Debian
> images and IPTables)
>
> We have the site-to-site VPN working perfectly between the main site and site1
> (traffic going both ways, able to ping hosts on either side from the two
> subnets, access services, connect to hosts/PCs, etc.)
>
> With regards to the other sites (site2 and site3)....
>
>   - The tunnels do get established
>   - From the remote site gateways I am able to ping the hosts/PCs on the main
> site's subnet but cannot access services

Sounds like an MTU issue. Lower the external MTU on all sites to 1472 and see
if that fixes it.

>   - From the main site's gateway and LAN I am able to ping the private IP of
> the remote sites' gateway (10.175.xxx.254)
>   - From the main site's gateway and LAN I am unable to ping any hosts/PCs
> beyond the remote sites' gateway (with one exception: I am able to ping one
> host on the 10.175.3.0/24 subnet, but cannot connect to it, though I can if I
> am on the local subnet)

Since the images are "identical", the only thing I could imagine is if those
machines do not use the VPN as their default gateway, and are routing their
packets differently internally. Run tcpdump to find out what is going on?

>   - The site2 and site3 routing and IPTables rules are *identical* to that of
> site1 (which is working 100%).  Of course the only difference with the
> routing tables are the local subnets and ISP gateways.

Are you sure you didn't change the /proc value for ip_forwarding on site1 after
you started it, so it is different from site2/3?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
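The two settings the reply points at (IP forwarding and the external MTU) can be compared across all four gateways with a small audit script. This is an added example, not code from the thread or from Openswan; it assumes the external interface is eth0 and that each gateway's state was collected with `cat /proc/sys/net/ipv4/ip_forward` and `ip -o link show dev eth0`, with the results pasted in below as constructed sample data.

```shell
#!/bin/sh
# Audit each site gateway for the two settings discussed in the reply:
# ip_forward must be 1, and the external MTU should not exceed 1472.

MAX_MTU=1472   # value suggested in the reply
EXT_IF=eth0    # assumed external interface name

# audit_gateway SITE IP_FORWARD "IP_LINK_LINE"
# Prints findings for one gateway; returns 0 if both checks pass, 1 otherwise.
audit_gateway() {
    site=$1; fwd=$2; link=$3
    status=0
    if [ "$fwd" != "1" ]; then
        echo "$site: ip_forward=$fwd (LAN traffic will not be routed into the tunnel)"
        status=1
    fi
    # pull the number that follows 'mtu ' out of the ip -o link output
    mtu=$(printf '%s\n' "$link" | sed -n 's/.* mtu \([0-9]*\).*/\1/p')
    if [ -z "$mtu" ]; then
        echo "$site: could not parse MTU from: $link"
        status=1
    elif [ "$mtu" -gt "$MAX_MTU" ]; then
        echo "$site: $EXT_IF mtu=$mtu exceeds $MAX_MTU (ESP overhead can force fragmentation)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$site: ok"
    return $status
}

# Constructed sample data: site, ip_forward value, ip -o link line.
# site2 has forwarding switched off, site3 still has the default 1500 MTU.
run_audit() {
    rc=0
    audit_gateway main  1 '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UP qlen 1000' || rc=1
    audit_gateway site1 1 '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UP qlen 1000' || rc=1
    audit_gateway site2 0 '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UP qlen 1000' || rc=1
    audit_gateway site3 1 '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000' || rc=1
    return $rc
}

run_audit
```

On a real gateway, replace the constructed arguments with the live values (`$(cat /proc/sys/net/ipv4/ip_forward)` and `"$(ip -o link show dev eth0)"`) and run the script on each site to see which one differs from site1.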