[Openswan Users] openswan with a virtual ethernet

ACasella antony.casella at sand.com
Mon May 28 13:11:18 EDT 2007

I am having quite some trouble trying to set up openswan using 2
differently configured servers.

Server 1 is a RH9 2.4 kernel machine with 2 physical ethernet adapters
eth0 and eth1.  This server has a public IP and a subnet behind it with
the value of on eth1
Linux Openswan 1.0.3

Server 2 is a FC6 2.6 kernel machine with a single ethernet card
(eth0).  I am adding a virtual ethernet by using the "ifconfig eth0:1" command.  This server does not have a subnet behind it but
does have a public IP address.
Linux Openswan U2.4.5/K2.6.20-1.2948.fc6 (netkey)

I can successfully setup a host to host connection and this can be
verified by seeing the ESP packets with tcpdump when I ping External IP
to External IP.  

I cannot however see any packets trying to ping from a client on the
subnet of server1 to the fake eth0:1 ip or vice versa.  

I have tried various combinations of in my .conf file.  My current .conf
file looks like:

conn net-to-net

I tried changing rightnexthop to and the connection fails
(no route).  My iptables have the following for each respective server:

-A POSTROUTING -s -o eth0 -d ! -j
-A INPUT -p tcp -m tcp --dport 50 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51 --syn -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT

-A POSTROUTING -s -o eth0  -d !
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT

I have net.ipv4.ip_forward = 1 in sysctl.conf

Is this scenario even possible?

Perhaps my logic in the setup is flawed as all I want to do is use
server 2 as a remote proxy server for various ports and protocols for
the clients behind server1.  We want to have all traffic encrypted from
the clients behind server1 to server2.

I looked through the archives of this list but I may not know the
correct nomenclature of what I am trying to achieve so I apologize if
this question has been asked before.

Thank you

Antony Casella
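An added example, not from the original post or from Openswan: a small POSIX shell lint over the two INPUT rulesets quoted above. ESP is IP protocol 50 and AH is IP protocol 51, so a rule written as "-p tcp --dport 50" never matches an ESP packet; the lint flags that pattern and lists which of the four IPsec flows (ESP, AH, IKE on UDP 500, NAT-T on UDP 4500) a ruleset does not ACCEPT. The rule text is a constructed copy of the rules in the post.

```shell
#!/bin/sh
# Added example (not from the post or Openswan). Lint iptables INPUT rules
# for an IPsec gateway: ESP/AH are IP protocols 50/51 with no TCP/UDP port,
# IKE is UDP 500 and NAT-T is UDP 4500.
# Constructed copies of the two INPUT rulesets quoted in the post.
SERVER1_RULES='-A INPUT -p tcp -m tcp --dport 50 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51 --syn -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT'

SERVER2_RULES='-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT'

# Print every rule that tries to match ESP/AH as a TCP or UDP port.
# Exit status 0 = clean, 1 = at least one such rule found.
lint_ipsec_rules() {
    bad=$(printf '%s\n' "$1" |
          grep -E -- '-p (tcp|udp) .*--dport (50|51)( |$)' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/port-instead-of-protocol: /'
    return 1
}

# Print the IPsec flows the ruleset does not ACCEPT, one per line:
# esp, ah, ike (UDP 500), natt (UDP 4500). Prints nothing when complete.
missing_ipsec_allow() {
    rules=$(printf '%s\n' "$1" | grep -- '-j ACCEPT' || true)
    printf '%s\n' "$rules" | grep -Eq -- '-p (50|esp)( |$)'           || echo esp
    printf '%s\n' "$rules" | grep -Eq -- '-p (51|ah)( |$)'            || echo ah
    printf '%s\n' "$rules" | grep -Eq -- '-p udp .*--dport 500( |$)'  || echo ike
    printf '%s\n' "$rules" | grep -Eq -- '-p udp .*--dport 4500( |$)' || echo natt
    return 0
}

# Stand-alone report for one named ruleset.
report() {
    echo "== $1"
    lint_ipsec_rules "$2" || echo "fix: match with -p esp / -p ah (or -p 50 / -p 51)"
    missing=$(missing_ipsec_allow "$2")
    if [ -n "$missing" ]; then
        echo "not accepted: $(printf '%s ' $missing)"
    fi
}

report server1 "$SERVER1_RULES"
report server2 "$SERVER2_RULES"
```

Run against the first ruleset it reports the two "--dport 50/51" rules and lists esp and ah as not accepted; the second ruleset comes back clean.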
