[Openswan Users] subnet-to-subnet VPN, doesn't route how I want

Paul Wouters paul at xelerance.com
Sun Nov 11 11:27:04 EST 2007

On Sun, 11 Nov 2007, Simon Detheridge wrote:

> The connection works fine, apart from one thing. All the machines on
> my local network can ping machines on the remote network, with the
> exception of the server itself. If I try ping, I get no
> replies back. However, if I do a ping -I, forcing
> 'ping' to bind to the LAN address (instead of the internet address, I
> guess) it works.
> I want packets that originate at the local server to always be able to
> get to the remote network.

That's not how IPsec works. If there is a security association, only that
will be used, and nothing else. So if you want your "nearest" IP (e.g. the
public one) to be able to talk to, then you need to add
another tunnel with a left, right and rightsubnet covering that policy.

> I think the normal way to achieve this is to set up a second host ->
> subnet VPN tunnel, for the server in question. I can't do that here
> however, as the sonicwall refuses to set up a second connection to the
> same gateway IP address.

File a bug report with SonicWall?

> Is there anything I can do with iptables, or routing, that will enable
> me to make this happen?

See above. It will make the user use its internal IP for communicating to
the remote end of the tunnel.

Building and integrating Virtual Private Networks with Openswan:
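The policy point above (an IPsec SA only carries traffic matching its own selectors, so the gateway's public address needs a policy of its own) expressed as an Openswan ipsec.conf fragment. This is an added example, not configuration from the thread; all addresses, connection names and the use of leftsourceip are assumptions, with RFC 1918 / documentation-range addresses standing in for the real ones.

```ini
# Added example (not from the original thread). Addresses are constructed.
config setup
        interfaces=%defaultroute

conn %default
        left=203.0.113.10            # our gateway's public IP (placeholder)
        right=198.51.100.20          # remote gateway's public IP (placeholder)
        authby=secret
        auto=start

# Policy 1: LAN <-> remote LAN. Only packets whose source is in
# 192.168.1.0/24 AND destination in 10.0.0.0/24 match this SA.
conn lan-to-remote
        leftsubnet=192.168.1.0/24
        rightsubnet=10.0.0.0/24
        # Assumed option: make the gateway's own traffic to the remote
        # subnet originate from its LAN address, so it matches this SA
        # without having to bind with "ping -I" every time.
        leftsourceip=192.168.1.1

# Policy 2: gateway host (its public IP) <-> remote LAN. With no
# leftsubnet, "left" itself is the local selector. This is the
# separate host-to-subnet tunnel the reply describes; the remote
# side must accept a second policy to the same peer for it to work.
conn gw-to-remote
        rightsubnet=10.0.0.0/24
```

Plain-text packets from the gateway's public address to 10.0.0.0/24 match neither selector of policy 1 and so are sent in the clear (or dropped, depending on the peer's policy), which is the behaviour the original poster saw. Either giving the gateway a second policy (conn gw-to-remote) or forcing its source address into the covered subnet (leftsourceip) puts that traffic inside an SA; the latter is the one that does not require the remote gateway to accept a second connection.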
