[Openswan Users] subnet-to-subnet VPN, doesn't route how I want

Paul Wouters paul at xelerance.com
Sun Nov 11 11:27:04 EST 2007


On Sun, 11 Nov 2007, Simon Detheridge wrote:

> The connection works fine, apart from one thing. All the machines on
> my local network can ping machines on the remote network, with the
> exception of the server itself. If I try ping 10.0.0.5, I get no
> replies back. However, if I do a ping 10.0.0.5 -I 192.168.2.1, forcing
> 'ping' to bind to the LAN address (instead of the internet address, I
> guess) it works.

leftsourceip=192.168.2.1

> I want packets that originate at the local server to always be able to
> get to the remote network.

That's not how ipsec works. If there is a security association, only that
will be used, and nothing else. So if you want your "nearest" ip (eg the
public one) to be able to talk to 10.0.0.0/24, then you need to add
another tunnel with a left,right and rightsubnet covering that policy.

> I think the normal way to achieve this is to set up a second host ->
> subnet VPN tunnel, for the server in question. I can't do that here
> however, as the sonicwall refuses to set up a second connection to the
> same gateway IP address.

File a bug report with SonicWall?

> Is there anything I can do with iptables, or routing, that will enable
> me to make this happen?

See above. It will make the user use its internal IP for communicating to
the remote end of the tunnel.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
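To make the two options from the reply concrete, here is an ipsec.conf fragment added as an example; it is not from the original mail or from the Openswan project. All addresses are constructed: 203.0.113.10 stands for the Openswan server's public address, 192.168.2.0/24 for its LAN with 192.168.2.1 on the server, 198.51.100.20 for the SonicWall and 10.0.0.0/24 for the remote LAN. The conn names are likewise made up.

```ini
# /etc/ipsec.conf (Openswan 2.x syntax) -- added example, not part of the thread.
# Constructed values: left=203.0.113.10 (server public IP), leftsubnet=192.168.2.0/24,
# leftsourceip=192.168.2.1 (server LAN IP), right=198.51.100.20 (SonicWall),
# rightsubnet=10.0.0.0/24 (remote LAN).
config setup
        interfaces=%defaultroute

# Option A: the existing subnet-to-subnet tunnel, plus leftsourceip.
# Only one SA exists, 192.168.2.0/24 <-> 10.0.0.0/24. Without leftsourceip the
# server picks its public address as source for locally generated packets,
# which matches no SA, so they are never sent through the tunnel (the "ping
# works only with -I 192.168.2.1" symptom). leftsourceip installs the route to
# 10.0.0.0/24 with src 192.168.2.1, so the kernel selects the LAN address.
conn lan-to-sonicwall
        left=203.0.113.10
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.1
        right=198.51.100.20
        rightsubnet=10.0.0.0/24
        authby=secret
        auto=start

# Option B: a second, host-to-subnet tunnel for the server's public address
# itself (no leftsubnet means left/32). This only works if the remote peer
# accepts a second SA from the same gateway, which the SonicWall in the
# thread refuses, so Option A is the practical fix in that situation.
conn host-to-sonicwall
        left=203.0.113.10
        right=198.51.100.20
        rightsubnet=10.0.0.0/24
        authby=secret
        auto=start
```

After `ipsec auto --up lan-to-sonicwall`, `ip route get 10.0.0.5` on the server should report `src 192.168.2.1`, because Openswan's _updown script adds the route to rightsubnet with that source address; if it still shows the public address, the leftsourceip line did not take effect and a plain `ping 10.0.0.5` will keep bypassing the SA.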

