[Openswan Users] Netscreen to Openswan

Paul Wouters paul at xelerance.com
Sun Oct 21 21:13:04 EDT 2007


On Sun, 21 Oct 2007, zyx at shells.nl wrote:

> Oct 21 01:45:12 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x8ab48939 <0x050ada65 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
>
> Now when I log in to siteA and try to ping the private subnet of siteB the packets get dropped by the default gateway of siteA.
> Tcpdump confirms that there are no packets flowing in when I do a ping. This also happens vice versa.
>
> Somehow the packets are not transported through the tunnel, but instead they are sent to the default gateway.

The machines behind the gateway are not aware of the tunnel. If the
default gateway is the vpn server, then they just send the packets the
right way. If the vpn server is not the gateway, then you will need
to give those machines routes for the tunneled subnets to the local
ipsec gateway.

> I played with freeswan ages ago and seem to remember that there should be a tunnel interface? ifconfig -a doesn't list any ...

That's normal when using the NETKEY interface.

Paul
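The routing point above (a LAN host whose default gateway is not the Openswan box needs an explicit route for the remote subnet via the local IPsec gateway), as an added example that is not part of the original thread. All addresses are constructed assumptions: the LAN host at 192.168.1.50, a default gateway at 192.168.1.1 that is not the VPN box, the Openswan box at 192.168.1.2, and the remote subnet 192.168.2.0/24. The `ip route get` lines are constructed samples in the format Linux prints; nothing here touches the live routing table, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Constructed addresses (assumptions):
#   site A LAN host:        192.168.1.50
#   site A default gateway: 192.168.1.1  (not the VPN box)
#   site A Openswan box:    192.168.1.2
#   site B private subnet:  192.168.2.0/24

# Build the route a LAN host needs so traffic for the remote subnet
# is handed to the local IPsec gateway instead of the default gateway.
# Usage: route_cmd <remote_subnet> <ipsec_gateway>
route_cmd() {
  printf 'ip route add %s via %s\n' "$1" "$2"
}

# Extract the next hop from one line of `ip route get <addr>` output, e.g.
#   192.168.2.10 via 192.168.1.1 dev eth0 src 192.168.1.50
# Prints nothing for an on-link route (no "via"), which is also "wrong" here.
next_hop() {
  printf '%s\n' "$1" | sed -n 's/^[^ ]* via \([^ ]*\) .*/\1/p'
}

# Return 0 when the host would forward the packet to the IPsec gateway,
# 1 otherwise (the symptom in the thread: packets go to the default gateway).
# Usage: route_ok "<ip route get line>" <ipsec_gateway>
route_ok() {
  [ "$(next_hop "$1")" = "$2" ]
}

# Constructed sample output, before and after adding the route on the host.
BEFORE='192.168.2.10 via 192.168.1.1 dev eth0 src 192.168.1.50'  # default gw: dropped
AFTER='192.168.2.10 via 192.168.1.2 dev eth0 src 192.168.1.50'   # Openswan box: tunneled

check_host() {
  if route_ok "$BEFORE" 192.168.1.2; then
    echo "already routed via IPsec gateway"
  else
    echo "fix on the LAN host (or as a static route on the default gateway):"
    route_cmd 192.168.2.0/24 192.168.1.2
  fi
  route_ok "$AFTER" 192.168.1.2 && echo "after the route: next hop $(next_hop "$AFTER") ok"
}

check_host
```

Instead of touching every host, the same static route can be added on the default gateway itself so it forwards 192.168.2.0/24 to the Openswan box. On the Openswan box there is nothing to route because NETKEY has no ipsecN interface; the kernel matches packets against the policies shown by `ip xfrm policy` and the SAs shown by `ip xfrm state`, which is where to look when confirming that traffic for the remote subnet is actually being selected for the tunnel.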

