[Openswan Users] We can NOT ping from the firewall, But can ping from LAN PCs.

Peter McGill petermcgill at goco.net
Tue Dec 9 09:21:12 EST 2008


Ruben Laban wrote:
> On Tuesday 09 December 2008 at 07:28 (CET), Indunil Jayasooriya wrote:
>>> In your openswan connection definitions you need to use
>>> left/rightsource=internal.ip.of.firewall, so that the firewall
>>> communicates to the remote end using an ip thats within your
>>> left/rightsubnet definition.
>> Thanks for your reply. Please see the ipsec.conf file below.
>>
>> where left=1.2.3.4 and  right=5.6.7.8 are real ips of both sides.
>> left=1.2.3.4 - This is OUR end
>> right=5.6.7.8 - This is REMOTE end
>>
>> # basic configuration
>> config setup
>>       interfaces=%defaultroute
>>       # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>       klipsdebug=all
>>       plutodebug=all
>>       nat_traversal=yes
>>
>> conn tunnelipsec1
>>       type=tunnel
>>       left=1.2.3.4
>>       leftsubnet=192.168.1.0/24
>>       right=5.6.7.8
>>       rightsubnet=196.4.49.0/24
>>       esp=3des
>>       authby=secret
>>       keyexchange=ike
>>       pfs=no
>>       auto=start
> 
> Assuming your end has both 1.2.3.4 and 192.168.1.1, add the following line to 
> your "conn tunnelipsec1" section:
> 	leftsourceip=192.168.1.1
> 
> Change the IP if needed, of course.

Exactly, and for your own good, turn off klips&plutodebug...
	#klipsdebug=none
	#plutodebug=none

Peter
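The two points made in this thread (the gateway's own traffic only enters the tunnel if it is sourced from an address inside leftsubnet, and klipsdebug/plutodebug=all should not be left on) are easy to lint for. The following checker is an added example, not code from the thread or from the Openswan project: it parses the posted conn with a small ipsec.conf reader, flags a missing or out-of-subnet leftsourceip and non-"none" debug settings, and shows that the corrected conn passes. The firewall LAN address 192.168.1.1 is assumed, as in Ruben's reply; the "left is our end" convention comes from the original post.

```python
import ipaddress

# Constructed sample that matches the conn posted in the thread: no
# leftsourceip, and full KLIPS/pluto debug logging left on.
SAMPLE_IPSEC_CONF = """\
config setup
      interfaces=%defaultroute
      klipsdebug=all
      plutodebug=all
      nat_traversal=yes

conn tunnelipsec1
      type=tunnel
      left=1.2.3.4
      leftsubnet=192.168.1.0/24
      right=5.6.7.8
      rightsubnet=196.4.49.0/24
      esp=3des
      authby=secret
      keyexchange=ike
      pfs=no
      auto=start
"""

# Same conn with both fixes applied (assumed firewall LAN address 192.168.1.1).
FIXED_IPSEC_CONF = (SAMPLE_IPSEC_CONF
                    .replace("klipsdebug=all", "klipsdebug=none")
                    .replace("plutodebug=all", "plutodebug=none")
                    .replace("      left=1.2.3.4\n",
                             "      left=1.2.3.4\n      leftsourceip=192.168.1.1\n"))


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'config setup': {...}, 'conn NAME': {...}}.

    A section header starts at column 0; indented key=value lines belong to
    the most recent header. '#' comments and blank lines are ignored, so a
    commented-out "#klipsdebug=none" simply leaves the key at its default.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        if current is None:
            raise ValueError(f"key/value outside any section: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line.strip()}")
        current[key.strip()] = value.strip()
    return sections


def lint(text, local_side="left"):
    """Return a list of findings; an empty list means both checks passed.

    local_side names the side that is this gateway ("left" here, since the
    original post says left is OUR end); only that side's sourceip matters
    for traffic the gateway itself originates.
    """
    sections = parse_ipsec_conf(text)
    findings = []

    setup = sections.get("config setup", {})
    for key in ("klipsdebug", "plutodebug"):
        value = setup.get(key, "none")
        if value != "none":
            findings.append(f"config setup: {key}={value} "
                            f"(verbose debug logging; set it to none)")

    for name, conn in sections.items():
        if not name.startswith("conn ") or conn.get("type", "tunnel") != "tunnel":
            continue
        subnet = conn.get(f"{local_side}subnet")
        if subnet is None:
            continue  # host-to-host conn, nothing to check
        net = ipaddress.ip_network(subnet, strict=False)
        sourceip = conn.get(f"{local_side}sourceip")
        if sourceip is None:
            findings.append(f"{name}: {local_side}sourceip not set; traffic the "
                            f"gateway originates will not fall inside {subnet}")
        elif ipaddress.ip_address(sourceip) not in net:
            findings.append(f"{name}: {local_side}sourceip={sourceip} is not "
                            f"inside {local_side}subnet={subnet}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_IPSEC_CONF):
        print(finding)
    print("fixed conn findings:", lint(FIXED_IPSEC_CONF))
```

Running it on the posted conn reports three findings (the two debug settings and the missing leftsourceip); the corrected conn reports none. After applying the fix on a real box, the quick check is that "ip addr" shows 192.168.1.1 on the firewall and that ping to a host in 196.4.49.0/24 from the firewall now uses that source address.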

