[Openswan Users] subnet-to-subnet conn. problem
Burak Öztürk
burakozturk at gmail.com
Fri Jan 4 08:28:57 EST 2008
Hi All,
I have a subnet-to-subnet VPN connection like this:
        subnet1 10.10.0.0/16
                |
                |
        (eth0) 10.10.1.1
                |
        linux(SLES10.1)
                |
        (eth1) 10.0.0.7
                |
                |
        switch <-> 10.1.1.1 <-> DSL Modem <-> Internet
                |
                |
        (eth1) 10.0.0.5
                |
        linux(SLES10.1)
                |
        eth0 10.20.1.1
                |
                |
        subnet2 10.20.0.0/16
My ipsec.conf looks like this:
#ipsec.conf starts
version 2.0

config setup
        interfaces=%defaultroute

conn %default
        authby=rsasig
        type=tunnel

conn net1-net2
        left=10.0.0.7
        leftsubnet=10.10.0.0/16
        leftid=@left
        leftsourceip=10.10.1.1
        leftrsasigkey=0sAQO...
        leftnexthop=10.1.1.1
        right=10.0.0.5
        rightsubnet=10.20.0.0/16
        rightid=@right
        rightsourceip=10.20.1.1
        rightrsasigkey=0sAQN...
        rightnexthop=10.1.1.1
        auto=start

include /etc/ipsec.d/examples/no_oe.conf
#ipsec.conf ends
I also have SuSEfirewall2, and its configuration looks like this:
FW_DEV_EXT=eth1
FW_DEV_INT=eth0
FW_ROUTE=yes
FW_MASQUERADE=no
FW_SERVICES_EXT_UDP=ipsec-nat-t isakmp
FW_SERVICES_EXT_IP=esp
FW_SERVICES_INT_UDP=ipsec-nat-t isakmp
FW_SERVICES_INT_IP=esp
FW_FORWARD=10.10.0.0/16,10.20.0.0/16,,,ipsec /
10.20.0.0/16,10.10.0.0/16,,,ipsec #for left
FW_ALLOW_CLASS_ROUTING=yes
FW_IPSEC_TRUST=int
I think my VPN connection works correctly:
#ipsec auto --status
"net1-net2": 10.10.0.0/16===10.0.0.7[@left.domain]---10.1.1.1...10.1.1.1---10.0.0.5[@right.domain]===10.20.0.0/16; erouted; eroute owner: #4
My problem is:
I cannot ping "10.1.1.1" from a subnet machine (for example 10.10.1.2), so I
cannot connect to the Internet from the subnets.
When I use masquerading
FW_MASQUERADE=yes
FW_MASQ_NETS=10.10.0.0/16 #for left
my VPN connection dies, but I have an Internet connection. For example:
- I cannot ping "10.20.1.2" from "10.10.1.2"
- I can ping "10.20.1.1" from "10.10.1.2"
- I can ping "10.20.1.1" from "10.10.1.1"
- I can ping "10.1.1.1" from "10.10.1.2"
How can I handle this? Should I turn off masquerading and use squid?
Any suggestions?
Thanks a lot.