[Openswan Users] Cannot see opposite subnet from VPN server
Matthew Hall
matt at castleinthesky.org
Thu May 15 15:51:29 EDT 2008
Arjun Datta wrote:
> I have a VPN tunnel established between two subnets:
> 10.243.102.x - the vpn server is 10.243.102.230 - 2.6.22.9-61.fc6, Linux
> Openswan U2.4.5/K2.6.22.9-61.fc6 (netkey)
> 10.249.100.x - the vpn server is 10.249.100.20 - 2.6.23.15-80.fc7,
> Linux Openswan U2.4.7/K2.6.23.15-80.fc7 (netkey)
>
> I find that:
> I cannot ping anything in the 10.243.102.x subnet from the 10.249.100.20
> machine itself
> I can, obviously, ping anything in the 10.243.102.x subnet from any
> other machine in the 10.249.100.x subnet.
> I can ping 10.249.100.20 from any machine in the 10.243.102.x subnet.
>
> The converse is also true:
> I cannot ping anything in the 10.249.100.x subnet from the
> 10.243.102.230 machine itself
> I can, obviously, ping anything in the 10.249.100.x subnet from any
> other machine in the 10.243.102.x subnet.
> I can ping 10.243.102.230 from any machine in the 10.249.100.x subnet.
>
> I know that one cannot ping the actual vpn server(s) themselves, so the
> above would be normal.
> But, it also appears the VPN servers themselves cannot see anything in
> the opposite subnet. Is there a way around this?
>
> I need to pull something from one machine in the 10.243.102.x subnet
> onto the 10.249.100.20 machine.
This will be because when it's pinging the other side, the source
address is not in the local range provided by the vpn - ie. its source
address will be whatever the IP is of the interface with your default
gateway, so it doesn't get routed over the vpn.
If you bind the ping to its 'inside' interface it should work - ie.
ping 10.243.102.x -I 10.249.100.20.
You can work around this by setting the 'defaultsource' for pluto; on
RHat/Fedora type systems, add:
DEFAULTSOURCE=$mylocaladdress
to
/etc/sysconfig/pluto_updown
and restart ipsec.
Hope this helps.
Matt
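A quick check for the condition Matt describes, added here as an example and not code from the thread: given the line `ip route get <peer host>` prints on the gateway, does the `src` address the kernel selected fall inside the local subnet the IPsec policy covers? The route lines and the 192.0.2.10 "outside" address are constructed samples; the subnets are the ones from the thread.

```shell
# Added diagnostic, not code from the thread: if the kernel's chosen source
# address is outside the local subnet covered by the IPsec policy, the packet
# bypasses the tunnel, which is the symptom Arjun describes. Subnets are from
# the thread; the route lines and the 192.0.2.10 address are constructed.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet ADDR NET/BITS -> success when ADDR is inside NET/BITS
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# src_of_route_line LINE -> prints the 'src' field of an `ip route get` line
src_of_route_line() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "src" ] && { echo "$2"; return 0; }
        shift
    done
    return 1
}

# tunnel_src_ok ROUTE_LINE LEFTSUBNET -> success when the chosen source
# address lies in the conn's leftsubnet, so the IPsec policy will match it
tunnel_src_ok() {
    src=$(src_of_route_line "$1") || return 1
    in_subnet "$src" "$2"
}

# Constructed output of `ip route get 10.243.102.5` on the 10.249.100.20 gateway:
ROUTE_DEFAULT_IF='10.243.102.5 via 192.0.2.1 dev eth0 src 192.0.2.10'
ROUTE_INSIDE_SRC='10.243.102.5 via 192.0.2.1 dev eth0 src 10.249.100.20'

for line in "$ROUTE_DEFAULT_IF" "$ROUTE_INSIDE_SRC"; do
    if tunnel_src_ok "$line" 10.249.100.0/24; then
        echo "OK: src $(src_of_route_line "$line") is inside 10.249.100.0/24"
    else
        echo "BYPASS: src $(src_of_route_line "$line") not in 10.249.100.0/24; use ping -I or DEFAULTSOURCE"
    fi
done
```

On a live gateway, replace the constructed lines with the real output of `ip route get <host in the peer subnet>` and the CIDR with the conn's leftsubnet.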