[Openswan Users] Cannot see opposite subnet from VPN server

Arjun Datta arjun at greatgulfhomes.com
Wed May 21 19:58:27 EDT 2008


Thank you guys - Paul, Peter and Matthew.

I applied the leftsourceip= and rightsourceip= changes advocated and 
suggested, and I can ping the 10.243.102.x subnet from the 10.249.100.20 
VPN server now.

However I still cannot ping the 10.249.100.x subnet from the 
10.243.102.230 VPN server.

Now, the gateway for the 10.243.102.x domain is NOT the 10.243.102.230 
machine, the gateway is 10.243.102.254.

I have manually added routes to the latter .254 machine to route all 
traffic for the 10.249.100.x subnet through the 10.243.102.230 machine 
(VPN Peer/Server).  So I have to tweak something on the .254 machine to 
allow 10.243.102.230 to ping the 10.249.100 subnet?

>I have a VPN tunnel established between two subnets:
>10.243.102.x - the vpn server is 10.243.102.230 - 2.6.22.9-61.fc6, Linux Openswan U2.4.5/K2.6.22.9-61.fc6 (netkey)
>10.249.100.x - the vpn server is 10.249.100.20 - 2.6.23.15-80.fc7, Linux Openswan U2.4.7/K2.6.23.15-80.fc7 (netkey)

Regards,
 
Arjun Datta

Matthew Hall wrote:
> Paul Wouters wrote:
>> On Thu, 15 May 2008, Matthew Hall wrote:
>>
>>>> I know that one cannot ping the actual vpn server(s) themselves, so 
>>>> the above would be normal.
>>>> But, it also appears the VPN servers themselves cannot see anything in
>>>> the opposite subnet.  Is there a way around this ?
>>>>
>>>> I need to pull something from one machine in the 10.243.102.x subnet
>>>> onto the 10.249.100.20 machine.
>>> This will be because when it's pinging the other side, the source
>>> address is not in the local range provided by the vpn - ie. its source
>>> address will be whatever the IP is of the interface with your default
>>> gateway, so it doesn't get routed over the vpn.
>>>
>>> If you bind the ping to its 'inside' interface it should work - ie.
>>> ping 10.243.102.x -I 10.249.100.20.
>>>
>>> You can workaround this by setting the 'defaultsource' for pluto; on
>>
>> A better way is to specify leftsourceip= and rightsourceip= in the conn.
>> Setting it globally would limit you to doing this only on one conn.
>
> I didn't know that existed - makes my life easier :)
>
> Thanks Paul.
>
> Matt
>
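The conn that Paul's advice leads to, written out as an added example (not the poster's actual configuration): the two source-IP lines make each gateway send its own traffic from the address that lies inside the tunnel's subnet selector, so that traffic matches the IPsec policy instead of leaving via the default-gateway interface. The /24 masks, the conn name and authby=secret are assumptions; only the gateway addresses and the 10.243.102.x / 10.249.100.x ranges come from the thread.

```ini
# /etc/ipsec.conf fragment (example, assumed values marked)
conn site-to-site                      # conn name is an assumption
    type=tunnel
    authby=secret                      # assumed; PSK in /etc/ipsec.secrets
    # 10.243.102.x side
    left=10.243.102.230
    leftsubnet=10.243.102.0/24         # /24 assumed from "10.243.102.x"
    # source address this gateway uses for ITS OWN packets into the tunnel;
    # must fall inside leftsubnet so the traffic matches the IPsec policy
    leftsourceip=10.243.102.230
    # 10.249.100.x side
    right=10.249.100.20
    rightsubnet=10.249.100.0/24        # /24 assumed from "10.249.100.x"
    rightsourceip=10.249.100.20
    auto=start
```

Because both lines are set per conn rather than globally, a second conn to another site can carry its own sourceip values. The static route Arjun added on the .254 gateway (10.249.100.x via 10.243.102.230) is a separate step on that router, not part of ipsec.conf.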