[Openswan Users] Cannot see opposite subnet from VPN server

Peter McGill petermcgill at goco.net
Thu May 22 10:06:24 EDT 2008


The route you added on (net gw allows communication between and You need it for this to work.
However, no routes on will affect communication between and, as the traffic will never
Do you have a different gateway for the subnet other than, like you do on the subnet?
In that case you will need a route on it (10.249.100.?) also, (net gw
If that is not the case I suggest the following on
traceroute 10.249.100.(test host)
Which will indicate where the communication breaks down.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 



	From: Arjun Datta [mailto:arjun at greatgulfhomes.com] 
	Sent: May 21, 2008 7:58 PM
	To: Matthew Hall
	Cc: Paul Wouters; users at openswan.org; petermcgill at goco.net
	Subject: Re: [Openswan Users] Cannot see opposite subnet from VPN server
	Thank you guys - Paul, Peter and Matthew.
	I applied the leftsourcip= and rightsourceip= changes advocated and suggested, and I can ping the 10.243.102.x subnet from
the VPN server now.
	However I still cannot ping the 10.249.100.x subnet from the VPN server.
	Now, the gateway for the 10.243.102.x domain is NOT the machine, the gateway is
	I have manually added routes to the latter .254 machine to route all traffic for the 10.249.100.x subnet through the machine (VPN Peer/Server).  Sop I have to tweak something on the .254 machine to allow to ping the
10.249.100 subnet ?
	>I have a VPN tunnel established between two subnets: 
	>10.243.102.x - the vpn server is -, Linux Openswan U2.4.5/K2.6.22.9-61.fc6 (netkey) 
	>10.249.100.x - the vpn server is -, Linux Openswan U2.4.7/K2.6.23.15-80.fc7 (netkey) 
	Arjun Datta
	Matthew Hall wrote: 

		Paul Wouters wrote: 

			On Thu, 15 May 2008, Matthew Hall wrote: 

					I know that one cannot ping the actual vpn server(s) themselves, so the 
					above would be normal. 
					But, it also appears the VPN servers themselves cannot see anything in 
					the opposite subnet.  Is there a way around this ? 
					I need to pull something from one machine in the 10.243.102.x subnet 
					onto the machine. 

				This will be because when it's pinging the other side, the source 
				address is not in the local range provided by the vpn - i.e. its source 
				address will be whatever the IP is of the interface with your default 
				gateway, so it doesn't get routed over the vpn. 
				If you bind the ping to its 'inside' interface it should work - i.e. 
				ping 10.243.102.x -I 
				You can work around this by setting the 'defaultsource' for pluto; on 

			A better way is to specify leftsourceip= and rightsourceip= in the conn, 
			Setting it globally would limit you to doing this only on one conn. 

		I didn't know that existed - makes my life easier :) 
		Thanks Paul. 

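The source-address problem Matthew describes (the kernel picks the default-gateway interface's address for a locally generated ping, so the packet never matches the tunnel's left/right selectors) and the two fixes in the thread (binding the ping with -I, or letting leftsourceip= put a src hint on the route to the remote subnet) can be modelled with a small longest-prefix-match routine. This is an added Python example, not code from the thread or from Openswan; the VPN server's own addresses (192.0.2.10 outside, 10.243.102.1 inside) and the routing table are constructed for illustration, since the original mail does not give them.

```python
import ipaddress

# Constructed addresses for the 10.243.102.x VPN server (assumptions for
# illustration; the thread does not give the server's own addresses).
OUTSIDE_ADDR = ipaddress.ip_address("192.0.2.10")   # interface holding the default gateway
INSIDE_ADDR = ipaddress.ip_address("10.243.102.1")  # interface on the LAN side

# Tunnel selectors as stated in the thread.
LEFT_SUBNET = ipaddress.ip_network("10.243.102.0/24")
RIGHT_SUBNET = ipaddress.ip_network("10.249.100.0/24")

# A routing table entry: (destination prefix, preferred source address).
# Constructed 'before' state: only the connected LAN route and a default route.
ROUTES_BEFORE = [
    (ipaddress.ip_network("10.243.102.0/24"), INSIDE_ADDR),
    (ipaddress.ip_network("0.0.0.0/0"), OUTSIDE_ADDR),
]

# With leftsourceip=10.243.102.1 Openswan's updown script installs a route to
# the remote subnet that carries that address as its 'src' hint.
ROUTES_WITH_SOURCEIP = [(RIGHT_SUBNET, INSIDE_ADDR)] + ROUTES_BEFORE


def pick_source(dst, routes, bound_source=None):
    """Return the source address a locally generated packet to dst would carry.

    bound_source models 'ping -I <addr>'; otherwise the kernel uses the
    'src' of the longest-prefix-matching route.
    """
    dst = ipaddress.ip_address(dst)
    if bound_source is not None:
        return ipaddress.ip_address(bound_source)
    best = None
    for net, src in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def enters_tunnel(src, dst):
    """True when the (src, dst) pair falls inside the tunnel's left/right selectors."""
    return (ipaddress.ip_address(src) in LEFT_SUBNET
            and ipaddress.ip_address(dst) in RIGHT_SUBNET)


def diagnose(dst, routes, bound_source=None):
    """Return (chosen source, whether the IPsec policy will match) for a packet to dst."""
    src = pick_source(dst, routes, bound_source)
    return str(src), enters_tunnel(src, dst)


if __name__ == "__main__":
    target = "10.249.100.5"  # constructed host on the far subnet
    print("plain ping     :", diagnose(target, ROUTES_BEFORE))
    print("ping -I inside :", diagnose(target, ROUTES_BEFORE, INSIDE_ADDR))
    print("with sourceip  :", diagnose(target, ROUTES_WITH_SOURCEIP))
```

The first call reproduces the failure: the chosen source is the outside address, which is not in leftsubnet, so the packet goes out in the clear towards the default gateway instead of into the tunnel. Binding the source (ping -I) or installing the src-hinted route that leftsourceip= produces both make the pair match the selectors; the latter is the per-conn fix Paul recommends, and is why Arjun could reach the 10.243.102.x subnet after applying it. It does not address the separate problem of a LAN host whose own gateway lacks a route back, which is the point of Peter's traceroute suggestion.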