[Openswan Users] Cannot see opposite subnet from VPN server
petermcgill at goco.net
Thu May 22 10:06:24 EDT 2008
The route you added on 10.243.102.254 (net 10.249.100.0/24 gw 10.243.102.230) allows communication between 10.243.102.0/24 and
10.249.100.0/24. You need it for this to work.
However, no routes on 10.243.102.254 will affect communication between 10.243.102.230 and 10.249.100.0/24, as the traffic will never
Do you have a different gateway for the 10.249.100.0/24 subnet other than 10.249.100.20, like you do on the 10.243.102.0/24 subnet?
In that case you will need a route on it (10.249.100.?) also, (net 10.243.102.0/24 gw 10.249.100.20).
If that is not the case I suggest the following on 10.243.102.230:
traceroute 10.249.100.(test host)
Which will indicate where the communication breaks down.
IT Systems Analyst
Gra Ham Energy Limited
From: Arjun Datta [mailto:arjun at greatgulfhomes.com]
Sent: May 21, 2008 7:58 PM
To: Matthew Hall
Cc: Paul Wouters; users at openswan.org; petermcgill at goco.net
Subject: Re: [Openswan Users] Cannot see opposite subnet from VPN server
Thank you guys - Paul, Peter and Matthew.
I applied the leftsourcip= and rightsourceip= changes advocated and suggested, and I can ping the 10.243.102.x subnet from
the 10.249.100.20 VPN server now.
However I still cannot ping the 10.249.100.x subnet from the 10.243.102.230 VPN server.
Now, the gateway for the 10.243.102.x domain is NOT the 10.243.102.230 machine, the gateway is 10.243.102.254.
I have manually added routes to the latter .254 machine to route all traffic for the 10.249.100.x subnet through the
10.243.102.230 machine (VPN Peer/Server). Sop I have to tweak something on the .254 machine to allow 10.243.102.230 to ping the
10.249.100 subnet ?
>I have a VPN tunnel established between two subnets:
>10.243.102.x - the vpn server is 10.243.102.230 - 18.104.22.168-61.fc6, Linux Openswan U2.4.5/K22.214.171.124-61.fc6 (netkey)
>10.249.100.x - the vpn server is 10.249.100.20 - 126.96.36.199-80.fc7, Linux Openswan U2.4.7/K188.8.131.52-80.fc7 (netkey)
Matthew Hall wrote:
Paul Wouters wrote:
On Thu, 15 May 2008, Matthew Hall wrote:
I know that one cannot ping the actual vpn server(s) themselves, so the
above would be normal.
But, it also appears the VPN servers themselves cannot see anything in
the opposite subnet. Is there a way around this ?
I need to pull something from one machine in the 10.243.102.x subnet
onto the 10.249.100.20 machine.
This will be because when it's pinging the other side, the source
address is not in the local range provided by the vpn - ie. it's source
address will be whatever the IP is of the interface with your default
gateway, so it doesn't get routed over the vpn.
If you bind the ping to it's 'inside' interface it should work - ie.
ping 10.243.102.x -I 10.249.100.20.
You can workaround this by setting the 'defaultsource' for pluto; on
A better was is to specify leftsourceip= and rightsourceip= in the conn,
Setting it globally would limit you you to do this only on one conn.
I didn't know that existed - makes my life easier :)
More information about the Users