[Openswan Users] Cannot see opposite subnet from VPN server

Peter McGill petermcgill at goco.net
Thu May 22 10:06:24 EDT 2008 

Arjun,

The route you added on 10.243.102.254 (net 10.249.100.0/24 gw 10.243.102.230) allows communication between 10.243.102.0/24 and
10.249.100.0/24. You need it for this to work.
However, no routes on 10.243.102.254 will affect communication between 10.243.102.230 and 10.249.100.0/24, as the traffic will never
reach 10.243.102.254.
Do you have a different gateway for the 10.249.100.0/24 subnet other than 10.249.100.20, like you do on the 10.243.102.0/24 subnet?
In that case you will need a route on it (10.249.100.?) also, (net 10.243.102.0/24 gw 10.249.100.20).
If that is not the case I suggest the following on 10.243.102.230:
traceroute 10.249.100.20
traceroute 10.249.100.(test host)
Which will indicate where the communication breaks down.


Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

 


________________________________

	From: Arjun Datta [mailto:arjun at greatgulfhomes.com] 
	Sent: May 21, 2008 7:58 PM
	To: Matthew Hall
	Cc: Paul Wouters; users at openswan.org; petermcgill at goco.net
	Subject: Re: [Openswan Users] Cannot see opposite subnet from VPN server
	
	
	Thank you guys - Paul, Peter and Matthew.
	
	I applied the leftsourcip= and rightsourceip= changes advocated and suggested, and I can ping the 10.243.102.x subnet from
the 10.249.100.20 VPN server now.
	
	However I still cannot ping the 10.249.100.x subnet from the 10.243.102.230 VPN server.
	
	Now, the gateway for the 10.243.102.x domain is NOT the 10.243.102.230 machine, the gateway is 10.243.102.254.
	
	I have manually added routes to the latter .254 machine to route all traffic for the 10.249.100.x subnet through the
10.243.102.230 machine (VPN Peer/Server).  Sop I have to tweak something on the .254 machine to allow 10.243.102.230 to ping the
10.249.100 subnet ?
	
	>I have a VPN tunnel established between two subnets: 
	>10.243.102.x - the vpn server is 10.243.102.230 - 2.6.22.9-61.fc6, Linux Openswan U2.4.5/K2.6.22.9-61.fc6 (netkey) 
	>10.249.100.x - the vpn server is 10.249.100.20 -  2.6.23.15-80.fc7, Linux Openswan U2.4.7/K2.6.23.15-80.fc7 (netkey) 
	
	
	Regards,
	 
	Arjun Datta
	
	Matthew Hall wrote: 

		Paul Wouters wrote: 
		

			On Thu, 15 May 2008, Matthew Hall wrote: 
			
			

					I know that one cannot ping the actual vpn server(s) themselves, so the 
					above would be normal. 
					But, it also appears the VPN servers themselves cannot see anything in 
					the opposite subnet.  Is there a way around this ? 
					
					I need to pull something from one machine in the 10.243.102.x subnet 
					onto the 10.249.100.20 machine. 
					

				This will be because when it's pinging the other side, the source 
				address is not in the local range provided by the vpn - ie. it's source 
				address will be whatever the IP is of the interface with your default 
				gateway, so it doesn't get routed over the vpn. 
				
				If you bind the ping to it's 'inside' interface it should work - ie. 
				ping 10.243.102.x -I 10.249.100.20. 
				
				You can workaround this by setting the 'defaultsource' for pluto; on 
				


			A better was is to specify leftsourceip= and rightsourceip= in the conn, 
			Setting it globally would limit you you to do this only on one conn. 
			


		I didn't know that existed - makes my life easier :) 
		
		Thanks Paul. 
		
		Matt

More information about the Users mailing list