[Openswan Users] Cannot see opposite subnet from VPN server

Arjun Datta arjun at greatgulfhomes.com
Thu May 22 14:22:47 EDT 2008


Hi Peter,

10.249.100.20 is the gateway for 10.249.100.0/24.  There is no other gw 
for that subnet

It appears that my communication breaks down at an external point on an 
external router outside my network:

 From 10.243.102.230:
[root at vpn ~]# traceroute 10.249.100.20
traceroute to 10.249.100.20 (10.249.100.20), 30 hops max, 40 byte packets
 1  216.191.158.97 (216.191.158.97)  3.292 ms  3.116 ms  3.065 ms
 2  209.112.55.121 (209.112.55.121)  1.651 ms  1.654 ms *
 3  * * *
 4  * * *
 5  * * *
..
30  * * *

[root at vpn ~]# traceroute 10.249.100.22   (another static IP on the 
10.249.100.0/24 subnet)
traceroute to 10.249.100.22 (10.249.100.22), 30 hops max, 40 byte packets
 1  216.191.158.97 (216.191.158.97)  3.654 ms  3.345 ms  4.666 ms
 2  209.112.55.121 (209.112.55.121)  5.752 ms  6.763 ms *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
...
30  * * *

Does this mean that a router owned by an ISP somewhere is blocking the 
returns?

Regards,
 
Arjun Datta


Peter McGill wrote:
> Arjun,
>
> The route you added on 10.243.102.254 (net 10.249.100.0/24 gw 10.243.102.230) allows communication between 10.243.102.0/24 and
> 10.249.100.0/24. You need it for this to work.
> However, no routes on 10.243.102.254 will affect communication between 10.243.102.230 and 10.249.100.0/24, as the traffic will never
> reach 10.243.102.254.
> Do you have a different gateway for the 10.249.100.0/24 subnet other than 10.249.100.20, like you do on the 10.243.102.0/24 subnet?
> In that case you will need a route on it (10.249.100.?) also, (net 10.243.102.0/24 gw 10.249.100.20).
> If that is not the case I suggest the following on 10.243.102.230:
> traceroute 10.249.100.20
> traceroute 10.249.100.(test host)
> Which will indicate where the communication breaks down.
>
>
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited 
>
>  
>
>
> ________________________________
>
> 	From: Arjun Datta [mailto:arjun at greatgulfhomes.com] 
> 	Sent: May 21, 2008 7:58 PM
> 	To: Matthew Hall
> 	Cc: Paul Wouters; users at openswan.org; petermcgill at goco.net
> 	Subject: Re: [Openswan Users] Cannot see opposite subnet from VPN server
> 	
> 	
> 	Thank you guys - Paul, Peter and Matthew.
> 	
> 	I applied the leftsourceip= and rightsourceip= changes advocated and suggested, and I can ping the 10.243.102.x subnet from
> the 10.249.100.20 VPN server now.
> 	
> 	However I still cannot ping the 10.249.100.x subnet from the 10.243.102.230 VPN server.
> 	
> 	Now, the gateway for the 10.243.102.x domain is NOT the 10.243.102.230 machine, the gateway is 10.243.102.254.
> 	
> 	I have manually added routes to the latter .254 machine to route all traffic for the 10.249.100.x subnet through the
> 10.243.102.230 machine (VPN Peer/Server).  So I have to tweak something on the .254 machine to allow 10.243.102.230 to ping the
> 10.249.100 subnet?
> 	
> 	>I have a VPN tunnel established between two subnets: 
> 	>10.243.102.x - the vpn server is 10.243.102.230 - 2.6.22.9-61.fc6, Linux Openswan U2.4.5/K2.6.22.9-61.fc6 (netkey) 
> 	>10.249.100.x - the vpn server is 10.249.100.20 -  2.6.23.15-80.fc7, Linux Openswan U2.4.7/K2.6.23.15-80.fc7 (netkey) 
> 	
> 	
> 	Regards,
> 	 
> 	Arjun Datta
> 	
> 	Matthew Hall wrote: 
>
> 		Paul Wouters wrote: 
> 		
>
> 			On Thu, 15 May 2008, Matthew Hall wrote: 
> 			
> 			
>
> 					I know that one cannot ping the actual vpn server(s) themselves, so the 
> 					above would be normal. 
> 					But, it also appears the VPN servers themselves cannot see anything in 
> 					the opposite subnet.  Is there a way around this ? 
> 					
> 					I need to pull something from one machine in the 10.243.102.x subnet 
> 					onto the 10.249.100.20 machine. 
> 					
>
> 				This will be because when it's pinging the other side, the source 
> 				address is not in the local range provided by the vpn - ie. its source 
> 				address will be whatever the IP is of the interface with your default 
> 				gateway, so it doesn't get routed over the vpn. 
> 				
> 				If you bind the ping to its 'inside' interface it should work - ie. 
> 				ping 10.243.102.x -I 10.249.100.20. 
> 				
> 				You can workaround this by setting the 'defaultsource' for pluto; on 
> 				
>
>
> 			A better way is to specify leftsourceip= and rightsourceip= in the conn. 
> 			Setting it globally would limit you to doing this only on one conn. 
> 			
>
>
> 		I didn't know that existed - makes my life easier :) 
> 		
> 		Thanks Paul. 
> 		
> 		Matt 
> 		
> 		
>
>
>   
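The check behind Matthew's and Paul's explanation above, as an added example that is not part of this thread and not Openswan's own code: a gateway's own packets to the far subnet only hit the IPsec policy when the kernel's source-address selection picks an address inside leftsubnet. If it picks the outside interface's address instead, the packet follows the default route in the clear, which is exactly what the traceroutes above show. The script tests an address against a CIDR in plain POSIX sh and, when given arguments on a real gateway, reads the `src` the kernel would choose from `ip -4 route get`. The public address 192.0.2.10 and the script name are placeholders (assumptions), not values from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Openswan project.
# Does the source address the kernel picks for DEST lie inside the tunnel's
# leftsubnet?  If not, the IPsec policy never matches and traffic leaves in
# the clear via the default route.

# ip4_to_int ADDR -> dotted quad as a 32-bit integer (e.g. 10.243.102.230 -> 183723750)
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet ADDR CIDR -> exit status 0 when ADDR is inside CIDR
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# tunnel_source_check SRC LEFTSUBNET -> prints "ok" or "outside"
tunnel_source_check() {
    if in_subnet "$1" "$2"; then echo ok; else echo outside; fi
}

# route_src DEST -> the "src" field from `ip -4 route get DEST` (Linux only)
route_src() {
    ip -4 route get "$1" 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Constructed demo: the .230 gateway's inside address versus a placeholder
# outside address (192.0.2.10 is an assumption, not the real public IP).
for src in 10.243.102.230 192.0.2.10; do
    printf '%-16s in 10.243.102.0/24: %s\n' "$src" \
        "$(tunnel_source_check "$src" 10.243.102.0/24)"
done

# Live check on a gateway:  ./srccheck.sh 10.249.100.20 10.243.102.0/24
if [ $# -ge 2 ]; then
    src=$(route_src "$1")
    if [ -z "$src" ]; then
        echo "no route to $1 (or ip(8) not available)"
    elif in_subnet "$src" "$2"; then
        echo "kernel picks src $src for $1: inside $2, policy will match"
    else
        echo "kernel picks src $src for $1: outside $2, packet bypasses the tunnel"
        echo "fix: leftsourceip=<address in $2> in the conn, or ping -I <that address> $1"
    fi
fi
```

On the 10.243.102.230 gateway the expected fix is the one Paul names: leftsourceip=10.243.102.230 (and rightsourceip=10.249.100.20 on the other side) in the conn, after which `ip -4 route get 10.249.100.20` should report that inside address as `src`, and the traceroute should no longer reach the ISP's routers at all.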