[Openswan Users] VPN to VPN routing problem

Peter McGill petermcgill at goco.net
Fri May 30 15:21:37 EDT 2008


Roland,

This is probably due to a misconfiguration on the 192.168.3.0/24 vpn gateway machine.
Typically it is caused by:
Masquerading the LAN traffic to the internet while the IPsec traffic is not exempted.
i.e. if you have iptables -t nat -A POSTROUTING -o eth1 -s 192.168.3.0/24 -j MASQUERADE
Insert these before:
iptables -t nat -I POSTROUTING -o eth1 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -o eth1 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT

If that is not the case, you can send an ipsec barf, then I can review it for other possible causes.
ipsec barf > ipsec_barf.txt
It will contain a lot of useful information for debugging your ipsec connections.
Your private/secret keys however are not listed for security.
Attach the whole file and email me directly, rather than sending the big file to the list.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
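To make the ordering point above concrete, here is a small Python model of the nat/POSTROUTING chain (an added example, not part of the thread or of Openswan). It uses the thread's subnets; the gateway's public address 203.0.113.10 and the host addresses are constructed placeholders, and the IPsec policy check is a simplified model of the kernel's behaviour, not the kernel's code.

```python
# Added example: model netfilter's nat/POSTROUTING chain (first match wins)
# to show why the ACCEPT exemptions must sit before MASQUERADE. Addresses
# other than the thread's subnets are constructed placeholders.
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"  # constructed: the gateway's eth1 address

# Simplified IPsec policy of the 192.168.3.0/24 gateway, as in the thread:
# a packet whose (src, dst) matches a selector is encrypted, anything else
# leaves in the clear.
SPD = [
    (ip_network("192.168.3.0/24"), ip_network("192.168.1.0/24")),
    (ip_network("192.168.3.0/24"), ip_network("192.168.2.0/24")),
]

def rule_matches(rule, src, dst):
    """-s must match; -d matches when the rule has none or dst is inside it."""
    return src in rule["s"] and (rule["d"] is None or dst in rule["d"])

def postrouting(chain, src, dst):
    """Walk the chain like netfilter: the first matching rule decides.
    MASQUERADE rewrites the source to the public IP; ACCEPT keeps it."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in chain:
        if rule_matches(rule, src, dst):
            return PUBLIC_IP if rule["j"] == "MASQUERADE" else str(src)
    return str(src)  # no rule matched: unchanged

def goes_through_vpn(nat_src, dst):
    """Simplified model: the policy is matched on the post-NAT addresses.
    A masqueraded packet no longer matches the 192.168.3.0/24 selector."""
    s, d = ip_address(nat_src), ip_address(dst)
    return any(s in sel_s and d in sel_d for sel_s, sel_d in SPD)

def build_chain(exempt_ipsec):
    """Mirror the iptables commands from the reply: -A appends MASQUERADE,
    -I inserts each ACCEPT at the top, so they end up before it."""
    chain = [{"s": ip_network("192.168.3.0/24"), "d": None, "j": "MASQUERADE"}]
    if exempt_ipsec:
        for peer in ("192.168.1.0/24", "192.168.2.0/24"):
            chain.insert(0, {"s": ip_network("192.168.3.0/24"),
                             "d": ip_network(peer), "j": "ACCEPT"})
    return chain

def ping_path(exempt_ipsec, src="192.168.3.20", dst="192.168.2.20"):
    """Return 'vpn' or 'internet' for a packet from src to dst."""
    nat_src = postrouting(build_chain(exempt_ipsec), src, dst)
    return "vpn" if goes_through_vpn(nat_src, dst) else "internet"
```

With only the MASQUERADE rule, a ping from (3) to (2) leaves with the public source address and misses the VPN, which is the tcpdump symptom in the original message; with the two exemptions inserted first it stays on the VPN while ordinary internet traffic is still masqueraded.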

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Roland Plüss
> Sent: May 30, 2008 2:53 PM
> To: users at openswan.org
> Subject: [Openswan Users] VPN to VPN routing problem
> 
> I've got a bit of a particular setup here and somehow can't get
> everything to work as it should. First a little drawing of what we have.
> 
> [ 192.168.2.0/24 ] <-> [ gateway at 192.168.2.1 ] <- - VPN - 
> internet - 
> -> [ gateway at 192.168.1.10 ] (*1,*2)
> *1 <-> [ 192.168.1.0/24 ]
> *2 <- - VPN - wifi - -> [192.168.3.0/24 ]
> 
> - I can ping from 192.168.1.0/24 to 192.168.2.0/24 and 192.168.3.0/24
> - I can ping from 192.168.2.0/24 to 192.168.1.0/24
> - I can ping from 192.168.3.0/24 to 192.168.1.0/24
> - I can * * NOT * * ping from 192.168.3.0/24 to 192.168.2.0/24
> 
> Hence everything works except pinging from the (3) network to the (2)
> network, which are two individual VPNs with end points on the same
> machine. I tested with tcpdump and what happens is that the pings from
> (3) are sent out to the internet instead of through the VPN to (2). For
> (1) to (2) this works without a problem, so I assume it's a problem with
> two VPNs ending on the same machine.
> 
> Any ideas why such a config could fail?
> 