[Openswan Users] Openswan site-to-site VPN not forwarding traffic down VPN tunnel

Aaron Hicks aaron.hicks at servicesphere.com
Tue Nov 25 21:39:18 EST 2008


Hi everyone,
I have Openswan working. I don't think I need to change much of its
configuration. This is probably a relief to most list members.
The situation is this, I have a Proliant 1600 running Ubuntu 8.04 LTS server
set up as a transparent bridge router between the ADSL router at the edge of
our network, and the switch hosting all the other computers etc. on our
network. It's also running squid3 and acting as an interception cache.
Everything is on the same subnet, including the bridge and the router. It
looks a bit like this:
LocalLAN---Bridge----ADSL---INTERNETZ
The bridge has both of its physical NICs combined into the bridge interface
br0 and is configured automatically at startup by bridge-utils in
/etc/network/interfaces, i.e. there is no eth0 or eth1.
We have some servers set up at a data centre, and we are trying to VPN in to
their Cisco ASA 5500. The setup is roughly meant to be:
LocalLAN----Bridge---VPN---Cisco----RemoteLAN
The Openswan VPN tunnel starts automatically at startup and attaches itself
to br0 (i.e. there is no ipsec0 interface), and the bridge can ping servers
on the remote network. It seems to have valid routes to the remote network.
Unfortunately I can't seem to get it to forward packets from other hosts on
our network to the remote network. Tracert shows that requests just head
straight to the edge router, and aren't being redirected by the bridge into
the IPsec tunnel.
Can anyone help me forward packets to the remote network?
This is probably something to do with routes or iptables, but I haven't
figured out exactly what needs to be done. It might be something to do with
setting leftnexthop or rightnexthop, but that doesn't seem to have helped
either.
PS: I have attempted something similar with the Linux Cisco VPN Client
(vpnc) with similar results. VPN goes up, but traffic can't be redirected to
the VPN interface.
Regards,

Aaron
Aaron Hicks

Programmer Analyst

http://www.servicesphere.com
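Added example (not from Aaron's post, and not Openswan's own code): a small Python checker for the symptom described above, where the VPN host itself can reach the remote network but hosts behind it cannot. With the NETKEY stack (no ipsec0 interface) the tunnel is selected by the kernel's xfrm policy database, so the first thing to verify is whether a given LAN-host-to-remote flow is actually covered by a "dir out" policy; if leftsubnet is not set in ipsec.conf, Openswan installs a host-to-host policy for the bridge's own address only, which produces exactly this behaviour. The script parses a constructed ipsec.conf conn block and a constructed `ip xfrm policy show` dump; every address, conn name and dump line below is made up for illustration. Note the second half of the problem this does not check: a transparent bridge forwards LAN frames at layer 2 and only runs the routing (and hence xfrm policy) lookup for packets it routes itself, so a correct policy alone is not sufficient on a bridge host.

```python
"""Check whether a LAN-to-remote flow is selected by the xfrm policy database.

Added illustration, not code from the Openswan project. Input text is constructed
to look like ipsec.conf and `ip xfrm policy show`; addresses are made up.
"""
import ipaddress
import re

# Constructed sample: leftsubnet is unset, so Openswan installs a policy for
# the bridge's own address (left/32) rather than for the LAN behind it.
IPSEC_CONF_HOST_ONLY = """\
conn datacentre
    left=203.0.113.10
    leftnexthop=203.0.113.1
    right=198.51.100.1
    rightsubnet=10.0.0.0/24
    auto=start
"""

# Constructed sample: the same conn with leftsubnet covering the local LAN.
IPSEC_CONF_LAN = IPSEC_CONF_HOST_ONLY.replace(
    "    left=203.0.113.10\n",
    "    left=203.0.113.10\n    leftsubnet=192.168.1.0/24\n")

# Constructed `ip xfrm policy show` output as it would look for the LAN conn.
XFRM_POLICY_LAN = """\
src 192.168.1.0/24 dst 10.0.0.0/24
	dir out priority 2344
	tmpl src 203.0.113.10 dst 198.51.100.1
		proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.168.1.0/24
	dir fwd priority 2344
	tmpl src 198.51.100.1 dst 203.0.113.10
		proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.168.1.0/24
	dir in priority 2344
	tmpl src 198.51.100.1 dst 203.0.113.10
		proto esp reqid 16385 mode tunnel
"""

# Constructed dump for the host-only conn: same shape, /32 selector on the left.
XFRM_POLICY_HOST_ONLY = XFRM_POLICY_LAN.replace("192.168.1.0/24", "203.0.113.10/32")


def parse_conn(text):
    """Return {key: value} for the key=value lines of a single conn block."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)=(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def expected_selectors(conn):
    """Selectors Openswan installs for a conn; an unset *subnet means host/32."""
    left = conn.get("leftsubnet", conn["left"] + "/32")
    right = conn.get("rightsubnet", conn["right"] + "/32")
    return {"out": (left, right), "in": (right, left), "fwd": (right, left)}


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy show` output into [{src, dst, dir}, ...]."""
    policies = []
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)  # top-level selector line
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None})
            continue
        m = re.match(r"\s*dir (\w+)", line)  # indented attribute line
        if m and policies:
            policies[-1]["dir"] = m.group(1)
    return policies


def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """Return the first policy whose selector covers the flow, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


def diagnose(conn_text, xfrm_text, lan_host, remote_host):
    """Explain whether a LAN host's packets would be selected for the tunnel."""
    conn = parse_conn(conn_text)
    want_src, want_dst = expected_selectors(conn)["out"]
    hit = matching_policy(parse_xfrm_policies(xfrm_text), lan_host, remote_host)
    if hit is None:
        if "leftsubnet" not in conn:
            return "no leftsubnet: policy only covers %s, not %s" % (want_src, lan_host)
        return "no 'dir out' policy covers %s -> %s (expected %s -> %s)" % (
            lan_host, remote_host, want_src, want_dst)
    return "selected by policy %s -> %s" % (hit["src"], hit["dst"])


if __name__ == "__main__":
    print(diagnose(IPSEC_CONF_HOST_ONLY, XFRM_POLICY_HOST_ONLY, "192.168.1.50", "10.0.0.10"))
    print(diagnose(IPSEC_CONF_LAN, XFRM_POLICY_LAN, "192.168.1.50", "10.0.0.10"))
```

On a real host, feed `diagnose` the actual conn block and the output of `ip xfrm policy show`; the bridge's own address will match the host-only policy while a LAN address will not, which is the "bridge can ping, other hosts cannot" pattern.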