[Openswan Users] 2 ip ranges in our end with OpenSwan

Indunil Jayasooriya indunil75 at gmail.com
Mon Sep 1 00:28:52 EDT 2008


Hi,

I am running Openswan on a CentOS 5 firewall. On my side I have only
one subnet, 192.168.1.0/24. On the other side there are 4
subnets. We can connect to each other; it works fine.

Now the other side has added another subnet. They asked us to use a
different IP range to access it; they have given 10.48.0.0/16 to use
as the other IP range for our side.

But the new IP range still can't access the other side.

Please see my ipsec.conf file.

[root at firewall ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
#
# Five tunnel conns share one left endpoint (220.247.213.202) and one
# right endpoint (196.4.52.10); each pairs exactly one leftsubnet with
# exactly one rightsubnet. tunnelipsec1-4 all carry 192.168.1.0/24;
# tunnelipsec5 is the only conn keyed on a 10.48.0.0/16 leftsubnet.

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # NOTE(review): "all" on both lines is very verbose and can write
        # IKE negotiation detail into the system log; useful while this
        # tunnel is being debugged, but set both back to "none" afterwards.
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes

# tunnelipsec1-4: the local 192.168.1.0/24 LAN to each of the four
# remote subnets. All five conns use the same cipher, auth and key
# exchange settings, so only the subnet pair differs between them.
conn tunnelipsec1
        type=tunnel
        left=220.247.213.202
        leftsubnet=192.168.1.0/24
        right=196.4.52.10
        rightsubnet=196.4.49.0/24
        # NOTE(review): 3DES is a legacy cipher; prefer AES where the
        # peer supports it. authby=secret means a pre-shared key, and
        # pfs=no means ESP keys are derived from the IKE key without
        # a fresh DH exchange; enable PFS if the peer allows it.
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec2
        type=tunnel
        left=220.247.213.202
        leftsubnet=192.168.1.0/24
        right=196.4.52.10
        rightsubnet=196.4.51.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec3
        type=tunnel
        left=220.247.213.202
        leftsubnet=192.168.1.0/24
        right=196.4.52.10
        rightsubnet=10.10.99.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec4
        type=tunnel
        left=220.247.213.202
        leftsubnet=192.168.1.0/24
        right=196.4.52.10
        rightsubnet=10.10.250.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

# tunnelipsec5: only packets whose source address lies inside
# 10.48.0.0/16 are selected into this tunnel. None of the other conns
# pairs 192.168.1.0/24 with 10.254.0.0/16, so a 192.168.1.x host has no
# IPsec policy at all towards 10.254.0.0/16.
# NOTE(review): the post says the only local subnet is 192.168.1.0/24;
# confirm that hosts with 10.48.x.x addresses actually exist behind this
# firewall, or that 192.168.1.0/24 is translated into 10.48.0.0/16
# before the IPsec policy is applied -- otherwise nothing matches here.
conn tunnelipsec5
        type=tunnel
        left=220.247.213.202
        leftsubnet=10.48.0.0/16
        right=196.4.52.10
        rightsubnet=10.254.0.0/16
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

I have added the iptables rules below as well.


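# nat/POSTROUTING is evaluated top to bottom and -A appends, so these
# ACCEPT rules must stay ahead of the SNAT rules below: traffic bound for
# one of the remote tunnel subnets leaves the chain untranslated and keeps
# its private source address, which is what the IPsec policies match on.
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT

# Everything else leaving the LAN is source-NATed to the public address.
# NOTE(review): IPTABLES is not defined anywhere in this excerpt; it
# presumably names the iptables binary in the full script (the five rules
# above call it directly) -- confirm, or call 'iptables' in all seven rules.
# The two SNAT commands were wrapped onto two lines in the post; the
# trailing '\' joins each back into a single command so it actually runs.
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT \
  --to-source 220.247.213.202
# NOTE(review): this rule only matches packets that already carry a
# 10.48.0.0/16 source. The post says the only local subnet is
# 192.168.1.0/24, so unless hosts exist in 10.48.0.0/16, or 192.168.1.0/24
# is mapped into that range before IPsec (e.g. a NETMAP rule ahead of the
# tunnel), no packet ever matches this rule or conn tunnelipsec5 -- verify.
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT \
  --to-source 220.247.213.202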

We can access the first 4 subnets of the other side with the 192.168.1.0/24 IP
range. But we cannot access the last subnet of the other side with
10.48.0.0/16?

Could you please explain why?



-- 
Thank you
Indunil Jayasooriya

