[Openswan Users] 2 ip ranges in our end with OpenSwan
Peter McGill
petermcgill at goco.net
Tue Sep 2 10:04:26 EDT 2008
Indunil,
Openswan does not NAT addresses; you cannot have a working conn
with 10.48.0.0/16 on your side when your addresses are 192.168.1.0/24.
You must use 192.168.1.0/24, which matches your LAN, unless you're saying
that you've added a second LAN using 10.48.0.0/16. The output of
ifconfig would help clarify your situation.
And please turn these off, they produce a mountain of useless logs:
#klipsdebug=none
#plutodebug=none
Peter
Indunil Jayasooriya wrote:
> Hi,
>
> I am running Openswan on CentOS 5 firewall. On my side, I have only
> one subnet, that is 192.168.1.0/24. On the other side there are 4
> subnets. We can connect to each other. It works fine.
>
> Now, the other side has added another subnet. They asked us to use a
> different IP range to access it. They have given 10.48.0.0/16 to use
> as the other IP range for our side.
>
> But the new IP range still can't access the other side.
>
> Please see my ipsec.conf file.
>
> [root at firewall ~]# cat /etc/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     interfaces=%defaultroute
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=all
>     plutodebug=all
>     nat_traversal=yes
>
> conn tunnelipsec1
>     type=tunnel
>     left=220.247.213.202
>     leftsubnet=192.168.1.0/24
>     right=196.4.52.10
>     rightsubnet=196.4.49.0/24
>     esp=3des
>     authby=secret
>     keyexchange=ike
>     pfs=no
>     auto=start
>
> conn tunnelipsec2
>     type=tunnel
>     left=220.247.213.202
>     leftsubnet=192.168.1.0/24
>     right=196.4.52.10
>     rightsubnet=196.4.51.0/24
>     esp=3des
>     authby=secret
>     keyexchange=ike
>     pfs=no
>     auto=start
>
> conn tunnelipsec3
>     type=tunnel
>     left=220.247.213.202
>     leftsubnet=192.168.1.0/24
>     right=196.4.52.10
>     rightsubnet=10.10.99.0/24
>     esp=3des
>     authby=secret
>     keyexchange=ike
>     pfs=no
>     auto=start
>
> conn tunnelipsec4
>     type=tunnel
>     left=220.247.213.202
>     leftsubnet=192.168.1.0/24
>     right=196.4.52.10
>     rightsubnet=10.10.250.0/24
>     esp=3des
>     authby=secret
>     keyexchange=ike
>     pfs=no
>     auto=start
>
> conn tunnelipsec5
>     type=tunnel
>     left=220.247.213.202
>     leftsubnet=10.48.0.0/16
>     right=196.4.52.10
>     rightsubnet=10.254.0.0/16
>     esp=3des
>     authby=secret
>     keyexchange=ike
>     pfs=no
>     auto=start
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> I have added the below iptables rules as well.
>
> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT
>
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 220.247.213.202
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 220.247.213.202
>
> We can access the first 4 subnets of the other side with the 192.168.1.0/24 IP
> range. But we cannot access the last subnet of the other side with
> 10.48.0.0/16.
>
> Could you please explain why?
>
>
>
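The two problems Peter points at, a leftsubnet that no local interface actually carries and debug flags left at "all", are both mechanical to check. The script below is an added example written for this thread, not code from Openswan or from either poster: it parses a trimmed copy of the ipsec.conf shown above and a constructed sample of `ip -4 -o addr` output (interface names eth0/eth1 and the 220.247.213.202/29 prefix are assumed placeholders), then reports every conn whose leftsubnet overlaps no directly connected network, and every debug setting that is not `none`.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the ipsec.conf shape from the thread,
# keeping only the fields this check reads.
SAMPLE_IPSEC_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    nat_traversal=yes

conn tunnelipsec1
    type=tunnel
    left=220.247.213.202
    leftsubnet=192.168.1.0/24
    right=196.4.52.10
    rightsubnet=196.4.49.0/24

conn tunnelipsec5
    type=tunnel
    left=220.247.213.202
    leftsubnet=10.48.0.0/16
    right=196.4.52.10
    rightsubnet=10.254.0.0/16
"""

# Constructed sample of `ip -4 -o addr` output for a firewall whose only LAN
# is 192.168.1.0/24. Interface names and the /29 WAN prefix are assumptions.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 220.247.213.202/29 brd 220.247.213.207 scope global eth1
"""


def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' sections to their key=value options.

    Comments and blank lines are dropped; 'version' and 'include' lines are
    ignored because they carry no '='.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^(config|conn)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def local_networks(ip_addr_output):
    """Return the non-loopback networks directly attached to this host."""
    nets = []
    for line in ip_addr_output.splitlines():
        found = re.search(r"\binet\s+(\S+/\d+)", line)
        if found:
            iface = ipaddress.ip_interface(found.group(1))
            if not iface.ip.is_loopback:
                nets.append(iface.network)
    return nets


def check_leftsubnets(sections, nets):
    """Flag conns whose leftsubnet touches none of the attached networks.

    Overlap (not equality) is used so a leftsubnet that is a supernet of
    several attached LANs, or a slice of one, still passes.
    """
    problems = []
    for name, opts in sections.items():
        if not name.startswith("conn ") or "leftsubnet" not in opts:
            continue
        subnet = ipaddress.ip_network(opts["leftsubnet"], strict=False)
        if not any(subnet.overlaps(net) for net in nets):
            problems.append((name[len("conn "):], str(subnet)))
    return problems


def check_debug_flags(sections):
    """Return the debug settings in 'config setup' that are not 'none'."""
    setup = sections.get("config setup", {})
    return [k for k in ("klipsdebug", "plutodebug") if setup.get(k, "none") != "none"]


def audit(conf_text, ip_addr_output):
    sections = parse_ipsec_conf(conf_text)
    return {
        "unroutable_leftsubnets": check_leftsubnets(sections, local_networks(ip_addr_output)),
        "noisy_debug": check_debug_flags(sections),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_IPSEC_CONF, SAMPLE_IP_ADDR)
    for conn, subnet in report["unroutable_leftsubnets"]:
        print(f"{conn}: leftsubnet {subnet} matches no local interface network")
    for flag in report["noisy_debug"]:
        print(f"config setup: {flag} is not 'none'; expect very large logs")
```

On the sample above the script singles out tunnelipsec5 (10.48.0.0/16 is on no interface, exactly Peter's objection) and both debug flags. On a real firewall, feed it `cat /etc/ipsec.conf` and `ip -4 -o addr` instead of the embedded samples; a conn it reports will never carry traffic because the kernel has no route that puts packets with a source in that leftsubnet into the tunnel.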