[Openswan Users] Destination Host Unreachable.

Peter McGill petermcgill at goco.net
Thu Sep 25 17:10:10 EDT 2008


Igor,

You cannot "route" traffic through IPSec tunnels.
Only traffic in the tunnel subnets can use the tunnel.
So to "route" anything/everything through the tunnel,
you logically need to specify leftsubnet=0.0.0.0/0

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Igor Widlinski
> Sent: September 25, 2008 4:31 PM
> To: users at openswan.org
> Subject: [Openswan Users] Destination Host Unreachable.
> 
> Hey guys,
> 
> I am having issues with routing. Basically I'm receiving Destination Host
> Unreachable from the client when I try to ping networks that are not
> specified in leftsubnet, i.e. the external internet (google.ca etc.). Basic
> setup of the network is as follows:
> 
> 10.10.10.0/24===10.1.1.2...10.1.1.3;
> 
> Logical Setup:
> Internet..InternalNet...Nat...OpenSwanServer...Client
> 
> IPs:
> Client 10.1.1.3
> SwanServer: 10.1.1.2
> Nat -> 10.1.1.2 to 10.10.10.120
> InternalNet 10.10.10.0/24
> Internet ??
> 
> Basically I can ping all hosts on 10.10.10.x from the client, so this is
> fine. I'd like the client to be able to access the internet through the
> OpenSwan server, or any other networks that are connected to our internal
> network.
> 
> .conf file:
> 
> conn net1
> 	leftsubnet=10.10.10.0/24
> 	also=base
> 
> conn base
> 	authby=secret
> 	ike=3des-md5
> 	esp=3des-md5
> 	pfs=yes
> 	left=10.1.1.2
> 	right=10.1.1.3
> 	auto=add
> 
> 
> iptables -L
> 
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state
> RELATED,ESTABLISHED
> RULE_0     all  --  anywhere             anywhere            state NEW
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state
> RELATED,ESTABLISHED
> RULE_0     all  --  anywhere             anywhere            state NEW
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state
> RELATED,ESTABLISHED
> RULE_0     all  --  anywhere             anywhere            state NEW
> 
> Chain RULE_0 (3 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere            LOG level
> info prefix `RULE 0 -- ACCEPT '
> ACCEPT     all  --  anywhere             anywhere
> 
> 
> When pinging google.com from client I receive:
> 
> From xxx (10.1.1.3) icmp_seq=xxx Destination Host Unreachable
> 
> I know I am missing something in the configuration, but I have no idea
> what it could be. Any help would be appreciated.
> 
> 
> Thanks!
> 
> 
> Igor Widlinski
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
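Peter's point is that an IPsec conn only carries packets whose source and destination fall inside its traffic selectors (leftsubnet/rightsubnet, defaulting to the left/right host itself when omitted); anything else hits the ordinary routing table. The script below is an added example, not code from the thread or from Openswan: it parses a constructed ipsec.conf containing Igor's two conn sections plus a hypothetical `conn all` that applies Peter's `leftsubnet=0.0.0.0/0` advice, resolves the `also=base` include (parameters in the including section take precedence, as ipsec.conf(5) specifies), and reports which destinations from the client 10.1.1.3 would actually be tunnelled. The address 203.0.113.10 is a constructed stand-in for an internet host.

```python
import ipaddress

# Constructed sample ipsec.conf: Igor's two conn sections from the post plus a
# hypothetical "conn all" that applies Peter's advice (leftsubnet=0.0.0.0/0).
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn net1
    leftsubnet=10.10.10.0/24
    also=base

conn all
    leftsubnet=0.0.0.0/0
    also=base

conn base
    authby=secret
    ike=3des-md5
    esp=3des-md5
    pfs=yes
    left=10.1.1.2
    right=10.1.1.3
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {param: value}}; also= is collected as a list."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header ("conn <name>" or "config setup"); only conns matter here.
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return conns


def effective_params(conns, name, _seen=()):
    """Resolve also= includes; parameters set in the including section win."""
    if name in _seen:
        raise ValueError("also= loop through %s" % name)
    params = {k: v for k, v in conns[name].items() if k != "also"}
    for included in conns[name].get("also", []):
        for k, v in effective_params(conns, included, _seen + (name,)).items():
            params.setdefault(k, v)
    return params


def selectors(params):
    """Traffic selectors of a conn: left/right subnet, defaulting to the host itself (/32)."""
    left = ipaddress.ip_network(params.get("leftsubnet", params["left"]), strict=False)
    right = ipaddress.ip_network(params.get("rightsubnet", params["right"]), strict=False)
    return left, right


def tunnel_selects(conns, conn, src, dst):
    """True if a src->dst packet matches the conn's selectors in either direction."""
    left, right = selectors(effective_params(conns, conn))
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


def unprotected(conns, conn, src, dsts):
    """Destinations outside the tunnel: these are handed to the plain routing table."""
    return [d for d in dsts if not tunnel_selects(conns, conn, src, d)]


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_CONF)
    client = "10.1.1.3"
    # 203.0.113.10 stands in for an internet host (documentation range, constructed).
    targets = ["10.10.10.120", "10.10.10.1", "203.0.113.10", "10.1.1.2"]
    for name in ("net1", "all"):
        left, right = selectors(effective_params(conns, name))
        print("%s: %s <-> %s" % (name, left, right))
        print("  not tunnelled from %s: %s" % (client, unprotected(conns, name, client, targets)))
```

With `net1` the only tunnelled destinations from the client are 10.10.10.0/24; 203.0.113.10 and even the gateway's own address 10.1.1.2 fall outside the selector, which is exactly the "Destination Host Unreachable" Igor sees for google. With `all` every destination matches, including 10.1.1.2, so on the client the peer's own address is now covered by the policy as well, which is worth keeping in mind when checking `ipsec auto --status` after the change. Two further points the posted output does not settle: `iptables -L` without `-t nat` lists only the filter table, so whether the gateway source-NATs the client's 10.1.1.3 towards the internet is not visible, and forwarding must be permitted (the FORWARD chain shown does accept NEW via RULE_0).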


