[Openswan Users] Destination Host Unreachable.
Peter McGill
petermcgill at goco.net
Fri Sep 26 09:22:40 EDT 2008
Igor,
Yes, if you don't want internet traffic but only a second private subnet, then just add:
conn net2
    leftsubnet=192.168.0.0/16
    also=base
Peter
Igor Widlinski wrote:
> Hey Peter,
>
> Thanks for the answer.
> I wonder if we have a 192.168.x.x network behind 10.10.10.x and I set up
> another connection that has leftsubnet=192.168.0.0/16
> it should let the client through to 192.168.0.0?
>
> Thanks!
>
> Igor Widlinski
>
> Peter McGill wrote:
>> Igor,
>>
>> You cannot "route" traffic through IPSec tunnels.
>> Only traffic in the tunnel subnets can use the tunnel.
>> So to "route" anything/everything through the tunnel,
>> you logically need to specify leftsubnet=0.0.0.0/0
>>
>> Peter McGill
>> IT Systems Analyst
>> Gra Ham Energy Limited
>>
>>
>>> -----Original Message-----
>>> From: users-bounces at openswan.org
>>> [mailto:users-bounces at openswan.org] On Behalf Of Igor Widlinski
>>> Sent: September 25, 2008 4:31 PM
>>> To: users at openswan.org
>>> Subject: [Openswan Users] Destination Host Unreachable.
>>>
>>> Hey guys,
>>>
>>> I am having issues with routing. Basically I'm receiving Destination Host
>>> Unreachable from the client when I try to ping networks that are not
>>> specified in leftsubnet, i.e. the external internet (google.ca etc.).
>>> Basic setup of the network is as follows:
>>>
>>> 10.10.10.0/24===10.1.1.2...10.1.1.3;
>>>
>>> Logical Setup:
>>> Internet..InternalNet...Nat...OpenSwanServer...Client
>>>
>>> Ips:
>>> Client 10.1.1.3
>>> SwanServer: 10.1.1.2
>>> Nat -> 10.1.1.2 to 10.10.10.120
>>> InternalNet 10.10.10.0/24
>>> Internet ??
>>>
>>> Basically I can ping all hosts on 10.10.10.x from the client, so this is
>>> fine. I'd like the client to be able to access the internet through the
>>> OpenSwan server, or any other networks that are connected to our
>>> internal network.
>>>
>>> .conf file:
>>>
>>> conn net1
>>>     leftsubnet=10.10.10.0/24
>>>     also=base
>>>
>>> conn base
>>>     authby=secret
>>>     ike=3des-md5
>>>     esp=3des-md5
>>>     pfs=yes
>>>     left=10.1.1.2
>>>     right=10.1.1.3
>>>     auto=add
>>>
>>>
>>> iptables -L
>>>
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>> RULE_0 all -- anywhere anywhere state NEW
>>>
>>> Chain FORWARD (policy DROP)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>> RULE_0 all -- anywhere anywhere state NEW
>>>
>>> Chain OUTPUT (policy DROP)
>>> target prot opt source destination
>>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>> RULE_0 all -- anywhere anywhere state NEW
>>>
>>> Chain RULE_0 (3 references)
>>> target prot opt source destination
>>> LOG all -- anywhere anywhere LOG level info prefix `RULE 0 -- ACCEPT '
>>> ACCEPT all -- anywhere anywhere
>>>
>>>
>>> When pinging google.com from client I receive:
>>>
>>> From xxx (10.1.1.3) icmp_seq=xxx Destination Host Unreachable
>>>
>>> I know I am missing something in the configuration, but I have no idea
>>> what it could be. Any help would be appreciated.
>>>
>>>
>>> Thanks!
>>>
>>>
>>> Igor Widlinski
>>>
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>
>>
>
>
> --
> Igor Widlinski
> Systems Administrator
> Eigen Development Ltd.
> #300 - 1807 West 10th Avenue
> Vancouver BC, V6J 2A9
>
> t. 604.736.1066
> f. 604.736.5669
> e. igor.widlinski at eigendev.com
>
> *************************************************
>
> ATTENTION
> The information in this e-mail and in any attachments is confidential and intended solely for the attention and use of the named addressee(s). It must not be disclosed to any person without our authority. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorized to and must not disclose, copy, distribute, or retain this message or any part of it.
>
> *************************************************
>
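As an added illustration (not code from this thread or from the Openswan project), the following Python script parses the kind of ipsec.conf shown above, resolves `also=` inheritance, and reports which conn's leftsubnet covers a given destination. A destination covered by no leftsubnet is exactly the situation behind the "Destination Host Unreachable" reply, and the script also shows how Peter's suggested second conn, or a catch-all `leftsubnet=0.0.0.0/0`, changes the answer. The embedded config is constructed from Igor's `net1`/`base` plus Peter's suggested `net2`; the address 8.8.8.8 stands in for any public host, and the function names are this example's own.

```python
"""Which Openswan conn (if any) carries traffic to a destination?

Hypothetical helper, not part of the thread or of Openswan: it handles only
the subset of ipsec.conf syntax used in the thread ("conn NAME" headers
followed by indented key=value lines, plus "also=" inheritance).
"""
import ipaddress
import re

# Constructed sample config: Igor's net1/base plus Peter's suggested net2.
SAMPLE_CONF = """\
conn net1
    leftsubnet=10.10.10.0/24
    also=base

conn net2
    leftsubnet=192.168.0.0/16
    also=base

conn base
    authby=secret
    ike=3des-md5
    esp=3des-md5
    pfs=yes
    left=10.1.1.2
    right=10.1.1.3
    auto=add
"""

# Peter's earlier point: to send everything through the tunnel, the subnet
# must be 0.0.0.0/0. Appended to the sample when we want to test that case.
CATCH_ALL_CONN = """
conn all
    leftsubnet=0.0.0.0/0
    also=base
"""


def parse_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns, name, _seen=frozenset()):
    """Merge a conn with the sections named in its 'also=' (depth-first).

    Values set directly on the conn win over inherited ones; that is how
    'conn net1 ... also=base' picks up base's authby/left/right/auto.
    """
    if name in _seen:
        raise ValueError("also= loop at conn %s" % name)
    seen = _seen | {name}
    own = dict(conns[name])
    merged = {}
    for parent in own.pop("also", "").split():  # 'also' may list several names
        merged.update(resolve(conns, parent, seen))
    merged.update(own)
    return merged


def tunnel_subnets(conns):
    """Return {conn_name: ip_network(leftsubnet)} for conns that define one.

    Template sections such as 'base' carry no leftsubnet of their own and
    are therefore not tunnels in this view.
    """
    result = {}
    for name in conns:
        cfg = resolve(conns, name)
        if "leftsubnet" in cfg:
            result[name] = ipaddress.ip_network(cfg["leftsubnet"], strict=False)
    return result


def tunnel_for(conns, dst):
    """Name of the most specific conn whose leftsubnet covers dst, else None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, net in tunnel_subnets(conns).items():
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def explain(conns, dst):
    """One-line diagnosis for a destination, in the terms of the thread."""
    name = tunnel_for(conns, dst)
    if name:
        return "%s -> carried by conn %s" % (dst, name)
    return "%s -> no leftsubnet covers it; expect Destination Host Unreachable" % dst


if __name__ == "__main__":
    conns = parse_conf(SAMPLE_CONF)
    for dst in ("10.10.10.120", "192.168.1.7", "8.8.8.8"):
        print(explain(conns, dst))
    conns_all = parse_conf(SAMPLE_CONF + CATCH_ALL_CONN)
    print(explain(conns_all, "8.8.8.8"))
```

With only `net1` and `net2` defined, the internal and 192.168.x.x destinations are matched and the public address is not, which is the unreachable case from the original message; adding the 0.0.0.0/0 conn makes the public address match while the more specific conns still win for their own subnets.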