[Openswan Users] didn't see route after ipsec established
Paul Wouters
paul at xelerance.com
Tue Apr 21 10:05:46 EDT 2009
On Tue, 21 Apr 2009, tang huu trong wrote:
> private2 ---- vpn2 ----------internet---------- vpn1 --------- private1
>
> private 2 : 172.16.2.0 /24
> private 1: 172.16.1.0 / 24
> vpn2 server: private interface: 172.16.2.1 ; public interface: 210.245.125.41
> vpn1 server: private interface: 172.16.1.1 ; public interface: 210.245.125.181
> 004 "net-to-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x98e7bb68 <0xd0adaf54
> xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> BUT: I can't ping the private network behind the VPN server from either site (iptables stopped, and the 2 VPN servers
> are not behind a firewall).
what does 'ipsec verify' say?
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 0.0.0.0 210.245.125.1 0.0.0.0 UG 0 0 0 eth0
>
> it doesn't have a route line to the other private site; it should have 1 more line:
> 172.16.1.0 210.245.125.181 255.255.255.0 UG 0 0 0 eth0
So your other ipsec gateway is not reachable via the default gw, but needs a
specific one. leftnexthop= should indeed fix that.
> conn net-to-net
> left=210.245.125.41
> leftsubnet=172.16.2.0/24
> leftid=@210.245.125.41
> leftrsasigkey=.................
> leftnexthop=210.245.125.181
> right=210.245.125.181
> rightsubnet=172.16.1.0/24
> rightid=@210.245.125.181
> rightrsasigkey=...........
> rightnexthop=210.245.125.41
> auto=start
ahh, but these are local machines!
You have:
subnet1 --gateway --gateway----subnet2
Try using type=%direct
If this is a test setup, you should add a "real" hop between the gateways
to simulate a real internet hop. In your case, the gateways need to arp,
not route.
Paul
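As an added illustration (not from this thread or from Openswan itself), a Python helper that parses the `route -n` layout quoted above and derives, by longest-prefix match as the kernel does, whether a peer gateway is on-link (reached by ARP, nexthop %direct) or reached via a gateway, then checks a conn's configured nexthop= against that. The embedded route table is constructed: the original post showed only the 169.254 and default lines, so the eth0/eth1 connected routes are assumed. ipsec.conf(5) documents %direct as the nexthop value that automatic keying fills in with the peer's own address.

```python
import ipaddress

# Constructed sample in the `route -n` layout quoted above (Destination Gateway
# Genmask Flags Metric Ref Use Iface). The post showed only the 169.254 and
# default lines; the eth0/eth1 connected routes are assumed, with both VPN
# gateways sitting on one public /24 as the reply concludes.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
210.245.125.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         210.245.125.1   0.0.0.0         UG    0      0        0 eth0
"""


def parse_routes(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # header line
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes


def nexthop_for(peer, routes):
    """Longest-prefix match, as the kernel does: ('%direct', iface) when the
    peer is on-link (ARP, no gateway), (gateway, iface) when routed, else None."""
    addr = ipaddress.ip_address(peer)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return ("%direct" if gw == "0.0.0.0" else gw), iface


def audit_nexthop(configured, peer, routes):
    """Return (expected_hop, iface, matches) for a conn's nexthop= value.
    Openswan fills %direct in with the peer address, so naming the peer counts."""
    expected = nexthop_for(peer, routes)
    if expected is None:
        return None, None, False
    hop, iface = expected
    return hop, iface, configured == hop or (hop == "%direct" and configured == peer)
```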