[Openswan Users] Routing Lans between 2 Machines.
Martin Rheumer
martinr at benon.com
Tue May 12 02:52:03 EDT 2009
I have what I thought was a simple setup and can't seem to get it to work.
LAN 192.168.12.0/24 eth1 - WAN 192.168.1.100 eth0 - Internet - WAN 192.168.2.100 eth0 - LAN 192.168.11.0/24 eth1
2 x CentOS 5.3 machines running openswan-2.6.14-1.el5_3.2
2 x Ethernets in each machine.
Machine A
Eth0 - 192.168.1.100 gw 192.168.1.1
Eth1 - 192.168.12.1
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    # nat_traversal=yes
include /etc/ipsec.d/*.conf
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
[root at mnl ipsec.d]# pwd
/etc/ipsec.d
[root at mnl ipsec.d]# cat nettonet.conf
conn nettonet
    left=192.168.1.100
    leftsubnet=192.168.12.0/24
    leftsourceip=192.168.1.100
    leftrsasigkey=0sAQOJFzuVWWmUGZfXH8scYk7qoht8OHHKc8wcmG8UW77tVF/9leoUnyEQjpPDXqtu2p/od9JmU0ouuLadBwRENYNWPh9cmQQTKfPxaBTC/p8yyKUbg5q71NrflBMRsfKlbq7CTEykEwUo/Udby3zST1TGtVZjDRxnINVQMVfSaPFNNbmK7opz+eYky86jkUmrejfCA8YNbHNa9fRs5WKKJG/mRsqOov5dhx3HS+UMqwiASFXYI+fLVxBqCpbMl6ugBa/MEPYr+nJQ7qeESa+MZidV+ffgU7l/YzSMevtrwVBF3p5Gkk3eZ06upNN3kf/fHxnNFpnQyHxxOZUAB35D7k4j
    leftnexthop=192.168.1.1
    right=192.168.2.100
    rightsubnet=192.168.11.0/24
    rightsourceip=192.168.2.100
    rightrsasigkey=0sAQOo6HTZbwP0wl5/PX+UHD7mflBfmIwAq23vBOs3CYXJebTLcqp0+V2EYMkckpkNQzEPHcKYoL/gZhHr+8+dVSbK8G90FgNIr+F3AED+TKawSd4Ubf/He2++hvR/Bi1QB+8NUOhai9pgDWaZcfXu7+/aiKL0PNpgBloxISf0bS/d164MTQ3ZnncQfpHd/vrITDGuL6GVkqO9jDgONd1ZPAEh9SMPJImcy5dVICfixDO1A7J+3DRb8kHE2vApjgaTVCYWxgIxk+4imCI11JgfBuGf4obBwz1YgB0K9Ol9ZSSFZ4PdGMbM5UGerMadvkYi/96UeqPrOo9J02rz4o0BnI8KhpDHyHYalnduFKgCrYTRPFyr
    rightnexthop=192.168.2.1
    auto=start
Machine B
Eth0 - 192.168.2.100 gw 192.168.2.1
Eth1 - 192.168.11.1
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    # nat_traversal=yes
include /etc/ipsec.d/*.conf
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
[root at mnl ipsec.d]# pwd
/etc/ipsec.d
[root at mnl ipsec.d]# cat nettonet.conf
conn nettonet
    left=192.168.1.100
    leftsubnet=192.168.12.0/24
    leftsourceip=192.168.1.100
    leftrsasigkey=0sAQOJFzuVWWmUGZfXH8scYk7qoht8OHHKc8wcmG8UW77tVF/9leoUnyEQjpPDXqtu2p/od9JmU0ouuLadBwRENYNWPh9cmQQTKfPxaBTC/p8yyKUbg5q71NrflBMRsfKlbq7CTEykEwUo/Udby3zST1TGtVZjDRxnINVQMVfSaPFNNbmK7opz+eYky86jkUmrejfCA8YNbHNa9fRs5WKKJG/mRsqOov5dhx3HS+UMqwiASFXYI+fLVxBqCpbMl6ugBa/MEPYr+nJQ7qeESa+MZidV+ffgU7l/YzSMevtrwVBF3p5Gkk3eZ06upNN3kf/fHxnNFpnQyHxxOZUAB35D7k4j
    leftnexthop=192.168.1.1
    right=192.168.2.100
    rightsubnet=192.168.11.0/24
    rightsourceip=192.168.2.100
    rightrsasigkey=0sAQOo6HTZbwP0wl5/PX+UHD7mflBfmIwAq23vBOs3CYXJebTLcqp0+V2EYMkckpkNQzEPHcKYoL/gZhHr+8+dVSbK8G90FgNIr+F3AED+TKawSd4Ubf/He2++hvR/Bi1QB+8NUOhai9pgDWaZcfXu7+/aiKL0PNpgBloxISf0bS/d164MTQ3ZnncQfpHd/vrITDGuL6GVkqO9jDgONd1ZPAEh9SMPJImcy5dVICfixDO1A7J+3DRb8kHE2vApjgaTVCYWxgIxk+4imCI11JgfBuGf4obBwz1YgB0K9Ol9ZSSFZ4PdGMbM5UGerMadvkYi/96UeqPrOo9J02rz4o0BnI8KhpDHyHYalnduFKgCrYTRPFyr
    rightnexthop=192.168.2.1
    auto=start
They are connected via a 3rd machine with 2 network cards:
Eth0 192.168.1.1
Eth1 192.168.2.1
The connection gets established all OK.
117 "nettonet" #4: STATE_QUICK_I1: initiate
004 "nettonet" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x35f19368 <0x4229fbff xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
But I get no routing or ability to traceroute etc.
Can someone see something obvious, or is there a trick on CentOS 5.3 that I haven't found yet?
Thanks
Martin
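As an added example (not part of Martin's post or of Openswan), a small Python checker that parses a net-to-net conn in ipsec.conf syntax and flags the two mismatches that most often leave an established SA with no usable routing: a sourceip outside its own subnet (per Openswan's documented semantics, leftsourceip is the address the gateway itself uses towards the far side, so it must lie inside leftsubnet for the gateway's own ping/traceroute to match the tunnel policy) and overlapping subnets. The sample conn is the one from the post with the RSA key values replaced by constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: the nettonet conn from the post, RSA key values replaced
# by placeholders (the checks below do not look at them).
SAMPLE_CONF = """\
conn nettonet
    left=192.168.1.100
    leftsubnet=192.168.12.0/24
    leftsourceip=192.168.1.100
    leftrsasigkey=0sPLACEHOLDER
    leftnexthop=192.168.1.1
    right=192.168.2.100
    rightsubnet=192.168.11.0/24
    rightsourceip=192.168.2.100
    rightrsasigkey=0sPLACEHOLDER
    rightnexthop=192.168.2.1
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {param: value}} from ipsec.conf-style text.
    Section headers start in column 1; their parameters are indented."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # new section (conn/config)
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_nettonet(conn):
    """Return a list of findings for a net-to-net conn (empty means it looks sane)."""
    findings, nets = [], {}
    for side in ("left", "right"):
        nets[side] = ipaddress.ip_network(conn[side + "subnet"], strict=False)
        src = conn.get(side + "sourceip")
        # sourceip is what the gateway itself sends from towards the far subnet;
        # outside the local subnet it never matches the tunnel's policy.
        if src and ipaddress.ip_address(src) not in nets[side]:
            findings.append(f"{side}sourceip {src} is outside {side}subnet {nets[side]}")
    if nets["left"].overlaps(nets["right"]):
        findings.append("leftsubnet and rightsubnet overlap; nothing can route between them")
    return findings
```

Run it against the real file with `parse_conns(open("/etc/ipsec.d/nettonet.conf").read())`; hosts behind the gateways are unaffected by the sourceip finding, only traffic originated on the gateway itself is.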