[Openswan Users] specifying remote subnets and connecting to individual hosts on a remote vpn
frank.wilson at sidonis.com
Fri May 15 05:27:17 EDT 2009
I'm trying to configure an ipsec tunnel with a remote site.
The remote site will only let me connect to these ips on the
If I specify the remote subnets too wide, the vpn gateway
(a CISCO ASA 5520) will refuse to set up the phase2 connection.
So for instance specifying 10.130.245.0/24 as a right subnet
will cause phase2 to hang before it completes.
So I try 10.130.245.105/30 and 10.120.100.105/30 as in the following
config, but I still have doubts.
left=aa.bb.cc.dd # our public ip
right=ww.xx.yy.zz # remote site vpn gateway (public ip)
This allows phase2 to complete, but I still don't get replies to pings.
So, something must still be wrong. I know that when I ping a remote host
on the vpn (e.g. 10.120.100.105) traffic leaves our network, properly
bound for the remote vpn gateway via our outbound interface.
The problem I feel with the /30 subnets is that perhaps the last address
(107) is reserved for broadcasts? That would mean the third ip is not
addressed. I know that using /29 is too wide since using it also causes
phase2 to fail.
Should I be setting up a connection for each individual vpn host?
That would mean a total of 7 conn entries. Is there a better way to do
that? In particular, is there a way to make all the connections come up
at the same time (without resorting to auto=start)?
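The post's doubt about what a "/30" selector actually covers can be checked with a few lines of the Python standard library. The block below is an added example, not part of the original message or of Openswan: it takes the sample addresses from the post (10.130.245.105/30 and 10.120.100.105/30), shows which network each prefix really denotes once aligned to its boundary, which addresses inside it are usable hosts and which is the broadcast, lists the addresses a selector carries beyond the hosts you actually intend to reach (the ones a strict remote policy can object to), and computes the narrowest set of prefixes that covers a list of hosts with nothing extra. The hosts lists in `main()` are constructed for illustration; the post only names two of its seven.

```python
import ipaddress


def host_block(host: str, prefix: int) -> dict:
    """Describe the network that a 'host/prefix' selector really denotes.

    strict=False aligns the address to the prefix boundary, so
    10.130.245.105/30 resolves to the block 10.130.245.104/30.
    """
    net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    usable = list(net.hosts())  # excludes network and broadcast for /30 and wider
    return {
        "network": str(net),
        "first_host": str(usable[0]),
        "last_host": str(usable[-1]),
        "broadcast": str(net.broadcast_address),
        "contains": ipaddress.ip_address(host) in net,
    }


def extra_addresses(selector: str, intended: list[str]) -> list[str]:
    """Addresses the selector covers that are not among the intended hosts.

    These are the addresses a peer with a narrower policy sees as 'too wide'.
    """
    net = ipaddress.ip_network(selector, strict=False)
    wanted = {ipaddress.ip_address(h) for h in intended}
    return [str(addr) for addr in net if addr not in wanted]


def minimal_cover(hosts: list[str]) -> list[str]:
    """Smallest list of prefixes covering exactly these hosts and nothing else.

    Each host starts as a /32; adjacent, boundary-aligned blocks are merged.
    Hosts that cannot be merged stay as individual /32 selectors.
    """
    singles = [ipaddress.ip_network(f"{h}/32") for h in hosts]
    return [str(net) for net in ipaddress.collapse_addresses(singles)]


def main() -> None:
    # Constructed example: the two hosts named in the post plus a block of
    # four consecutive addresses to show when merging is possible.
    for host in ("10.130.245.105", "10.120.100.105"):
        info = host_block(host, 30)
        print(f"{host}/30 is really {info['network']}: usable "
              f"{info['first_host']}-{info['last_host']}, "
              f"broadcast {info['broadcast']}")
    print("beyond .105 a /30 also carries:",
          extra_addresses("10.130.245.105/30", ["10.130.245.105"]))
    print("exact cover for the two posted hosts:",
          minimal_cover(["10.130.245.105", "10.120.100.105"]))
    print("exact cover for .104-.107:",
          minimal_cover(["10.130.245.104", "10.130.245.105",
                         "10.130.245.106", "10.130.245.107"]))


if __name__ == "__main__":
    main()
```

Run it directly to see the alignment for the two posted selectors; `minimal_cover()` is the useful part when deciding how many conn entries a given set of remote hosts needs, since a host at an odd address cannot share even a /31 with its lower neighbour.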