[Openswan Users] Gateways cannot access opposite networks - Openswan NETKEY

Ryan Davies ryan at professional.geek.nz
Fri Aug 6 03:08:36 EDT 2010


Hi All,

My partner's father and I have set up a VPN so we can access each 
other's internal networks.

Our topology is as follows (example):

    Client A     ->    Server A    <->    Server B    <-    Client B
    192.168.1.6        192.168.1.1        192.168.0.1       192.168.0.6

    eth0: External IP
    eth1: Internal IP

Client A can ping and access Server B and Client B
Client B can ping and access Server A and Client A

Server A cannot ping or access Server B and Client B
Server B cannot ping or access Server A and Client A

Firewall on Server A is set to fully allow Server B's public IP
Firewall on Server B is set to fully allow Server A's public IP

We are using NETKEY with PSK.

Here is my ipsec.conf (with public IPs removed):
# /etc/ipsec.conf - Openswan IPsec configuration file

version    2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
     nat_traversal=yes
     oe=off
     protostack=netkey
     plutostderrlog=/tmp/pluto.log

conn Tunnel-to-Millers
     type=tunnel
     auth=esp
     authby=secret
     left=a.b.c.d                  # Server A's public IP
     leftsubnet=192.168.1.0/24
     right=w.x.y.z                 # Server B's public IP
     rightsubnet=192.168.0.0/24
     esp=3des-md5
     rekey=yes
     keyingtries=3
     keyexchange=ike
     auto=start

I'm not sure if it's routing or masquerading or what; when running a 
traceroute to 192.168.0.6 from Server A, the requests go out through 
Server A's public IP:
root at Nelson:~# ping 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
^C
--- 192.168.0.6 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5039ms

If I ping forcing interface eth1 (internal), they go through:
root at Nelson:~# ping -Ieth1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) from 192.168.1.1 eth1: 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=34.2 ms
64 bytes from 192.168.0.6: icmp_seq=2 ttl=63 time=18.7 ms
64 bytes from 192.168.0.6: icmp_seq=3 ttl=63 time=16.7 ms
64 bytes from 192.168.0.6: icmp_seq=4 ttl=63 time=20.0 ms
^C
--- 192.168.0.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 16.716/22.457/34.252/6.916 ms

Server A runs a DNS server which needs to pass requests for one of our 
domains to a DNS server on the 192.168.0.0 network.

Any help would be appreciated.

-- 
Regards,
Ryan Davies
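The two pings above differ in the source address the kernel picks: NETKEY only encrypts a packet whose source and destination both fall inside the conn's leftsubnet/rightsubnet selector, so traffic the gateway sources from its public address bypasses the policy and leaves in cleartext. The following check is an added example, not part of the original post; it parses constructed `ip route get` output (203.0.113.10 is a documentation address standing in for the redacted a.b.c.d) and reports whether Server A's own traffic would be covered.

```python
"""Check whether a gateway's own traffic to the remote subnet matches the
NETKEY (xfrm) policy installed by the post's conn:
    src 192.168.1.0/24 -> dst 192.168.0.0/24
Only packets matching both sides of the selector are encrypted; anything
else follows the default route unprotected."""
import re
from ipaddress import ip_address, ip_network
from typing import Optional

LEFTSUBNET = ip_network("192.168.1.0/24")   # leftsubnet from the post
RIGHTSUBNET = ip_network("192.168.0.0/24")  # rightsubnet from the post

# Constructed `ip -4 route get 192.168.0.6` output as seen on Server A.
# Default-route lookup: the kernel selects the public (eth0) address.
ROUTE_GET_DEFAULT = (
    "192.168.0.6 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 0\n    cache\n")
# Same lookup once a route to rightsubnet carries src 192.168.1.1, which is
# what Openswan's leftsourceip=192.168.1.1 installs.
ROUTE_GET_WITH_SRC = (
    "192.168.0.6 via 203.0.113.1 dev eth0 src 192.168.1.1 uid 0\n    cache\n")


def source_from_route_get(output: str) -> Optional[str]:
    """Extract the source address the kernel chose from `ip route get`."""
    m = re.search(r"\bsrc (\d+\.\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def policy_matches(src: str, dst: str) -> bool:
    """Mirror the xfrm selector: both ends must lie inside the conn's subnets."""
    return ip_address(src) in LEFTSUBNET and ip_address(dst) in RIGHTSUBNET


def diagnose(route_get_output: str, dst: str) -> str:
    """Explain, for one destination, whether the gateway's traffic is protected."""
    src = source_from_route_get(route_get_output)
    if src is None:
        return "no source address found"
    if policy_matches(src, dst):
        return f"{src} -> {dst}: covered by IPsec policy, will be encrypted"
    return (f"{src} -> {dst}: source outside leftsubnet {LEFTSUBNET}, "
            "leaves in cleartext via the default route")


if __name__ == "__main__":
    print(diagnose(ROUTE_GET_DEFAULT, "192.168.0.6"))   # plain ping
    print(diagnose(ROUTE_GET_WITH_SRC, "192.168.0.6"))  # ping -I eth1 / leftsourceip
```

Running `ip route get 192.168.0.6` on the real Server A gives the live version of this check; `leftsourceip=192.168.1.1` in the conn makes the gateway pick its internal address for that destination without needing `-I eth1`.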
