[Openswan Users] Gateways cannot access opposite networks - Openswan NETKEY

Ryan Davies ryan at professional.geek.nz
Fri Aug 6 09:20:50 EDT 2010


  That did it. Thanks Nick!

Regards,
Ryan Davies


On 7/08/10 12:37 AM, Nick Howitt wrote:
> Hi Ryan,
>
> You need lines with the left/rightsourceip in your conf:
> leftsourceip=192.168.1.1
> rightsourceip=192.168.0.1
>
> BTW for future flexibility I'd keep away from the 192.168.0.0/24 and 
> 192.168.1.0/24 subnets as they are used by too many domestic routers.
>
> Nick
>
> On 06/08/2010 08:08, Ryan Davies wrote:
>> Hi All,
>>
>> My partner's father and I have set up a VPN so we can access each 
>> other's internal networks.
>>
>> Our topology is as follows (example):
>>
>>    Client A      ->      Server A     <->     Server B      <-      Client B
>>  192.168.1.6          192.168.1.1           192.168.0.1          192.168.0.6
>>
>> On each server:
>>   eth0: External IP
>>   eth1: Internal IP
>>
>> Client A can ping and access Server B and Client B
>> Client B can ping and access Server A and Client A
>>
>> Server A cannot ping or access Server B and Client B
>> Server B cannot ping or access Server A and Client A
>>
>> Firewall on Server A is set to fully allow Server B's public IP
>> Firewall on Server B is set to fully allow Server A's public IP
>>
>> We are using NETKEY with PSK
>>
>> Here is my ipsec.conf (with public IPs removed):
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>
>> version    2.0    # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>     nat_traversal=yes
>>     oe=off
>>     protostack=netkey
>>     plutostderrlog=/tmp/pluto.log
>>
>> conn Tunnel-to-Millers
>>     type=tunnel
>>     auth=esp
>>     authby=secret
>>     left=a.b.c.d          # Server A's public IP
>>     leftsubnet=192.168.1.0/24
>>     right=w.x.y.z         # Server B's public IP
>>     rightsubnet=192.168.0.0/24
>>     esp=3des-md5
>>     rekey=yes
>>     keyingtries=3
>>     keyexchange=ike
>>     auto=start
>>
>> I'm not sure if it's routing or masquerading or what; when running a 
>> traceroute to 192.168.0.6 from Server A, the requests go out through 
>> Server A's public IP.
>> root@Nelson:~# ping 192.168.0.6
>> PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
>> ^C
>> --- 192.168.0.6 ping statistics ---
>> 6 packets transmitted, 0 received, 100% packet loss, time 5039ms
>>
>> If I ping forcing interface eth1 (internal), they go through:
>> root@Nelson:~# ping -Ieth1 192.168.0.6
>> PING 192.168.0.6 (192.168.0.6) from 192.168.1.1 eth1: 56(84) bytes of data.
>> 64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=34.2 ms
>> 64 bytes from 192.168.0.6: icmp_seq=2 ttl=63 time=18.7 ms
>> 64 bytes from 192.168.0.6: icmp_seq=3 ttl=63 time=16.7 ms
>> 64 bytes from 192.168.0.6: icmp_seq=4 ttl=63 time=20.0 ms
>> ^C
>> --- 192.168.0.6 ping statistics ---
>> 4 packets transmitted, 4 received, 0% packet loss, time 3003ms
>> rtt min/avg/max/mdev = 16.716/22.457/34.252/6.916 ms
>>
>> Server A runs a DNS server which needs to pass requests for one of 
>> our domains to a DNS server on the 192.168.0.0 network.
>>
>> Any help would be appreciated
>> -- 
>> Regards,
>> Ryan Davies
>>
>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Micropayments:https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
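To see why Nick's fix works, here is an added Python sketch (not from the thread or from Openswan) that models the IPsec policy selector Openswan installs from a conn block: the kernel only encrypts a packet whose source falls inside leftsubnet, so a gateway that sources its own traffic from eth0 sends it in the clear, while leftsourceip makes the route to the remote subnet carry that internal source address. The public addresses and the `ip route get` line are constructed placeholders, and parse_conn/selector_matches/with_sourceip are names chosen here.

```python
import ipaddress
import re

# Constructed sample: Ryan's conn block with TEST-NET placeholder public addresses.
SAMPLE_CONN = """conn Tunnel-to-Millers
    type = tunnel
    authby=secret
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    right=198.51.100.20
    rightsubnet=192.168.0.0/24
    auto=start
"""

# Constructed sample of `ip route get 192.168.0.6` on Server A before the fix:
# no kernel route covers 192.168.0.0/24, so the default route via eth0 wins and
# the kernel picks the external address as the packet's source.
ROUTE_GET_BEFORE = "192.168.0.6 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 0"

def parse_conn(text):
    """Parse one ipsec.conf conn block into a dict (tolerates spaces around '=')."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conn[key] = value
    return conn

def route_src(route_get_output):
    """Return the source address the kernel chose, taken from `ip route get` output."""
    m = re.search(r"\bsrc (\S+)", route_get_output)
    return m.group(1) if m else None

def selector_matches(conn, src, dst, side="left"):
    """True if a packet src->dst falls inside the conn's policy selector for `side`."""
    other = "right" if side == "left" else "left"
    local = ipaddress.ip_network(conn[side + "subnet"])
    remote = ipaddress.ip_network(conn[other + "subnet"])
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote

def with_sourceip(conn, left_ip, right_ip):
    """Apply Nick's fix. Each sourceip must lie inside its own subnet, because the
    _updown script installs the route to the remote subnet with 'src <sourceip>'."""
    fixed = dict(conn)
    for side, ip in (("left", left_ip), ("right", right_ip)):
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(fixed[side + "subnet"]):
            raise ValueError(f"{side}sourceip {ip} is outside {side}subnet")
        fixed[side + "sourceip"] = ip
    return fixed
```

Without the fix, selector_matches(conn, route_src(ROUTE_GET_BEFORE), "192.168.0.6") is False, which is exactly the failing plain ping, while the same check with "192.168.1.1" (the `-Ieth1` case, or the address leftsourceip installs) is True.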