[Openswan Users] Ping works, from and to Openswan gateway, but not other traffic - may be Cisco problem

Whit Blauvelt whit at transpect.com
Sun Aug 8 12:40:39 EDT 2010 

Hi,

>From Openswan to a Cisco ASA, the subnet-to-subnet traffic has been working
beautifully for months. Now I'm trying to get traffic from the gateway
itself to the remote subnet working. 

There are two tunnels, the subnet-to-subnet and the gateway-to-subnet. The
gateway-to-subnet varies only in its name and in not having a leftsubnet=
line. 

The Cisco side is unusual, in that the VPN subnet is a set of public IPs,
also used as such. That's not under my control. Those IPs have only a few
ports open on the public side; reached by VPN tunnel they're wide open to
us.

Pinging works in every way it should, through the tunnels. Of course subnet
to subnet pings work. If I ping from behind the Cisco to the LAN IP of the
Openswan gateway that also works. If I ping from the Openswan gateway to an
IP behind the Cisco, it shows up on both to iptraf as coming from that LAN
IP - it's not going publicly outside the tunnel.

The problem is if I want to use another protocol from the Gateway to an IP
behind the Cisco. For instance, ssh is blocked at the Cisco for the public
net, but open from our subnet. Ssh works from other systems on our LAN to
systems behind the Cisco, but from the gateway it reports "Connection
Refused," apparently at the Cisco since the attempt is not logged at the
system behind it. So a ping goes through the Cisco, and shows up at systems
behind it with the LAN IP of our gateway (and in turn the gateway can be
pinged from behind the Cisco at its LAN IP), but ssh won't go through.

This may relate to pings also being allowed to systems behind the Cisco from
the public net. The pings clearly go through the tunnel both ways with our
gateway's LAN ip on one end, so ssh should be doing that too. But could the
Cisco be applying firewall rules that are for the public interface to the
tunnel traffic, just when the tunnel traffic is from the gateway's LAN IP?

Whatever it is, is there a way around it either from a change on our end or
a tweak of the Cisco? Or is it just not going to work? The box running
Openswan also happens to be our Nagios server, so without moving that
elsewhere on our LAN this problem is keeping Nagios from monitoring the
systems behind the Cisco.

Thanks,
Whit

More information about the Users mailing list