[Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network
Mike A. Leonetti
mleonetti at evolutionce.com
Tue Feb 16 11:41:38 EST 2010
Paul,
Disabling NAT traversal made it work from all of the workstations
behind the server on the left, but the server itself can't ping. Thanks
for the suggestion.
Paul Wouters wrote:
> On Mon, 15 Feb 2010, Michael Leonetti wrote:
>
>
>> conn sonicwall
>> left=(leftip)
>> leftsubnet=10.1.1.0/24
>> leftid=(leftid)
>> right=(rightip)
>> rightsubnet=10.10.12.0/24
>> rightid=(rightid)
>> keyingtries=0
>> pfs=no
>> aggrmode=yes
>> auto=add
>> auth=esp
>> esp=3des-sha1
>> ike=3des-sha1
>> authby=secret
>> xauth=no
>> keyexchange=ike
>>
>
>
>> fortissimo linux # ipsec auto --up sonicwall
>> 003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.
>> 003 "sonicwall" #5: transform (5,2,2,0) ignored.
>>
>
> This log does not match the config above? It claims you have multiple ike= proposals,
> instead of just one?
>
>
>> When I try to reach anything in the network:
>>
>> fortissimo linux # ping 10.10.12.199
>> PING 10.10.12.199 (10.10.12.199) 56(84) bytes of data.
>> From 130.81.12.202 icmp_seq=6 Destination Net Unreachable
>>
>
> If this is on the server itself, you need to add a leftsourceip= or
> use ping -I to ensure packets match your subnet (and not your public ip)
>
>
>> fortissimo linux # ping 10.10.12.1
>> PING 10.10.12.1 (10.10.12.1) 56(84) bytes of data.
>> 64 bytes from 10.10.12.1: icmp_seq=1 ttl=243 time=21.1 ms
>>
>
> If the remote server is doing NAT and IPsec, you need to exclude NATing
> IPsec packets.
>
> If the remote server is not the default gateway of 10.10.12.199, you might
> need to add some routing to those machines.
>
> Paul
>
>
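The two problems Paul points at in the quoted reply (several ike= proposals under aggrmode=yes, of which Openswan only uses the first, and gateway-originated traffic leaving with the public address instead of an address inside leftsubnet) can both be caught by reading the conn section before bringing the tunnel up. The following is an added example written for this thread, not code from the Openswan project or from either poster: it parses a constructed ipsec.conf fragment (placeholder addresses from the documentation ranges, hypothetical function names parse_conn, check_conn and source_matches_tunnel) and reports those conditions. It goes slightly beyond the thread in also verifying that a leftsourceip=, when present, actually lies inside leftsubnet, since an address outside it would fail the same policy match.

```python
import ipaddress
import re

# Constructed sample conn, modelled on the one in the thread but with
# documentation-range addresses; the second ike= proposal is deliberate
# so that the aggressive-mode warning fires.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn sonicwall
    left=203.0.113.10
    leftsubnet=10.1.1.0/24
    right=198.51.100.20
    rightsubnet=10.10.12.0/24
    aggrmode=yes
    ike=3des-sha1,aes128-sha1   # Openswan will only use the first of these
    esp=3des-sha1
    authby=secret
    auto=add
"""


def parse_conn(text):
    """Parse ipsec.conf-style text into {conn_name: {key: value}}.

    Only 'conn' sections are collected; 'config setup' and other
    top-level sections end the current conn. Inline '#' comments are
    stripped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r'^conn\s+(\S+)\s*$', line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if current is not None and line[0].isspace() and '=' in line:
            key, value = line.strip().split('=', 1)
            conns[current][key.strip()] = value.strip()
        else:
            current = None  # some other section (e.g. 'config setup')
    return conns


def source_matches_tunnel(source_ip, conn):
    """True if a packet from source_ip is covered by the conn's leftsubnet.

    Traffic originating on the gateway itself normally carries the
    public 'left' address, which is outside leftsubnet and so never
    matches the IPsec policy; that is why leftsourceip= or 'ping -I'
    is needed for the server's own traffic.
    """
    net = ipaddress.ip_network(conn['leftsubnet'], strict=False)
    return ipaddress.ip_address(source_ip) in net


def check_conn(conn):
    """Return a list of human-readable findings for one conn section."""
    findings = []

    # Aggressive mode carries a single IKE transform; extra proposals are
    # silently dropped ("multiple transforms were set in aggressive mode").
    if conn.get('aggrmode') == 'yes':
        proposals = [p for p in conn.get('ike', '').split(',') if p]
        if len(proposals) > 1:
            findings.append(
                "aggrmode=yes but ike= lists %d proposals; only the first "
                "(%s) will be used" % (len(proposals), proposals[0]))

    # Gateway-originated traffic must carry an address inside leftsubnet.
    if 'leftsubnet' in conn:
        if 'leftsourceip' not in conn:
            findings.append(
                "no leftsourceip=: packets sent from the gateway itself use "
                "its public address and will not match leftsubnet")
        elif not source_matches_tunnel(conn['leftsourceip'], conn):
            findings.append(
                "leftsourceip=%s is outside leftsubnet=%s"
                % (conn['leftsourceip'], conn['leftsubnet']))
    return findings


if __name__ == '__main__':
    for name, conn in parse_conn(SAMPLE_CONF).items():
        for finding in check_conn(conn) or ['no findings']:
            print('%s: %s' % (name, finding))
```

Running it on the sample prints the two findings; adding leftsourceip=10.1.1.1 (an address the gateway owns inside leftsubnet) and trimming ike= to one proposal makes check_conn return an empty list.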