[Openswan Users] gate-to-net and gate-to-gate not working

Pahud pahudnet at gmail.com
Wed Jan 13 04:44:59 EST 2010


Hello list,

I have established a net-to-net VPN successfully but I just can't make
 gate-to-net and gate-to-gate work.

This is my scenario:

192.168.100.0/24  left subnet

192.168.100.100 left gw private interface
200.200.200.200 left gw public interface

200.200.200.1 left gw defaultroute

INTERNET

100.100.100.1 right gw defaultroute

100.100.100.100 right gw public interface
192.168.10.1 right gw private interface

192.168.10.0/24 right subnet


OK, my /etc/ipsec/ipsec.conf is:

config setup
   nat_traversal=yes
   nhelpers=0
   interfaces=%defaultroute

conn net-to-net
   right=100.100.100.100
   rightsubnet=192.168.10.0/24
   rightcert=right.cert
   left=200.200.200.200
   leftsubnet=192.168.100.0/24
   leftcert=left.cert
   pfs=yes
   auto=add

conn lgate-to-rnet
   left=200.200.200.200
   right=100.100.100.100
   leftcert=left.cert
   rightsubnet=192.168.10.0/24
   rightcert=right.cert
   auto=add

conn rgate-to-lnet
   left=200.200.200.200
   leftsubnet=192.168.100.0/24
   right=100.100.100.100
   leftcert=left.cert
   rightcert=right.cert
   auto=add

conn lgate-to-rgate
   left=200.200.200.200
   right=100.100.100.100
   leftcert=left.cert
   rightcert=right.cert
   auto=add

----------------------

OK when I start net-to-net, everything is cool.

# ipsec auto --up net-to-net
104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.15  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x346c70d8 <0x96ddd1d9 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


And I can ping from left subnet to right subnet.

Then I try to establish lgate-to-rnet from the left gateway:

# ipsec auto --up lgate-to-rnet
117 "lgate-to-rnet" #3: STATE_QUICK_I1: initiate
004 "lgate-to-rnet" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x96d7436d <0x0662bbe4 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


It looks good as well, but I just can't ping from the left gw to the right subnet.
In the meantime, the previously established net-to-net VPN is broken,
as I can't ping from the left subnet to the right subnet either.


I am not sure what's going wrong.

My questions are:

1. In my scenario, is it possible to build net-to-net, lgate-to-rnet,
rgate-to-lnet and lgate-to-rgate at the same time with one single
ipsec.conf?
2. How do I correct my problem so I can establish them with no error?

Pahud
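As an added example (not from the post and not Openswan's own code), a small Python script that derives each conn's effective traffic selectors under Openswan's rule that a missing leftsubnet/rightsubnet means the gateway's own address as a /32, and reports conn pairs whose left and right selectors both overlap. It takes the four conn sections from the post as input (cert and auto lines left out, as they do not affect selectors); the ipsec.conf parsing is a simplified hypothetical one written for this example, not Openswan's parser.

```python
import ipaddress

# Sample input: the four conn sections from the post (cert/auto lines omitted).
IPSEC_CONF = """\
conn net-to-net
   left=200.200.200.200
   leftsubnet=192.168.100.0/24
   right=100.100.100.100
   rightsubnet=192.168.10.0/24

conn lgate-to-rnet
   left=200.200.200.200
   right=100.100.100.100
   rightsubnet=192.168.10.0/24

conn rgate-to-lnet
   left=200.200.200.200
   leftsubnet=192.168.100.0/24
   right=100.100.100.100

conn lgate-to-rgate
   left=200.200.200.200
   right=100.100.100.100
"""

def parse_conns(text):
    """Map conn name -> {key: value}; indented lines belong to the open section."""
    conns, current = {}, None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():        # section header, e.g. "conn net-to-net"
            kind, _, name = raw.partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in raw:
            key, _, val = raw.strip().partition("=")
            current[key] = val
    return conns

def selectors(conn):
    """Effective traffic selectors: a missing *subnet means the gateway's own /32."""
    left = conn.get("leftsubnet") or conn["left"] + "/32"
    right = conn.get("rightsubnet") or conn["right"] + "/32"
    return ipaddress.ip_network(left), ipaddress.ip_network(right)

def overlapping_conns(text):
    """Conn pairs whose left AND right selectors overlap, i.e. compete for the same traffic."""
    sel = {n: selectors(c) for n, c in parse_conns(text).items()}
    names = sorted(sel)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sel[a][0].overlaps(sel[b][0]) and sel[a][1].overlaps(sel[b][1])]
```

Calling `overlapping_conns(IPSEC_CONF)` returns an empty list for the post's four conns, so their selector pairs are disjoint; `selectors(parse_conns(IPSEC_CONF)["lgate-to-rnet"])` shows that conn covers 200.200.200.200/32 <-> 192.168.10.0/24.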