[Openswan Users] gate-to-net and gate-to-gate not working

Bob Miller bob at computerisms.ca
Wed Jan 13 12:29:39 EST 2010


I will take a stab at this...
I am not quite clear on what you are trying to accomplish, but it looks
like you want the traffic from the gateways to be included in the VPN
tunnel (i.e. ping from one gateway to the other gateway). For this,
rightsourceip and leftsourceip in the net-to-net conn should work to
allow such communication and eliminate the need for the extra conns.
If you are trying for some reason to specifically establish different
tunnels for each of the gateways, I think you will run into problems
with overlapping network descriptions in your config; I have no idea how
to best accomplish that...

On Wed, 2010-01-13 at 17:44 +0800, Pahud wrote:
> Hello list,
> 
> 
> I have established a net-to-net VPN successfully but I just can't
> make gate-to-net and gate-to-gate work.
> 
> 
> This is my scenario:
> 
> 192.168.100.0/24  left subnet
> 192.168.100.100   left gw private interface
> 200.200.200.200   left gw public interface
> 200.200.200.1     left gw defaultroute
> 
> INTERNET
> 
> 100.100.100.1     right gw defaultroute
> 100.100.100.100   right gw public interface
> 192.168.10.1      right gw private interface
> 192.168.10.0/24   right subnet
> 
> OK my /etc/ipsec/ipsec.conf is
> 
> 
> config setup
> nat_traversal=yes
> nhelpers=0
> interfaces=%defaultroute
> 
> 
> conn net-to-net
>    right=100.100.100.100
>    rightsubnet=192.168.10.0/24
>    rightcert=right.cert
>    left=200.200.200.200
>    leftsubnet=192.168.100.0/24
>    leftcert=left.cert
>    pfs=yes
>    auto=add
> 
> 
> conn lgate-to-rnet
>    left=200.200.200.200
>    right=100.100.100.100
>    leftcert=left.cert
>    rightsubnet=192.168.10.0/24
>    rightcert=right.cert
>    auto=add
> 
> 
> conn rgate-to-lnet
>    left=200.200.200.200
>    leftsubnet=192.168.100.0/24
>    right=100.100.100.100
>    leftcert=left.cert
>    rightcert=right.cert
>    auto=add
> 
> 
> conn lgate-to-rgate
>    left=200.200.200.200
>    right=100.100.100.100
>    leftcert=left.cert
>    rightcert=right.cert
>    auto=add
> 
> 
> ----------------------
> 
> 
> OK when I start net-to-net, everything is cool.
> 
> 
> # ipsec auto --up net-to-net
> 104 "net-to-net" #1: STATE_MAIN_I1: initiate
> 003 "net-to-net" #1: received Vendor ID payload [Openswan (this
> version) 2.4.15  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set
> to=109 
> 106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947
> (NAT-Traversal): no NAT detected
> 108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1536}
> 117 "net-to-net" #2: STATE_QUICK_I1: initiate
> 004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x346c70d8 <0x96ddd1d9 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> 
> 
> 
> And I can ping from left subnet to right subnet.
> 
> 
> Then I try to establish lgate-to-rnet from the left gateway:
> 
> 
> # ipsec auto --up lgate-to-rnet
> 117 "lgate-to-rnet" #3: STATE_QUICK_I1: initiate
> 004 "lgate-to-rnet" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x96d7436d <0x0662bbe4 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> 
> 
> 
> It looks good as well. But I just can't ping from left gw to right
> subnet; in the meantime, the previously established net-to-net VPN is
> broken, as I can't ping from the left subnet to right subnet either.
> 
> 
> 
> 
> I am not sure what's going wrong.
> 
> 
> My question is:
> 
> 
> 1. In my scenario, is it possible to build net-to-net, lgate-to-rnet,
> rgate-to-lnet and lgate-to-rgate at the same time with one single
> ipsec.conf?
> 2. How do I correct my problem so I can establish them with no error?
> 
> 
> Pahud
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
Bob Miller
334-7117/633-3760
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
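
Added example (not code from either poster or from Openswan): a small Python model of how Openswan turns conn definitions into IPsec traffic selectors, used to show why a gateway's own packets need leftsourceip/rightsourceip to land inside the net-to-net policy. The embedded ipsec.conf texts are constructed from the scenario in the message above; the single-conn variant fills in leftsourceip/rightsourceip with the private-interface addresses from that scenario, which is an assumption about the addresses one would pick. The model covers selector matching and the source address Openswan's route installs, not the reason the poster's second conn broke the first, which the thread does not establish.

```python
"""Which Openswan conn protects a given packet, seen from the left gateway?

Added example for the openswan-users thread, not the posters' or Openswan's
own code.  Selector rule modelled: *subnet= if present, else the gateway
address as a /32.  Source rule modelled: with leftsourceip, the route to the
remote selector is installed with that 'src'; without it the kernel uses the
outgoing (public) interface address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the poster's four conns (cert lines dropped; they do not
# affect traffic selectors).
POSTED_CONF = """
config setup
    nat_traversal=yes

conn net-to-net
    left=200.200.200.200
    leftsubnet=192.168.100.0/24
    right=100.100.100.100
    rightsubnet=192.168.10.0/24

conn lgate-to-rnet
    left=200.200.200.200
    right=100.100.100.100
    rightsubnet=192.168.10.0/24

conn rgate-to-lnet
    left=200.200.200.200
    leftsubnet=192.168.100.0/24
    right=100.100.100.100

conn lgate-to-rgate
    left=200.200.200.200
    right=100.100.100.100
"""

# Single-conn variant: gateway traffic is sourced from inside the subnet
# selector, so it is covered by the same policy as LAN traffic.
SUGGESTED_CONF = """
conn net-to-net
    left=200.200.200.200
    leftsubnet=192.168.100.0/24
    leftsourceip=192.168.100.100   # assumed: left gw private interface
    right=100.100.100.100
    rightsubnet=192.168.10.0/24
    rightsourceip=192.168.10.1     # assumed: right gw private interface
"""


@dataclass(frozen=True)
class Policy:
    name: str
    left_sel: ipaddress.IPv4Network
    right_sel: ipaddress.IPv4Network
    left_sourceip: Optional[str]


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: 'conn NAME' sections of key=value lines."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None                        # 'config setup' is not a conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def selectors(conns: Dict[str, Dict[str, str]]) -> List[Policy]:
    """Selector pair per conn: *subnet= if given, else the gateway IP as /32."""
    pols = []
    for name, kv in conns.items():
        left = ipaddress.ip_network(kv.get("leftsubnet", kv["left"] + "/32"), strict=False)
        right = ipaddress.ip_network(kv.get("rightsubnet", kv["right"] + "/32"), strict=False)
        pols.append(Policy(name, left, right, kv.get("leftsourceip")))
    return pols


def matching_policy(pols: List[Policy], src: str, dst: str) -> Optional[str]:
    """First conn whose selectors cover src->dst; None means the packet would
    follow the plain routing table, i.e. leave the gateway unencrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in pols:
        if s in p.left_sel and d in p.right_sel:
            return p.name
    return None


def gateway_source(pols: List[Policy], public_ip: str, dst: str) -> str:
    """Source address the left gateway itself uses towards dst (see module doc)."""
    d = ipaddress.ip_address(dst)
    for p in pols:
        if d in p.right_sel and p.left_sourceip:
            return p.left_sourceip
    return public_ip


if __name__ == "__main__":
    posted = selectors(parse_conns(POSTED_CONF))
    net_only = [p for p in posted if p.name == "net-to-net"]
    src = gateway_source(net_only, "200.200.200.200", "192.168.10.5")
    print("net-to-net only, gw ping sourced from", src, "->",
          matching_policy(net_only, src, "192.168.10.5"))
    suggested = selectors(parse_conns(SUGGESTED_CONF))
    src = gateway_source(suggested, "200.200.200.200", "192.168.10.5")
    print("with leftsourceip, gw ping sourced from", src, "->",
          matching_policy(suggested, src, "192.168.10.5"))
```

Run as-is and the first line reports that a ping from the left gateway to the right subnet under net-to-net alone is sourced from 200.200.200.200 and hits no policy, so it would go out the default route in the clear (and, being RFC 1918 destined, get dropped upstream); the second line shows the same ping sourced from 192.168.100.100 and matched by net-to-net. On a real gateway the equivalent check is `ip route get 192.168.10.5` (look at the `src` it reports) together with `ip xfrm policy` to see which selector that source falls into.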
