[Openswan Users] openswan isn't adding a route to Ubuntu's IP table

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Jul 9 15:35:46 EDT 2010


I believe if he is behind a NAT on the left and we are looking at the 
config file for the left, then this _may_ be a proper way to have it set 
up -- depending on his network setup.

Ryan, the question I have for you regards this:

 >> The connection establishes just fine. On the openswan server, if i
 >> ping 192.168.1.5, a host on the remote network, the traffic goes
 >> through the tunnel encrypted. if i ping that host from the local
 >> subnet, it goes over the wire unencrypted. Looking at the route table
 >> on the openswan box, there is no entry for the remote network:

Does "the local subnet" have its gateway set to 192.168.92.128, or 
192.168.92.2?

Willie

Nick Howitt wrote:
>   Odd. Your left WAN IP appears to be on the same subnet as the left 
> LAN. I don't see that working. Are you sure of your set up?
> 
> On 09/07/2010 19:24, Ryan McLeod wrote:
>> connection config looks like:
>>
>> conn tunnelipsec
>>     type=tunnel
>>     authby=secret
>>     left=192.168.92.128
>>     leftnexthop=192.168.92.2
>>     leftsubnet=192.168.92.0/24
>>     right=200.200.200.1
>>     rightnexthop=200.200.200.2
>>     rightsubnet=192.168.1.0/24
>>     esp=3des-md5
>>     keyexchange=ike
>>     pfs=no
>>     auto=start
>>
>> The connection establishes just fine. On the openswan server, if i 
>> ping 192.168.1.5, a host on the remote network, the traffic goes 
>> through the tunnel encrypted. if i ping that host from the local 
>> subnet, it goes over the wire unencrypted. Looking at the route table 
>> on the openswan box, there is no entry for the remote network:
>>
>> Destination     Gateway         Genmask
>> 192.168.92.0    *               255.255.255.0
>> link-local      *               255.255.0.0
>> default         192.168.92.2    0.0.0.0
>>
>> I initialize the tunnel with: ipsec auto --up tunnelipsec
>>
>> I have added to iptables:
>>
>> $IPTABLES -A INPUT -p udp  --dport 500 -j ACCEPT
>>
>> $IPTABLES -A OUTPUT -p udp  --dport 500 -j ACCEPT
>> $IPTABLES -A INPUT -p udp  --dport 4500 -j ACCEPT
>> $IPTABLES -A OUTPUT -p udp  --dport 4500 -j ACCEPT
>>
>>
>> $IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
>> $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
>>
>>
>> Any help is appreciated,
>>
>> Thanks.
>>
>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan: 
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 

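To make the question above concrete, here is an added example, not code from the thread or from the Openswan project. It parses the posted conn block (reproduced below as constructed sample input, with the stray slashes from the archive removed) and checks two things worth verifying before suspecting a missing route: whether left sits inside leftsubnet, in which case other LAN hosts only get their traffic encrypted if their default gateway is the IPsec gateway rather than 192.168.92.2, and whether the destination network in the posted FORWARD rule is one of the two subnets the tunnel actually carries. The LAN default-gateway argument, the finding codes and the helper names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: the conn block as posted in the thread.
CONN_BLOCK = """
conn tunnelipsec
    type=tunnel
    authby=secret
    left=192.168.92.128
    leftnexthop=192.168.92.2
    leftsubnet=192.168.92.0/24
    right=200.200.200.1
    rightnexthop=200.200.200.2
    rightsubnet=192.168.1.0/24
    esp=3des-md5
    keyexchange=ike
    pfs=no
    auto=start
"""

# Constructed sample input: the FORWARD rule as posted (shell variable kept as-is).
FORWARD_RULE = "$IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT"


def parse_conn(text):
    """Parse one ipsec.conf conn block into a dict of key -> value.

    Only the plain 'key=value' form is handled; the 'conn NAME' header,
    blank lines and '#' comments are skipped. That is enough for the
    settings examined below.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_lan_path(conn, lan_default_gateway):
    """Return finding codes (assumed names) for LAN traffic that bypasses the tunnel.

    An IPsec gateway can only encrypt packets that are routed through it. When
    'left' lies inside 'leftsubnet' the gateway has one foot on the LAN it
    protects, so the other LAN hosts must send traffic for 'rightsubnet' to
    'left'. If their default gateway is some other router, those packets leave
    in the clear, exactly the symptom described in the thread.
    """
    findings = []
    left = ipaddress.ip_address(conn["left"])
    leftsubnet = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    lan_gw = ipaddress.ip_address(lan_default_gateway)

    if left in leftsubnet:
        findings.append("LEFT_INSIDE_LEFTSUBNET")
        if lan_gw != left:
            findings.append("LAN_GATEWAY_IS_NOT_IPSEC_GATEWAY")
    return findings


def check_forward_rule(conn, rule):
    """Return a finding code if the FORWARD rule's '-d' network is neither
    leftsubnet nor rightsubnet.

    Forwarded tunnel traffic, in either direction, has a destination inside one
    of the two subnets the conn carries; any other network in the rule points
    to a typo and means the rule never matches the tunnel's packets.
    """
    m = re.search(r"(?:^|\s)-d\s+(\S+)", rule)
    if not m:
        return "FORWARD_RULE_HAS_NO_DESTINATION"
    rule_dst = ipaddress.ip_network(m.group(1), strict=False)
    tunnel_subnets = {
        ipaddress.ip_network(conn["leftsubnet"], strict=False),
        ipaddress.ip_network(conn["rightsubnet"], strict=False),
    }
    if rule_dst not in tunnel_subnets:
        return "FORWARD_DST_NOT_IN_TUNNEL"
    return None


if __name__ == "__main__":
    conn = parse_conn(CONN_BLOCK)
    # The routing table in the thread shows LAN hosts default-routing via 192.168.92.2.
    for code in check_lan_path(conn, "192.168.92.2"):
        print(code)
    print(check_forward_rule(conn, FORWARD_RULE))
```

Run against the posted configuration with 192.168.92.2 as the LAN default gateway, the first check reports both codes; run with 192.168.92.128 as the gateway it reports only that left is inside leftsubnet, which is harmless once the hosts route through the IPsec box.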
