[Openswan Users] openswan isnt adding a route to Ubuntus IP table

Ryan McLeod r.mcleod20 at gmail.com
Fri Jul 9 16:36:56 EDT 2010


The gateway of the subnet is 192.168.92.2, which is a built-in virtual NIC
for VMware. x.x.x.128 is the openswan box itself, and the left subnet is now
11.11.11.0/24.

On Fri, Jul 9, 2010 at 3:35 PM, Willie Gillespie <
wgillespie+openswan at es2eng.com> wrote:

> I believe if he is behind a NAT on the left and we are looking at the
> config file for the left, then this _may_ be a proper way to have it set up
> -- depending on his network setup.
>
> Ryan, the question I have for you regards this:
>
>
> >> The connection establishes just fine. On the openswan server, if I
> >> ping 192.168.1.5, a host on the remote network, the traffic goes
> >> through the tunnel encrypted. If I ping that host from the local
> >> subnet, it goes over the wire unencrypted. Looking at the route table
> >> on the openswan box, there is no entry for the remote network:
>
> Does "the local subnet" have its gateway set to 192.168.92.128, or
> 192.168.92.2?
>
> Willie
>
> Nick Howitt wrote:
>
>>  Odd. Your left WAN IP appears to be on the same subnet as the left LAN. I
>> don't see that working. Are you sure of your set up?
>>
>> On 09/07/2010 19:24, Ryan McLeod wrote:
>>
>>> connection config looks like:
>>>
> >>> conn tunnelipsec
>>>    type=tunnel
>>>    authby=secret
>>>    left=192.168.92.128
>>>    leftnexthop=192.168.92.2
>>>    leftsubnet=192.168.92.0/24
>>>    right=200.200.200.1
>>>    rightnexthop=200.200.200.2
>>>    rightsubnet=192.168.1.0/24
>>>    esp=3des-md5
>>>    keyexchange=ike
>>>    pfs=no
>>>    auto=star/t
>>>
>>>
> >>> The connection establishes just fine. On the openswan server, if I ping
> >>> 192.168.1.5, a host on the remote network, the traffic goes through the
> >>> tunnel encrypted. If I ping that host from the local subnet, it goes over
> >>> the wire unencrypted. Looking at the route table on the openswan box, there
> >>> is no entry for the remote network:
>>>
> >>> Destination     Gateway         Genmask
> >>> 192.168.92.0    *               255.255.255.0
> >>> link-local      *               255.255.0.0
> >>> default         192.168.92.2    0.0.0.0
>>>
>>> I initialize the tunnel with: ipsec auto --up tunnelipsec
>>>
>>> I have added to iptables:
>>>
>>> $IPTABLES -A INPUT -p udp  --dport 500 -j ACCEPT
>>>
>>> $IPTABLES -A OUTPUT -p udp  --dport 500 -j ACCEPT
>>> $IPTABLES -A INPUT -p udp  --dport 4500 -j ACCEPT
>>> $IPTABLES -A OUTPUT -p udp  --dport 4500 -j ACCEPT
>>>
>>>
>>> $IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
> >>> $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
>>>
>>>
>>>
>>> Any help is appreciated,
>>>
>>> Thanks.
>>>
>>>
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>
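A configuration sanity check, added here as an example and not part of the thread or of Openswan itself: it parses the conn block quoted above and reports the points raised in the replies (left inside leftsubnet, no route covering rightsubnet, the FORWARD rule's 192.168.2.0/24 against rightsubnet 192.168.1.0/24, and whether the LAN's default gateway is the IPsec box). The route table, the FORWARD destination and the LAN gateway value are constructed inputs taken from the figures in the thread.

```python
import ipaddress
import re

# Constructed input: the conn block quoted in the thread (stray characters removed).
IPSEC_CONF = """conn tunnelipsec
   type=tunnel
   left=192.168.92.128
   leftnexthop=192.168.92.2
   leftsubnet=192.168.92.0/24
   right=200.200.200.1
   rightsubnet=192.168.1.0/24
   auto=start
"""
# Constructed input: the posted route table as (destination, genmask) pairs.
ROUTES = [("192.168.92.0", "255.255.255.0"), ("169.254.0.0", "255.255.0.0"),
          ("0.0.0.0", "0.0.0.0")]
# Constructed input: the destination named in the posted FORWARD rule.
FORWARD_DST = "192.168.2.0/24"

def parse_conn(text):
    """Return the key=value settings of a conn block as a dict (the 'conn' line is skipped)."""
    conn = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)=(\S+)\s*$", line)
        if m:
            conn[m.group(1)] = m.group(2)
    return conn

def check_tunnel(conn, routes, forward_dst, lan_gateway):
    """Return findings about the conn, the kernel route table and the firewall rule."""
    findings = []
    left = ipaddress.ip_address(conn["left"])
    leftsubnet = ipaddress.ip_network(conn["leftsubnet"])
    rightsubnet = ipaddress.ip_network(conn["rightsubnet"])
    # Nick's observation: the gateway's own WAN address lies inside the protected LAN.
    if left in leftsubnet:
        findings.append(f"left {left} is inside leftsubnet {leftsubnet}")
    # No non-default route covers the remote subnet (what Ryan saw in the route table).
    specific = [ipaddress.ip_network(f"{dst}/{mask}") for dst, mask in routes]
    if not any(r.prefixlen > 0 and rightsubnet.subnet_of(r) for r in specific):
        findings.append(f"no route entry covers rightsubnet {rightsubnet}")
    # The FORWARD accept rule names a different subnet than rightsubnet.
    if ipaddress.ip_network(forward_dst) != rightsubnet:
        findings.append(f"FORWARD rule allows {forward_dst} but rightsubnet is {rightsubnet}")
    # Willie's question: LAN traffic only reaches the tunnel if the IPsec box is the LAN gateway.
    if ipaddress.ip_address(lan_gateway) != left:
        findings.append(f"LAN default gateway {lan_gateway} is not the IPsec gateway {left}")
    return findings
```

Calling `check_tunnel(parse_conn(IPSEC_CONF), ROUTES, FORWARD_DST, "192.168.92.2")` returns four findings; with the FORWARD destination changed to 192.168.1.0/24 and the LAN gateway set to 192.168.92.128, only the first two remain.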