[Openswan Users] openswan isn't adding a route to Ubuntu's IP table
Willie Gillespie
wgillespie+openswan at es2eng.com
Fri Jul 9 16:59:05 EDT 2010
So what was happening is that the local subnet is sending packets
directly to the gateway address of 192.168.92.2 -- they had no reason to
go to your Openswan server at 192.168.92.128 -- so they aren't going to
be encapsulated.
Ryan McLeod wrote:
> The gateway of the subnet is 192.168.92.2 which is a built in virtual
> nic for vmware. x.x.x.128 is the openswan itself. and the left subnet is
> now 11.11.11.0/24.
>
> On Fri, Jul 9, 2010 at 3:35 PM, Willie Gillespie
> <wgillespie+openswan at es2eng.com> wrote:
>
> I believe if he is behind a NAT on the left and we are looking at
> the config file for the left, then this _may_ be a proper way to
> have it set up -- depending on his network setup.
>
> Ryan, the question I have for you regards this:
>
>
> >> The connection establishes just fine. On the openswan server, if I
> >> ping 192.168.1.5, a host on the remote network, the traffic goes
> >> through the tunnel encrypted. If I ping that host from the local
> >> subnet, it goes over the wire unencrypted. Looking at the route table
> >> on the openswan box, there is no entry for the remote network:
>
> Does "the local subnet" have its gateway set to 192.168.92.128, or
> 192.168.92.2?
>
> Willie
>
> Nick Howitt wrote:
>
> Odd. Your left WAN IP appears to be on the same subnet as the
> left LAN. I don't see that working. Are you sure of your set up?
>
> On 09/07/2010 19:24, Ryan McLeod wrote:
>
> connection config looks like:
>
> conn tunnelipsec
>     type=tunnel
>     authby=secret
>     left=192.168.92.128
>     leftnexthop=192.168.92.2
>     leftsubnet=192.168.92.0/24
>     right=200.200.200.1
>     rightnexthop=200.200.200.2
>     rightsubnet=192.168.1.0/24
>     esp=3des-md5
>     keyexchange=ike
>     pfs=no
>     auto=start
>
>
> The connection establishes just fine. On the openswan
> server, if I ping 192.168.1.5, a host on the remote network,
> the traffic goes through the tunnel encrypted. If I ping
> that host from the local subnet, it goes over the wire
> unencrypted. Looking at the route table on the openswan box,
> there is no entry for the remote network:
>
> Destination     Gateway         Genmask
> 192.168.92.0    *               255.255.255.0
> link-local      *               255.255.0.0
> default         192.168.92.2    0.0.0.0
>
> I initialize the tunnel with: ipsec auto --up tunnelipsec
>
> I have added to iptables:
>
> $IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 500 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 4500 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 4500 -j ACCEPT
>
> $IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
> $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
>
>
>
> Any help is appreciated,
>
> Thanks.
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
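An added illustration of the routing point Willie makes above; this is not code from the thread or from Openswan. With the NETKEY stack the Openswan box needs no route for 192.168.1.0/24: whether a packet gets ESP-encapsulated is decided by the xfrm policy (SPD) that Openswan installs from leftsubnet/rightsubnet, which the kernel consults after the ordinary route lookup. That is why the box's own pings to 192.168.1.5 are encrypted even though its route table only has the default via 192.168.92.2. A host on the LAN has no such policy, only a route table, and if that table says "default via 192.168.92.2" the packet is handed to the VMware gateway and never reaches 192.168.92.128. The script models both lookups with the addresses from the thread; the LAN host's routing table and the host address 192.168.92.10 are assumptions.

```python
"""Simulate the kernel's two outbound decisions for the topology in the thread:
   1. FIB longest-prefix match  -> which next hop the packet is sent to
   2. xfrm policy (SPD) selector -> whether it is ESP-encapsulated first
Added example, not from the mailing-list thread or from Openswan."""
import ipaddress

OPENSWAN = "192.168.92.128"    # left=
VMWARE_GW = "192.168.92.2"     # leftnexthop=, also the LAN hosts' default gateway
LEFTSUBNET = "192.168.92.0/24"
RIGHTSUBNET = "192.168.1.0/24"
REMOTE_HOST = "192.168.1.5"
LAN_HOST = "192.168.92.10"     # assumed address of a host on the left LAN

# Route table from the post, as (prefix, gateway); gateway None means "*" (on-link).
OPENSWAN_ROUTES = [
    ("192.168.92.0/24", None),
    ("169.254.0.0/16", None),   # link-local
    ("0.0.0.0/0", VMWARE_GW),   # default
]
# Assumed table for a LAN host whose default gateway is the VMware virtual NIC.
LAN_HOST_ROUTES = [
    ("192.168.92.0/24", None),
    ("0.0.0.0/0", VMWARE_GW),
]
# The outbound SPD entry Openswan installs for conn tunnelipsec: (src selector, dst selector).
OPENSWAN_SPD = [(LEFTSUBNET, RIGHTSUBNET)]


def fib_lookup(routes, dst):
    """Longest-prefix match; returns (network, gateway) or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def next_hop(routes, dst):
    """Address the frame is actually sent to: the gateway, or dst itself if on-link."""
    match = fib_lookup(routes, dst)
    if match is None:
        return None
    return match[1] if match[1] is not None else dst


def spd_matches(spd, src, dst):
    """True if an xfrm policy selector covers src -> dst, i.e. the tunnel applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r) for l, r in spd)


def outbound(routes, spd, src, dst):
    """How a packet leaves this box: 'esp', 'clear via <hop>' or 'unroutable'."""
    hop = next_hop(routes, dst)
    if hop is None:
        return "unroutable"
    if spd_matches(spd, src, dst):
        return "esp"                     # encapsulated regardless of the FIB entry
    return "clear via " + hop


def lan_host_path(host_routes, src, dst):
    """Path of a LAN host's packet; only if it reaches the Openswan box does its SPD apply."""
    if next_hop(host_routes, dst) == OPENSWAN:
        return outbound(OPENSWAN_ROUTES, OPENSWAN_SPD, src, dst)   # forwarded by Openswan
    return outbound(host_routes, [], src, dst)                    # LAN host has no SPD


if __name__ == "__main__":
    print("openswan box itself ->", outbound(OPENSWAN_ROUTES, OPENSWAN_SPD, OPENSWAN, REMOTE_HOST))
    print("LAN host, gw=.2     ->", lan_host_path(LAN_HOST_ROUTES, LAN_HOST, REMOTE_HOST))
    fixed = LAN_HOST_ROUTES + [(RIGHTSUBNET, OPENSWAN)]   # e.g. ip route add 192.168.1.0/24 via 192.168.92.128
    print("LAN host with route ->", lan_host_path(fixed, LAN_HOST, REMOTE_HOST))
```

The first case comes out "esp" with no 192.168.1.0/24 route on the Openswan box, the second "clear via 192.168.92.2" (the unencrypted traffic Ryan sees on the wire), and the third "esp" once the host has a route that sends the remote subnet to 192.168.92.128. The equivalent real-world fixes are to point the LAN hosts' default gateway at 192.168.92.128, to add the static route on each host (ip route add 192.168.1.0/24 via 192.168.92.128), or to add that route on the 192.168.92.2 gateway if it forwards for the LAN. A separate check worth making against the posted rules: the FORWARD rule matches -d 192.168.2.0/24, a network that appears nowhere else in the configuration (rightsubnet is 192.168.1.0/24).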