[Openswan Users] openswan isn't adding a route to Ubuntu's IP table

Ryan McLeod r.mcleod20 at gmail.com
Fri Jul 9 22:21:06 EDT 2010


Well, because the subnets were improper, the machine that was the host sent the
packet to the Openswan, which is its gateway, but the Openswan sent it to
its gateway of 92.2. When I fixed the subnet, it then went through the
tunnel. But the traffic on the Openswan itself no longer goes through the
tunnel, which is the way it's supposed to be.

Ryan

On Fri, Jul 9, 2010 at 4:59 PM, Willie Gillespie <wgillespie+openswan at es2eng.com> wrote:

> So what was happening is that the local subnet is sending packets directly
> to the gateway address of 192.168.92.2 -- they had no reason to go to your
> Openswan server at 192.168.92.128 -- so they aren't going to be
> encapsulated.
>
> Ryan McLeod wrote:
>
>> The gateway of the subnet is 192.168.92.2, which is a built-in virtual NIC
>> for VMware. x.x.x.128 is the Openswan itself, and the left subnet is now
>> 11.11.11.0/24.
>>
>>
>> On Fri, Jul 9, 2010 at 3:35 PM, Willie Gillespie <wgillespie+openswan at es2eng.com> wrote:
>>
>>    I believe if he is behind a NAT on the left and we are looking at
>>    the config file for the left, then this _may_ be a proper way to
>>    have it set up -- depending on his network setup.
>>
>>    Ryan, the question I have for you regards this:
>>
>>
>>     >> The connection establishes just fine. On the openswan server, if I
>>     >> ping 192.168.1.5, a host on the remote network, the traffic goes
>>     >> through the tunnel encrypted. If I ping that host from the local
>>     >> subnet, it goes over the wire unencrypted. Looking at the route
>>     >> table on the openswan box, there is no entry for the remote network:
>>
>>    Does "the local subnet" have its gateway set to 192.168.92.128, or
>>    192.168.92.2?
>>
>>    Willie
>>
>>    Nick Howitt wrote:
>>
>>        Odd. Your left WAN IP appears to be on the same subnet as the
>>        left LAN. I don't see that working. Are you sure of your setup?
>>
>>        On 09/07/2010 19:24, Ryan McLeod wrote:
>>
>>            The connection config looks like:
>>
>>            conn tunnelipsec
>>               type=tunnel
>>               authby=secret
>>               left=192.168.92.128
>>               leftnexthop=192.168.92.2
>>               leftsubnet=192.168.92.0/24
>>
>>               right=200.200.200.1
>>               rightnexthop=200.200.200.2
>>               rightsubnet=192.168.1.0/24
>>
>>               esp=3des-md5
>>               keyexchange=ike
>>               pfs=no
>>               auto=start
>>
>>
>>            The connection establishes just fine. On the openswan
>>            server, if I ping 192.168.1.5, a host on the remote network,
>>            the traffic goes through the tunnel encrypted. If I ping
>>            that host from the local subnet, it goes over the wire
>>            unencrypted. Looking at the route table on the openswan box,
>>            there is no entry for the remote network:
>>
>>            Destination     Gateway         Genmask
>>            192.168.92.0    *               255.255.255.0
>>            link-local      *               255.255.0.0
>>            default         192.168.92.2    0.0.0.0
>>
>>            I initialize the tunnel with: ipsec auto --up tunnelipsec
>>
>>            I have added to iptables:
>>
>>            $IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
>>            $IPTABLES -A OUTPUT -p udp --dport 500 -j ACCEPT
>>            $IPTABLES -A INPUT -p udp --dport 4500 -j ACCEPT
>>            $IPTABLES -A OUTPUT -p udp --dport 4500 -j ACCEPT
>>
>>            $IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
>>            $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
>>
>>
>>
>>            Any help is appreciated,
>>
>>            Thanks.
>>
>>
>>            _______________________________________________
>>            Users at openswan.org <mailto:Users at openswan.org>
>>
>>            http://lists.openswan.org/mailman/listinfo/users
>>            Building and Integrating Virtual Private Networks with
>>            Openswan:
>>
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
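As an added example (not part of this thread and not Openswan's own code), the following Python script parses a conn block in ipsec.conf syntax and flags the layout problems the thread turns on: leftnexthop and left sitting inside leftsubnet (so LAN hosts that default-route to the VMware gateway never hand packets to the Openswan box), overlapping left/right subnets, a FORWARD rule whose destination does not fall within rightsubnet, and the legacy esp algorithm selection. The sample conn block and the FORWARD destination are constructed from Ryan's post; the function names, finding codes and the `WEAK_ESP` list are my own assumptions.

```python
"""Sanity-check an ipsec.conf conn block against the subnet/gateway layout."""
import ipaddress
import re

# Constructed sample input: the conn block as posted in the thread, with the
# extraction artifacts removed. A test fixture, not a file shipped by Openswan.
ORIGINAL_CONF = """
conn tunnelipsec
   type=tunnel
   authby=secret
   left=192.168.92.128
   leftnexthop=192.168.92.2
   leftsubnet=192.168.92.0/24
   right=200.200.200.1
   rightnexthop=200.200.200.2
   rightsubnet=192.168.1.0/24
   esp=3des-md5
   keyexchange=ike
   pfs=no
   auto=start
"""

# Destination used by the FORWARD rule posted in the thread (constructed input).
FORWARD_DESTS = ["192.168.2.0/24"]

# Assumed list of ESP algorithm tokens a reviewer would flag as legacy.
WEAK_ESP = ("3des", "des", "md5", "null")


def parse_conn(text):
    """Return (conn_name, {key: value}) for one conn block in ipsec.conf syntax."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return name, params


def check_conn(params, forward_dests=()):
    """Return a list of (code, message) findings about the subnet/gateway layout."""
    findings = []
    left = ipaddress.ip_address(params["left"])
    nexthop = ipaddress.ip_address(params["leftnexthop"])
    lsub = ipaddress.ip_network(params["leftsubnet"], strict=False)
    rsub = ipaddress.ip_network(params["rightsubnet"], strict=False)

    # LAN hosts that default-route to leftnexthop never hand the packet to
    # this gateway, so it leaves the LAN unencapsulated (Willie's point).
    if nexthop in lsub:
        findings.append(("NEXTHOP_IN_LEFTSUBNET",
                         f"leftnexthop {nexthop} lies inside leftsubnet {lsub}; "
                         "LAN hosts using it as default gateway bypass the tunnel"))
    # The gateway's outside address on the protected subnet only makes sense
    # behind NAT; otherwise WAN and LAN collapse into one segment (Nick's point).
    if left in lsub:
        findings.append(("LEFT_IN_LEFTSUBNET",
                         f"left {left} lies inside leftsubnet {lsub}"))
    if lsub.overlaps(rsub):
        findings.append(("SUBNET_OVERLAP",
                         f"leftsubnet {lsub} overlaps rightsubnet {rsub}"))
    # The FORWARD rule must admit traffic for the remote subnet, not another one.
    for dest in forward_dests:
        dn = ipaddress.ip_network(dest, strict=False)
        if not dn.subnet_of(rsub):
            findings.append(("FORWARD_MISMATCH",
                             f"FORWARD destination {dn} is not within rightsubnet {rsub}"))
    esp = params.get("esp", "").lower()
    if any(alg in esp.split("-") for alg in WEAK_ESP):
        findings.append(("WEAK_ESP", f"esp={esp} uses legacy algorithms"))
    return findings


def audit(text, forward_dests=()):
    """Parse then check; returns only the finding codes, in order."""
    _, params = parse_conn(text)
    return [code for code, _ in check_conn(params, forward_dests)]


if __name__ == "__main__":
    name, params = parse_conn(ORIGINAL_CONF)
    for code, msg in check_conn(params, FORWARD_DESTS):
        print(f"{name}: {code}: {msg}")
```

Run against the posted config it reports four findings; with leftsubnet changed to 11.11.11.0/24 (the fix Ryan describes) and a FORWARD destination that matches rightsubnet, the subnet findings disappear. The script reads only the config text, so it cannot tell which gateway the LAN hosts actually use; that still has to be verified on the hosts themselves, which is exactly the question Willie asked.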