[Openswan Users] Not able to ping other subnet
Dennis van der Meer
dennisvandermeer at greenchem-adblue.com
Fri Mar 19 04:40:42 EDT 2010
Hi,
I have the following situation:
We have several sales offices that connect to our head office via an
ipsec connection, which is
established by a Draytek router. On our server side we have a Linux
server running with openswan
(Linux Openswan U2.6.20/K2.6.27.7-smp (netkey)).
Our head office internal network range is 192.168.2.x/24 and our sales
offices are in the range of
10.0.x.0/24. So, e.g.:
Remote office LAN 1
(10.0.2.0/24)
|
Draytek router (10.0.2.1)
|
Internet
|
Linux server (ext. ip: a.b.c.d)
(192.168.2.3)
|
Head office LAN
(192.168.2.0/24)
The remote offices are for the most part connected to the internet with a
dynamic IP address (roadwarrior), so I have used an ID to keep them apart.
My ipsec.conf file is as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v
    protostack=netkey
    plutodebug=none
    klipsdebug=none

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=secret
    dpddelay=60
    dpdtimeout=120
    dpdaction=clear

conn Office1
    auto=add
    left=a.b.c.d                  # external ip Linux server
    leftsourceip=192.168.2.3      # internal LAN address Linux server
    leftsubnet=192.168.2.0/24     # internal subnet on head office side
    right=%any                    # other side uses dynamic ip so have to use %any here
    rightsourceip=10.0.2.1        # local ip address of Draytek router from other side
    rightsubnet=10.0.2.0/24       # local subnet of remote office 1
    rightid=@RemoteOffice1        # ID for office to identify which tunnel to use
    keyexchange=ike
    keyingtries=5
    type=tunnel
    disablearrivalcheck=no
    authby=secret
    pfs=yes

conn Office2
    auto=add
    left=a.b.c.d
    leftsourceip=192.168.2.3
    leftsubnet=192.168.2.0/24
    right=%any
    rightsourceip=10.0.3.1
    rightsubnet=10.0.3.0/24
    rightid=@RemoteOffice2
    keyexchange=ike
    keyingtries=5
    type=tunnel
    disablearrivalcheck=no
    authby=secret
    pfs=yes
And there are more offices configured in the file but they are much the
same, except for the subnet.
The Draytek routers can connect without any problem and I can ping the
remote subnets from the Linux server.
I can also ping the remote computers in the remote offices from the Head
Office LAN.
It is however not possible to ping a system in Remote Office 2 from
Remote Office 1:
e.g. In Remote Office 1: ping 10.0.3.1
After running "tcpdump -n icmp" I saw that traffic is going from the
computer in Remote Office 1 to the Linux server,
but from there it doesn't travel to Remote Office 2.
How will I be able to access services in Remote Office 2 from Remote
Office 1 (e.g. ping or access to a web server)?
Regards,
Dennis
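The spoke-to-spoke case described in the post, as an added configuration example that is not from the post and not from Openswan's own documentation: the hub only holds SAs whose selectors cover headoffice <-> remote, so a packet from 10.0.2.0/24 to 10.0.3.0/24 is decrypted on arrival but matches no outbound IPsec policy and is never re-encrypted. The extra conns below give the hub a policy for each remote pair; they assume the Office1/Office2 conns, IDs and PSKs from the post, and that each Draytek is also configured with a matching remote-network entry for the other office, since its quick-mode proposal has to match these selectors.

```ini
# Added example, not part of the original post.
# Spoke-to-spoke policy on the Openswan hub: one conn per direction/pair.
# Hub-side "leftsubnet" is the *other* remote LAN that the hub forwards for,
# not a subnet local to the hub.

conn Office1-to-Office2
    left=a.b.c.d                  # hub external ip (from the post)
    leftsubnet=10.0.3.0/24        # Office 2 LAN, reached through the hub
    right=%any
    rightid=@RemoteOffice1        # same phase-1 identity as conn Office1
    rightsubnet=10.0.2.0/24       # Office 1 LAN
    keyexchange=ike
    keyingtries=5
    type=tunnel
    authby=secret
    pfs=yes
    auto=add

conn Office2-to-Office1
    left=a.b.c.d
    leftsubnet=10.0.2.0/24        # Office 1 LAN, reached through the hub
    right=%any
    rightid=@RemoteOffice2        # same phase-1 identity as conn Office2
    rightsubnet=10.0.3.0/24       # Office 2 LAN
    keyexchange=ike
    keyingtries=5
    type=tunnel
    authby=secret
    pfs=yes
    auto=add
```

Each such conn is an explicit allow between two branch LANs, so add only the pairs that actually need to talk, load them with `ipsec auto --add <conn>` (or restart pluto), and check with `ip xfrm policy` that a policy for src 10.0.2.0/24 dst 10.0.3.0/24 (and the reverse) now exists before re-running the tcpdump.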