[Openswan Users] Not able to ping other subnet
GregScott at InfraSupportEtc.com
Sat Mar 20 12:19:42 EDT 2010
Hi Dennis -
You want to route like this
Office1 -> Head office -> Office2
with tunnels connecting office1 and the head office, and office2 and the head office, right?
I've been down this road before. The summary is, with IPSEC, if you want Office1 and Office2 to see each other, you must set up a tunnel connecting those two offices directly. Every site that wants to see the other site needs a tunnel connecting them. It won't work to have an intermediate site terminate one tunnel and then expect the intermediate site to send data down a different tunnel to the third site. Somebody correct me if I'm wrong, but it's been my experience that the virtual star topology just won't work with IPSEC.
OpenVPN claims the ability to do this but I haven't tried it first-hand.
- Greg Scott
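The behaviour Dennis observed with tcpdump (packets from Remote Office 1 reach the Linux server but never leave it towards Remote Office 2) and Greg's point that every pair of sites needs its own tunnel both come down to how IPsec chooses a tunnel: a packet is only sent into a tunnel when its source and destination addresses fall inside that tunnel's leftsubnet/rightsubnet selectors. The script below is an added example, not code from this thread or from Openswan; it models the hub's policy table with the subnets quoted in Dennis's message (192.168.2.0/24 for the head office, 10.0.2.0/24 and 10.0.3.0/24 for the two remote offices, all as assumed sample values) and reports which site pairs have no covering policy.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Policy:
    """One conn as the hub sees it: name plus the two subnet selectors."""
    name: str
    left: ipaddress.IPv4Network
    right: ipaddress.IPv4Network

    def matches(self, src, dst):
        # Selectors are symmetric: the same tunnel carries both directions.
        return (src in self.left and dst in self.right) or \
               (src in self.right and dst in self.left)

    def covers(self, a, b):
        # True when the whole pair of subnets (a, b) lies inside the selectors.
        return (a.subnet_of(self.left) and b.subnet_of(self.right)) or \
               (a.subnet_of(self.right) and b.subnet_of(self.left))

def make_policy(name, left, right):
    return Policy(name, ipaddress.ip_network(left), ipaddress.ip_network(right))

# Constructed sample: the hub's two conns as described in the thread,
# head office <-> office 1 and head office <-> office 2.
HUB_POLICIES = [
    make_policy("RemoteOffice1", "192.168.2.0/24", "10.0.2.0/24"),
    make_policy("RemoteOffice2", "192.168.2.0/24", "10.0.3.0/24"),
]

# Constructed sample: a direct office-to-office conn, the fix Greg suggests.
DIRECT_POLICY = make_policy("Office1-Office2", "10.0.2.0/24", "10.0.3.0/24")

# Constructed list of every site subnet in the deployment.
SITE_SUBNETS = ["192.168.2.0/24", "10.0.2.0/24", "10.0.3.0/24"]

def select_tunnel(policies, src, dst):
    """Return the name of the first policy whose selectors match src->dst, or None.
    None means the packet is handed to ordinary routing and leaves no tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.matches(s, d):
            return p.name
    return None

def uncovered_pairs(policies, subnets):
    """List the (a, b) subnet pairs for which no policy would carry traffic."""
    nets = [ipaddress.ip_network(n) for n in subnets]
    missing = []
    for a, b in combinations(nets, 2):
        if not any(p.covers(a, b) for p in policies):
            missing.append((str(a), str(b)))
    return missing

if __name__ == "__main__":
    # Head office host to office 2: matches the office 2 tunnel.
    print(select_tunnel(HUB_POLICIES, "192.168.2.3", "10.0.3.1"))
    # Office 1 host to office 2: no hub policy matches, so the decrypted
    # packet is not re-encrypted into any tunnel (what tcpdump showed).
    print(select_tunnel(HUB_POLICIES, "10.0.2.5", "10.0.3.1"))
    # With a direct office-to-office policy the pair is covered.
    print(select_tunnel(HUB_POLICIES + [DIRECT_POLICY], "10.0.2.5", "10.0.3.1"))
    # Audit: which site pairs still lack a policy?
    print(uncovered_pairs(HUB_POLICIES, SITE_SUBNETS))
```

Running uncovered_pairs over the full list of site subnets is the check to do before blaming routing: any pair it reports will show exactly the symptom in the thread, traffic arriving at the hub and going no further, regardless of what the spoke routers do. With NETKEY in particular, a packet that matches no policy is not dropped by IPsec but forwarded per the normal routing table, so it can leave the hub in the clear towards the default gateway; confirming that with tcpdump on the external interface is worthwhile.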
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Nick Howitt
Sent: Friday, March 19, 2010 4:19 PM
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Not able to ping other subnet
Are you sure the Draytek at Remote Office 1 is routing traffic to Remote Office 2 via the head office? I don't believe it would normally do that unless you have set up a specific route.
As an aside, why have you enabled NAT Traversal?
Not an Openswan solution, but can you not set up direct VPNs between the Drayteks?
On 19/03/2010 08:40, Dennis van der Meer wrote:
I have the following situation:
We have several sales offices that connect to our head office via an ipsec connection, which is
established by a Draytek router. On our server side we have a Linux server running with openswan
(Linux Openswan U2.6.20/K126.96.36.199-smp (netkey)).
Our head office internal network range is 192.168.2.x/24 and our sales offices are in the range of
10.0.x.0/24. So, e.g.:
Remote office LAN 1 -- Draytek router (10.0.2.1) -- Linux server (ext. ip: a.b.c.d) -- Head office LAN
The remote offices are for the most part connected to internet with a dynamic ip address (roadwarrior)
and so I have used an ID to keep them apart.
My ipsec.conf file is as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
# conn name assumed; the excerpt as posted omitted the conn header
conn RemoteOffice1
    left=a.b.c.d                # external ip of the Linux server
    leftsourceip=192.168.2.3    # internal LAN address of the Linux server
    leftsubnet=192.168.2.0/24   # internal subnet on the head office side
    right=%any                  # other side uses a dynamic ip, so %any is required here
    rightsourceip=10.0.2.1      # local ip address of the Draytek router on the other side
    rightsubnet=10.0.2.0/24     # local subnet of remote office 1
    rightid=@RemoteOffice1      # ID for the office, used to identify which tunnel to use
And there are more offices configured in the file but they are much the same, except for the subnet.
The Draytek routers can connect without any problem and I can ping the remote subnets from the Linux server.
I can also ping the remote computers in the remote offices from the Head Office LAN.
It is however not possible to ping a system in Remote Office 2 from Remote Office 1:
e.g. In Remote Office 1: ping 10.0.3.1
After using a "tcpdump -n icmp" I saw that traffic is going from the computer in Remote Office 1 to the Linux server
but from there it doesn't travel to the Remote Office 2.
How will I be able to access services in Remote Office 2 from Remote Office 1 (e.g. ping or access to a web server)?