[Openswan Users] Not able to ping other subnet
Greg Scott
GregScott at InfraSupportEtc.com
Sat Mar 20 12:19:42 EDT 2010
Hi Dennis -
You want to route like this
Office1 -> Head office -> Office2
with tunnels connecting office1 and the head office, and office2 and the head office, right?
I've been down this road before. The summary is, with IPSEC, if you want Office1 and Office2 to see each other, you must set up a tunnel connecting those two offices directly. Every site that wants to see the other site needs a tunnel connecting them. It won't work to have an intermediate site terminate one tunnel and then expect the intermediate site to send data down a different tunnel to the third site. Somebody correct me if I'm wrong, but it's been my experience that the virtual star topology just won't work with IPSEC.
OpenVPN claims the ability to do this but I haven't tried it first-hand.
- Greg Scott
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Nick Howitt
Sent: Friday, March 19, 2010 4:19 PM
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Not able to ping other subnet
Dennis,
Are you sure the Draytek at Remote Office 1 is routing traffic to Remote Office 2 via the head office? I don't believe it would normally do that unless you have set up a specific route.
As an aside, why have you enabled NAT Traversal?
Not an Openswan solution, but can you not set up direct VPNs between the Drayteks?
On 19/03/2010 08:40, Dennis van der Meer wrote:
Hi,
I have the following situation:
We have several sales offices that connect to our head office via an ipsec connection, which is
established by a Draytek router. On our server side we have a Linux server running with openswan
(Linux Openswan U2.6.20/K2.6.27.7-smp (netkey)).
Our head office internal network range is 192.168.2.x/24 and our sales offices are in the range of
10.0.x.0/24. So, e.g.:
Remote office LAN 1
(10.0.2.0/24)
|
Draytek router (10.0.2.1)
|
Internet
|
Linux server (ext. ip: a.b.c.d)
(192.168.2.3)
|
Head office LAN
(192.168.2.0/24)
The remote offices are for the most part connected to the internet with a dynamic ip address (roadwarrior)
and so I have used an ID to keep them apart.
My ipsec.conf file is as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v
    protostack=netkey
    plutodebug=none
    klipsdebug=none

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=secret
    dpddelay=60
    dpdtimeout=120
    dpdaction=clear

conn Office1
    auto=add
    left=a.b.c.d                # external ip of the Linux server
    leftsourceip=192.168.2.3    # internal LAN address of the Linux server
    leftsubnet=192.168.2.0/24   # internal subnet on the head office side
    right=%any                  # other side uses a dynamic ip, so %any is needed here
    rightsourceip=10.0.2.1      # local ip address of the Draytek router on the other side
    rightsubnet=10.0.2.0/24     # local subnet of remote office 1
    rightid=@RemoteOffice1      # ID the office presents, used to pick the right tunnel
    keyexchange=ike
    keyingtries=5
    type=tunnel
    disablearrivalcheck=no
    authby=secret
    pfs=yes

conn Office2
    auto=add
    left=a.b.c.d
    leftsourceip=192.168.2.3
    leftsubnet=192.168.2.0/24
    right=%any
    rightsourceip=10.0.3.1
    rightsubnet=10.0.3.0/24
    rightid=@RemoteOffice2
    keyexchange=ike
    keyingtries=5
    type=tunnel
    disablearrivalcheck=no
    authby=secret
    pfs=yes
And there are more offices configured in the file but they are much the same, except for the subnet.
The Draytek routers can connect without any problem and I can ping the remote subnets from the Linux server.
I can also ping the remote computers in the remote offices from the Head Office LAN.
It is however not possible to ping a system in Remote Office 2 from Remote Office 1:
e.g. In Remote Office 1: ping 10.0.3.1
After using a "tcpdump -n icmp" I saw that traffic is going from the computer in Remote Office 1 to the Linux server
but from there it doesn't travel to the Remote Office 2.
How will I be able to access services in Remote Office 2 from Remote Office 1 (e.g. ping or access to a web server)?
Regards,
Dennis
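To make the "arrives at the hub but never leaves" observation concrete, here is an added example (not from the thread or from Openswan) that parses ipsec.conf-style conn sections into traffic selectors and checks which tunnel, if any, covers a given flow. The conf text is constructed from the subnets in the post; the conn name Office1-Office2 for a direct tunnel is hypothetical.

```python
import ipaddress

# Constructed sample in ipsec.conf syntax, modelled on the hub config in the post
# (the subnets are the ones given in the thread; conn names are the post's).
HUB_CONF = """\
conn %default
    authby=secret
conn Office1
    leftsubnet=192.168.2.0/24   # head office LAN
    rightsubnet=10.0.2.0/24     # remote office 1
conn Office2
    leftsubnet=192.168.2.0/24
    rightsubnet=10.0.3.0/24     # remote office 2
"""
# Selectors a direct Office1<->Office2 tunnel would carry (hypothetical conn name).
DIRECT_CONF = """\
conn Office1-Office2
    leftsubnet=10.0.2.0/24
    rightsubnet=10.0.3.0/24
"""

def parse_conns(text):
    """ipsec.conf-style text -> {conn_name: {key: value}}.  A line in column 1
    opens a section, indented lines are its key=value parameters, '#' comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def selectors(text):
    """Traffic selectors (local_net, remote_net, conn) of every conn with subnets."""
    return [(ipaddress.ip_network(p["leftsubnet"]), ipaddress.ip_network(p["rightsubnet"]), name)
            for name, p in parse_conns(text).items() if "leftsubnet" in p]

def match_tunnel(sels, src, dst):
    """Conn whose selectors cover src->dst in either direction, else None.
    A flow with no match is never handed to any tunnel by the hub."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, name in sels:
        if (s in local and d in remote) or (s in remote and d in local):
            return name
    return None
```

On the hub's selectors the 10.0.2.x -> 10.0.3.1 ping matches neither Office1 nor Office2, while the same flow does match the selectors of a direct tunnel between the two remote offices.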