[Openswan Users] Not able to ping other subnet
Dennis van der Meer
dennisvandermeer at greenchem-adblue.com
Mon Mar 22 04:10:17 EDT 2010
Hi Nick,

Yes, I have done this. I know the Draytek router doesn't know anything about the other subnets and cannot route traffic otherwise. I was able to receive the ICMP requests on my Linux server so they travel across the VPN to the head office. They just don't travel to the other side.

I have no idea why I enabled NAT Traversal. I think I saw it in an example somewhere when I first tried to get things working and left it in there. Direct VPNs between the Drayteks will not work because the local offices do not have a static IP address. That's why I want everything to go through the head office. And besides, it will create a lot of overhead. There are about 7 regional offices and I would need a lot of VPN connections to get all the offices to talk to each other.
Dennis,

Are you sure the Draytek at Remote Office 1 is routing traffic to Remote Office 2 via the head office? I don't believe it would normally do that unless you have set up a specific route.

As an aside, why have you enabled NAT Traversal?

Not an Openswan solution, but can you not set up direct VPNs between the Drayteks?
On 19/03/2010 08:40, Dennis van der Meer wrote:
Hi,

I have the following situation:

We have several sales offices that connect to our head office via an IPsec connection, which is established by a Draytek router. On our server side we have a Linux server running with Openswan (Linux Openswan U2.6.20/K2.6.27.7-smp (netkey)).

Our head office internal network range is 192.168.2.x/24 and our sales offices are in the range of 10.0.x.0/24. So, e.g.:
Remote office LAN 1
(10.0.2.0/24)
|
Draytek router (10.0.2.1)
|
Internet
|
Linux server (ext. ip: a.b.c.d)
(192.168.2.3)
|
Head office LAN
(192.168.2.0/24)
The remote offices are for the most part connected to the internet with a dynamic IP address (roadwarrior) and so I have used an ID to keep them apart.

My ipsec.conf file is as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v
    protostack=netkey
    plutodebug=none
    klipsdebug=none

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=secret
    dpddelay=60
    dpdtimeout=120
    dpdaction=clear

conn Office1
    auto=add
    left=a.b.c.d                  # external IP of the Linux server
    leftsourceip=192.168.2.3      # internal LAN address of the Linux server
    leftsubnet=192.168.2.0/24     # internal subnet on the head office side
    right=%any                    # other side uses a dynamic IP, so %any is required here
    rightsourceip=10.0.2.1        # local IP address of the Draytek router on the other side
    rightsubnet=10.0.2.0/24       # local subnet of remote office 1
    rightid=@RemoteOffice1        # ID the office presents, used to select the tunnel
    keyexchange=ike
    keyingtries=5
    type=tunnel
    disablearrivalcheck=no
    authby=secret
    pfs=yes

conn Office2
    auto=add
    left=a.b.c.d
    leftsourceip=192.168.2.3
    leftsubnet=192.168.2.0/24
    right=%any
    rightsourceip=10.0.3.1
    rightsubnet=10.0.3.0/24
    rightid=@RemoteOffice2
    keyexchange=ike
    keyingtries=5
    type=tunnel
    disablearrivalcheck=no
    authby=secret
    pfs=yes
And there are more offices configured in the file but they are much the same, except for the subnet.

The Draytek routers can connect without any problem and I can ping the remote subnets from the Linux server. I can also ping the remote computers in the remote offices from the Head Office LAN.

It is, however, not possible to ping a system in Remote Office 2 from Remote Office 1:

e.g. In Remote Office 1: ping 10.0.3.1

After using a "tcpdump -n icmp" I saw that traffic is going from the computer in Remote Office 1 to the Linux server, but from there it doesn't travel to Remote Office 2.

How will I be able to access services in Remote Office 2 from Remote Office 1 (e.g. ping or access to a web server)?
Regards,
Dennis
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
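The symptom in the original post (ICMP from Remote Office 1 reaches the Linux server but never enters the Remote Office 2 tunnel) is what one expects when the hub has no IPsec policy whose selectors pair the two spoke subnets: with the netkey stack, Openswan installs kernel SPD entries only for the leftsubnet/rightsubnet pairs of its conns, and a decrypted packet from 10.0.2.0/24 to 10.0.3.0/24 matches none of them, so the kernel does not hand it to the Office2 tunnel. The script below is an added diagnostic example, not code from the thread or from Openswan: it parses an ipsec.conf in the posted style (a constructed copy of the posted conns, trimmed to the subnet-relevant options), lists the selector pairs the conns establish, checks whether a given src/dst flow is covered, and generalises to all pairs of spoke subnets that have no policy on the hub. The helper names and the sample config are assumptions of this example.

```python
"""Selector-coverage check for a hub-and-spoke Openswan ipsec.conf.

Added example, not part of the original mailing-list thread.  The sample
configuration below is constructed from the conns posted in the thread.
"""
import ipaddress
import itertools

# Constructed sample, modelled on the posted ipsec.conf (truncated
# virtual_private line and tunnel options that do not affect selectors left out).
SAMPLE_CONF = """\
version 2.0

config setup
    protostack=netkey

conn %default
    authby=secret

conn Office1
    left=a.b.c.d
    leftsubnet=192.168.2.0/24
    right=%any
    rightsubnet=10.0.2.0/24
    rightid=@RemoteOffice1

conn Office2
    left=a.b.c.d
    leftsubnet=192.168.2.0/24
    right=%any
    rightsubnet=10.0.3.0/24
    rightid=@RemoteOffice2
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Lines at column 0 start a section; indented key=value lines belong to it.
    Values from 'conn %default' are merged into every other conn, as Openswan does.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header
            parts = line.split(None, 1)
            if parts[0] == "conn" and len(parts) == 2:
                current = sections.setdefault(parts[1].strip(), {})
            else:
                current = None                    # 'version' or 'config setup'
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **params} for name, params in sections.items()}


def subnet_pair(params):
    """(leftsubnet, rightsubnet) as networks, or None for a host-to-host conn."""
    if "leftsubnet" not in params or "rightsubnet" not in params:
        return None
    return (ipaddress.ip_network(params["leftsubnet"]),
            ipaddress.ip_network(params["rightsubnet"]))


def covering_conns(conns, src, dst):
    """Names of conns whose selectors carry src -> dst (in either orientation)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name, params in conns.items():
        pair = subnet_pair(params)
        if pair is None:
            continue
        left, right = pair
        if (src in left and dst in right) or (src in right and dst in left):
            hits.append(name)
    return sorted(hits)


def uncovered_spoke_pairs(conns):
    """Pairs of right-side (spoke) subnets between which no conn carries traffic.

    Traffic between such a pair that arrives at the hub matches no IPsec policy,
    which is exactly the case in the thread: packets leave one tunnel and are
    never placed into the other.
    """
    spokes = sorted({str(pair[1]) for pair in map(subnet_pair, conns.values()) if pair})
    missing = []
    for a, b in itertools.combinations(spokes, 2):
        a_host = str(ipaddress.ip_network(a)[1])  # first host address of each subnet
        b_host = str(ipaddress.ip_network(b)[1])
        if not covering_conns(conns, a_host, b_host):
            missing.append((a, b))
    return missing


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for src, dst in [("192.168.2.10", "10.0.3.1"), ("10.0.2.5", "10.0.3.1")]:
        print(f"{src} -> {dst}: covered by {covering_conns(conns, src, dst) or 'no conn'}")
    print("spoke pairs with no policy on the hub:", uncovered_spoke_pairs(conns))
```

Run against the sample, the head-office-to-Office2 flow is covered by `Office2`, while the Office1-to-Office2 flow is covered by nothing, and the last line lists `10.0.2.0/24` / `10.0.3.0/24` as the spoke pair without a hub policy. On a live netkey host the same question can be answered from the kernel side with `ip xfrm policy`, which shows the installed selectors directly.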