[Openswan Users] Not able to ping other subnet

Nick Howitt n1ck.h0w1tt at gmail.com
Mon Mar 22 08:56:14 EDT 2010


Dennis,

Again, nothing to do with Openswan, but there is no problem setting up
VPNs between Drayteks on dynamic IPs. You will need to use a dynamic
DNS service such as DtDNS (which is better than DynDNS with
Drayteks), but otherwise the setup is straightforward. I have been
doing it for a few years now. I do understand there would be a bit of
work to get all the routers set up. A lot of their routers support 16+
or 32+ simultaneous tunnels so 7 offices should be fine.

Nick

Quoting "Dennis van der Meer" <dennisvandermeer at greenchem-adblue.com>:

> Hi Nick,
>
> Yes, I have done this. I know the Draytek router doesn't know anything
> about the other subnets and cannot route traffic otherwise. I was able
> to receive the ICMP requests on my Linux server so they travel across
> the VPN to the head office. They just don't travel to the other side.
>
> I have no idea why I enabled NAT Traversal. I think I saw it in an
> example somewhere when I first tried to get things working and left it
> in there. Direct VPNs between the Drayteks will not work because the
> local offices do not have a static IP address. That's why I want
> everything to go through the head office. And besides, it will create
> a lot of overhead. There are about 7 regional offices and I would need
> a lot of VPN connections to get all the offices to talk to each other.
>
> Dennis,
>
> Are you sure the Draytek at Remote Office 1 is routing traffic to Remote
> Office 2 via the head office? I don't believe it would normally do that
> unless you have set up a specific route.
>
> As an aside, why have you enabled NAT Traversal?
> Not an Openswan solution, but can you not set up direct VPNs between
> the Drayteks?
>
> On 19/03/2010 08:40, Dennis van der Meer wrote:
>
> Hi,
>
> I have the following situation:
>
> We have several sales offices that connect to our head office via an
> IPsec connection, which is established by a Draytek router. On our
> server side we have a Linux server running with Openswan
> (Linux Openswan U2.6.20/K2.6.27.7-smp (netkey)).
>
> Our head office internal network range is 192.168.2.x/24 and our sales
> offices are in the range of 10.0.x.0/24. So, e.g.:
>
>     Remote office LAN 1 (10.0.2.0/24)
>              |
>     Draytek router (10.0.2.1)
>              |
>          Internet
>              |
>     Linux server (ext. ip: a.b.c.d) (192.168.2.3)
>              |
>     Head office LAN (192.168.2.0/24)
>
> The remote offices are for the most part connected to the internet with
> a dynamic IP address (roadwarrior) and so I have used an ID to keep them
> apart.
>
> My ipsec.conf file is as follows:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         uniqueids=yes
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v
>         protostack=netkey
>         plutodebug=none
>         klipsdebug=none
>
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=secret
>         dpddelay=60
>         dpdtimeout=120
>         dpdaction=clear
>
> conn Office1
>         auto=add
>         left=a.b.c.d              (=external ip Linux server)
>         leftsourceip=192.168.2.3  (=internal LAN address Linux server)
>         leftsubnet=192.168.2.0/24 (=internal subnet on head office side)
>
>         right=%any                (=other side uses dynamic ip so have
>                                    to use %any here)
>         rightsourceip=10.0.2.1    (=local ip address of Draytek router
>                                    from other side)
>         rightsubnet=10.0.2.0/24   (=local subnet of remote office 1)
>         rightid=@RemoteOffice1    (=ID for office to identify which
>                                    tunnel to use)
>
>         keyexchange=ike
>         keyingtries=5
>         type=tunnel
>         disablearrivalcheck=no
>         authby=secret
>         pfs=yes
>
> conn Office2
>         auto=add
>         left=a.b.c.d
>         leftsourceip=192.168.2.3
>         leftsubnet=192.168.2.0/24
>
>         right=%any
>         rightsourceip=10.0.3.1
>         rightsubnet=10.0.3.0/24
>         rightid=@RemoteOffice2
>
>         keyexchange=ike
>         keyingtries=5
>         type=tunnel
>         disablearrivalcheck=no
>         authby=secret
>         pfs=yes
>
> And there are more offices configured in the file but they are much the
> same, except for the subnet.
>
> The Draytek routers can connect without any problem and I can ping the
> remote subnets from the Linux server. I can also ping the remote
> computers in the remote offices from the Head Office LAN.
>
> It is however not possible to ping a system in Remote Office 2 from
> Remote Office 1, e.g. in Remote Office 1: ping 10.0.3.1
>
> After using "tcpdump -n icmp" I saw that traffic is going from the
> computer in Remote Office 1 to the Linux server, but from there it
> doesn't travel to Remote Office 2.
>
> How will I be able to access services in Remote Office 2 from Remote
> Office 1 (e.g. ping or access to a web server)?
>
> Regards,
>
> Dennis
>
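One way to let the head-office Openswan box relay spoke-to-spoke traffic, added here as an example and not part of the thread: with the netkey stack the Linux server only encrypts a packet that matches an IPsec policy, and the conns above only cover 192.168.2.0/24 <-> 10.0.x.0/24, so a ping decrypted from 10.0.2.0/24 and addressed to 10.0.3.1 matches no policy and never enters the Office2 tunnel. The extra hub-side conns below pair each spoke's subnet with the other spoke's subnet (conn names are mine; the existing Office1/Office2 conns stay as they are), and each Draytek must also be configured with the other office's subnet as a remote network for its tunnel, otherwise, as Nick says, it will not send that traffic into the VPN.

```ini
# Added example (not from the thread): hub-side conns so Remote Office 1
# (10.0.2.0/24, peer @RemoteOffice1) and Remote Office 2 (10.0.3.0/24,
# peer @RemoteOffice2) can reach each other via the Linux server.
# Requires net.ipv4.ip_forward=1 on the server (already needed for the
# head office LAN to reach the spokes). Conn names are assumptions.

conn Office1-to-Office2
        auto=add
        left=a.b.c.d
        leftsubnet=10.0.3.0/24        # Office 2's LAN, reached through the hub
        right=%any
        rightsubnet=10.0.2.0/24       # Office 1's LAN, behind this peer
        rightid=@RemoteOffice1
        keyexchange=ike
        type=tunnel
        authby=secret
        pfs=yes

conn Office2-to-Office1
        auto=add
        left=a.b.c.d
        leftsubnet=10.0.2.0/24        # Office 1's LAN, reached through the hub
        right=%any
        rightsubnet=10.0.3.0/24       # Office 2's LAN, behind this peer
        rightid=@RemoteOffice2
        keyexchange=ike
        type=tunnel
        authby=secret
        pfs=yes
```

Once both spokes have negotiated these pairs, `ip xfrm policy` on the server should list entries for src 10.0.2.0/24 dst 10.0.3.0/24 and the reverse, and the ping that previously stopped at the server will show up as ESP leaving towards Office 2's peer address.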


