[Openswan Users] linux to linux connection is setup ok but hosts cannot ping through the connection

Piavlo piavka at cs.bgu.ac.il
Mon Nov 15 10:25:40 EST 2010 

 Hi,

I hope someone can help me as I'm really stuck with this.

I've two linux hosts running ubuntu maverick with openswan 2.6.26
The ISAKMP and IPsec SAs are established ok , but I can not ping subnet
ip through the tunnel.

Both hosts have only one physical interface through which IPsec tunnel
is established.
In order to have a subnet like behaviour I've setup virtual interface as
TAP device and assigned ip address to in on each host.

The ipsec.conf is:
------------
config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16
        oe=off
        protostack=netkey

conn linux-to-linux
        connaddrfamily=ipv4
        type=tunnel
        authby=rsasig
        ike=3des-sha1
        phase2=esp
        phase2alg=3des-sha1
        left=10.227.37.62
        leftid=@vpn01a
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0sAwE....
        right=10.235.41.152
        rightid=@vpn01b
        rightsubnet=192.168.2.0/24
        rightrsasigkey=0sAwE...
        auto=add
---------------

And relevant interface configs are:
------------------
#On vpn01a /etc/network/interfaces
auto tap0
iface tap0 inet static
        pre-up /usr/sbin/openvpn --mktun --dev tap0
        post-down /usr/sbin/openvpn --rmtun --dev tap0
        address 192.168.1.1
        netmask 255.255.255.0

root at vpn01a:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
10.227.37.0     0.0.0.0         255.255.255.0   U         0 0          0
eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0
tap0
0.0.0.0         10.227.37.1     0.0.0.0         UG        0 0          0
eth0
root at vpn01a:~#
-----------------
#On vpn01b /etc/network/interfaces
auto tap0
iface tap0 inet static
        pre-up /usr/sbin/openvpn --mktun --dev tap0
        post-down /usr/sbin/openvpn --rmtun --dev tap0
        address 192.168.2.1
        netmask  255.255.255.0

root at vpn01b:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0
tap0
10.235.41.0     0.0.0.0         255.255.255.0   U         0 0          0
eth0
0.0.0.0         10.235.41.1     0.0.0.0         UG        0 0          0
eth0
root at vpn01b:~#
------------------

So then i'm on vpn01a I can not ping 192.168.2.1 (but obviously can
ping  192.168.1.1)
and vice versa on vpn01b.

No firewall is running on these hosts, and no nat between the hosts.

I've tried changing almost everything I could think of but nothing helps.
For example changing left/rightsubnet=192.168.X.0/24 two
left/rightsubnet=192.168.X.1/32
and tap0 inetface netmask  from 255.255.255.0 to 255.255.255.255.
Changing nat_traversal to no or left/rightnexthop to different values
and much more I can't even remember of now.

So if anyone has got any clues , please help.

Thanks a lot
Alex

More information about the Users mailing list