[Openswan Users] linux to linux connection is setup ok but hosts cannot ping through the connection

Bob Miller bob at computerisms.ca
Mon Nov 15 12:16:29 EST 2010


Interesting.  I recently set up a tunnel where one end had only one
interface but needed a subnet configuration, and I used a virtual
interface eth0:1 for it.  The thing that took me a long time to figure
out was the iptables rules to make it work, but you say that is not a
factor here.
I have two suggestions: in your linux-to-linux conn, try leftsourceip
and rightsourceip; you need those to ping the actual gateways of each
subnet at each end.  And have you tried dumping traffic to see where
packets are actually going?

On Mon, 2010-11-15 at 17:25 +0200, Piavlo wrote:
> Hi,
> 
> I hope someone can help me as I'm really stuck with this.
> 
> I have two Linux hosts running Ubuntu Maverick with Openswan 2.6.26.
> The ISAKMP and IPsec SAs are established ok, but I can not ping a subnet
> IP through the tunnel.
> 
> Both hosts have only one physical interface, through which the IPsec tunnel
> is established.
> In order to have subnet-like behaviour I've set up a virtual interface as
> a TAP device and assigned an IP address to it on each host.
> 
> The ipsec.conf is:
> ------------
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:192.168.0.0/16
>         oe=off
>         protostack=netkey
> 
> conn linux-to-linux
>         connaddrfamily=ipv4
>         type=tunnel
>         authby=rsasig
>         ike=3des-sha1
>         phase2=esp
>         phase2alg=3des-sha1
>         left=10.227.37.62
>         leftid=@vpn01a
>         leftsubnet=192.168.1.0/24
>         leftrsasigkey=0sAwE....
>         right=10.235.41.152
>         rightid=@vpn01b
>         rightsubnet=192.168.2.0/24
>         rightrsasigkey=0sAwE...
>         auto=add
> ---------------
> 
> And relevant interface configs are:
> ------------------
> #On vpn01a /etc/network/interfaces
> auto tap0
> iface tap0 inet static
>         pre-up /usr/sbin/openvpn --mktun --dev tap0
>         post-down /usr/sbin/openvpn --rmtun --dev tap0
>         address 192.168.1.1
>         netmask 255.255.255.0
> 
> root at vpn01a:~# netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.227.37.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 tap0
> 0.0.0.0         10.227.37.1     0.0.0.0         UG        0 0          0 eth0
> root at vpn01a:~#
> -----------------
> #On vpn01b /etc/network/interfaces
> auto tap0
> iface tap0 inet static
>         pre-up /usr/sbin/openvpn --mktun --dev tap0
>         post-down /usr/sbin/openvpn --rmtun --dev tap0
>         address 192.168.2.1
>         netmask  255.255.255.0
> 
> root at vpn01b:~# netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 tap0
> 10.235.41.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 0.0.0.0         10.235.41.1     0.0.0.0         UG        0 0          0 eth0
> root at vpn01b:~#
> ------------------
> 
> So when I'm on vpn01a I can not ping 192.168.2.1 (but obviously can
> ping 192.168.1.1), and vice versa on vpn01b.
> 
> No firewall is running on these hosts, and no nat between the hosts.
> 
> I've tried changing almost everything I could think of, but nothing helps.
> For example, changing left/rightsubnet=192.168.X.0/24 to
> left/rightsubnet=192.168.X.1/32
> and the tap0 interface netmask from 255.255.255.0 to 255.255.255.255,
> changing nat_traversal to no or left/rightnexthop to different values,
> and much more I can't even remember now.
> 
> So if anyone has got any clues, please help.
> 
> Thanks a lot
> Alex
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
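The following is an added example, not code from either poster or from Openswan. It models the two kernel decisions that decide whether a ping from vpn01a to 192.168.2.1 is encrypted at all: the route lookup that picks the packet's source address, and the IPsec policy match against the leftsubnet/rightsubnet selectors. The addresses are the ones from the quoted ipsec.conf and netstat output; the routing-table rows, the policy tuple and the with_sourceip helper (which mirrors the route-with-src-hint that leftsourceip causes the updown script to add) are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    dst: Net                    # destination prefix (Destination/Genmask in netstat -rn)
    iface: str                  # outgoing interface
    iface_addr: IPv4            # primary address of that interface
    src: Optional[IPv4] = None  # "src" hint on the route, as leftsourceip installs


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


def addr(s: str) -> IPv4:
    return ipaddress.ip_address(s)


# Routing table of vpn01a, constructed from the netstat -rn output in the thread.
VPN01A_ROUTES: List[Route] = [
    Route(net("10.227.37.0/24"), "eth0", addr("10.227.37.62")),
    Route(net("192.168.1.0/24"), "tap0", addr("192.168.1.1")),
    Route(net("0.0.0.0/0"), "eth0", addr("10.227.37.62")),  # default via 10.227.37.1
]

# Policy selectors installed by conn linux-to-linux: leftsubnet -> rightsubnet.
POLICY: Tuple[Net, Net] = (net("192.168.1.0/24"), net("192.168.2.0/24"))


def lookup(routes: List[Route], dst: IPv4) -> Route:
    """Longest-prefix match over the table, as the kernel FIB lookup does."""
    candidates = [r for r in routes if dst in r.dst]
    return max(candidates, key=lambda r: r.dst.prefixlen)


def pick_source(routes: List[Route], dst: IPv4,
                explicit_src: Optional[IPv4] = None) -> IPv4:
    """Source address the kernel chooses for a locally generated packet:
    an explicitly bound address (ping -I) wins, then the route's src hint,
    then the primary address of the outgoing interface."""
    if explicit_src is not None:
        return explicit_src
    route = lookup(routes, dst)
    return route.src if route.src is not None else route.iface_addr


def enters_tunnel(routes: List[Route], dst: str,
                  explicit_src: Optional[str] = None) -> Tuple[str, bool]:
    """Return (source_used, matched): matched is True only if the src/dst pair
    falls inside the policy selectors, i.e. the packet would be ESP-encrypted.
    Otherwise it leaves eth0 in the clear and the far end never answers."""
    d = addr(dst)
    s = pick_source(routes, d, addr(explicit_src) if explicit_src else None)
    src_sel, dst_sel = POLICY
    return str(s), (s in src_sel and d in dst_sel)


def with_sourceip(routes: List[Route], remote_subnet: str, sourceip: str) -> List[Route]:
    """Model of leftsourceip: the updown script adds a route to the remote
    subnet carrying the configured address as its src hint."""
    base = lookup(routes, net(remote_subnet).network_address)
    extra = Route(net(remote_subnet), base.iface, base.iface_addr, addr(sourceip))
    return routes + [extra]


if __name__ == "__main__":
    print("plain ping 192.168.2.1:", enters_tunnel(VPN01A_ROUTES, "192.168.2.1"))
    print("ping -I 192.168.1.1:", enters_tunnel(VPN01A_ROUTES, "192.168.2.1", "192.168.1.1"))
    fixed = with_sourceip(VPN01A_ROUTES, "192.168.2.0/24", "192.168.1.1")
    print("with leftsourceip:", enters_tunnel(fixed, "192.168.2.1"))
```

Run as-is it shows the failure mode in the thread: without a source hint the default route wins, the kernel picks 10.227.37.62 as source, and that address is outside leftsubnet, so the policy does not match and nothing is encrypted. Binding to the tap0 address (ping -I 192.168.1.1) or configuring leftsourceip/rightsourceip puts the source inside the selector; a tcpdump on eth0 showing ICMP instead of ESP is the corresponding on-host check.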


