[Openswan Users] net-to-net with multiple subnets, unrouted
paul at xelerance.com
Tue Nov 23 00:02:46 EST 2010
On Mon, 22 Nov 2010, kallen at groknaut.net wrote:
> Hi there. I'm having some difficulty setting up net-to-net with multiple
> subnets on both the left and right sides, and could use some help. Let me
> know if you'd like to see the barf.
> Three essential questions at the outset:
> 1) On the Linux gateway host, what is the correct way to tell it to route
> packets through the tunnel? There are a few incantations of "route add".
> I think I've done it correctly, but I'd like to verify.
You should not need to do any manual "route add" commands. If you are doing them
manually, you are more likely breaking it further.
> 2) Why do 3 out of 4 of my "connections" show as "unrouted; eroute owner: #0"?
> And why does the Linux gateway keep trying to, I think, negotiate additional
> IPsec SAs? And why do those attempts fail? Is it a misconfig on my end, a
> misconfig on the Juniper end, or an interop problem?
Can you show some more logs here?
> 3) When sending packets from the left to the right, why the following?
> - ping succeeds from left to right
> - netcat hitting a TCP port works (if I provide a source address)
> - telnetting to that same port does NOT work (I can't provide a source
> address to the telnet command)
Because your gateway automatically uses its "nearest IP" to talk to the remote
subnet, which in your case is your public IP. This public IP is not part of the
tunnel, so it fails. Add leftsourceip=YourInternalIP and it will create the
proper route for you to use its internal IP to talk to the remote subnet.
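As an added example (not code from this thread or from Openswan itself), the script below audits an ipsec.conf for the failure Paul describes: a conn with a leftsubnet but no leftsourceip inside it, so that traffic the gateway itself originates (the telnet case) is sourced from its public left= address and never matches the tunnel's selectors, while traffic from LAN hosts and a netcat with an explicit source work fine. The config text is constructed with documentation addresses, the conn names are invented, and the helpers parse_conns, check_side and audit are the example's own. It goes slightly beyond the thread in also flagging a leftsourceip that lies outside leftsubnet, and a left=%defaultroute it cannot resolve offline; since Openswan decides which end it is by matching its own address, you pass the side that is local (default "left").

```python
"""Audit an Openswan ipsec.conf for conns whose gateway-originated traffic
would fall outside the tunnel.  Added example, not from the original thread.
Config text and addresses below are constructed (documentation ranges)."""
import ipaddress
import re

# Constructed sample: gateway's public address 198.51.100.10, LAN 10.1.0.0/24.
# lan-to-branch-a lacks leftsourceip; lan-to-branch-b has it.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn %default
    authby=secret
    keyexchange=ike

# public side of the gateway is 198.51.100.10
conn lan-to-branch-a
    left=198.51.100.10
    leftsubnet=10.1.0.0/24
    right=203.0.113.20
    rightsubnet=10.2.0.0/24
    auto=start

conn lan-to-branch-b
    left=198.51.100.10
    leftsubnet=10.1.0.0/24
    leftsourceip=10.1.0.1
    right=203.0.113.20
    rightsubnet=10.3.0.0/24
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Section headers start in column 0, parameters are indented, '#' starts a
    comment.  Values from 'conn %default' are merged into every other conn,
    and %default itself is not returned.  ('also=' expansion is left out.)"""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"(config|conn)\s+(\S+)\s*$", line)
            if m and m.group(1) == "conn":
                current = sections.setdefault(m.group(2), {})
            else:
                current = None  # 'config setup' or unknown section: ignore
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def check_side(side, conn):
    """Problems for one local side ('left' or 'right') of a parsed conn.

    The address the gateway itself will use toward the remote subnet is
    <side>sourceip if set, otherwise its own <side>= address (the "nearest
    IP").  If that address is not inside <side>subnet, the gateway's own
    packets do not match the tunnel policy and go out in the clear or fail."""
    subnet_key, addr_key, src_key = f"{side}subnet", side, f"{side}sourceip"
    if subnet_key not in conn:
        return []  # host-to-host conn: nothing to route for a subnet
    subnet = ipaddress.ip_network(conn[subnet_key], strict=False)
    src = conn.get(src_key) or conn.get(addr_key)
    if src is None or src.startswith("%"):
        # %defaultroute, %any, ... are resolved at runtime; cannot judge offline
        return [f"{side}: cannot resolve {src!r} offline; verify {src_key} manually"]
    if ipaddress.ip_address(src) not in subnet:
        return [f"{side}: gateway-originated traffic would be sourced from {src}, "
                f"outside {subnet_key}={subnet}; set {src_key} to an address in {subnet}"]
    return []


def audit(text, side="left"):
    """Map conn name -> list of problems, only for conns that have any."""
    report = {}
    for name, conn in parse_conns(text).items():
        problems = check_side(side, conn)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONF).items():
        for p in problems:
            print(f"{name}: {p}")
```

Run it against a real file with audit(open("/etc/ipsec.conf").read()). After adding leftsourceip, confirm the route it creates with `ip route show` (the route toward the remote subnet should carry `src <leftsourceip>`) and that `ipsec auto --status` shows the conn as routed or erouted rather than unrouted.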