[Openswan Users] net-to-net with multiple subnets, unrouted
kallen at groknaut.net
Tue Nov 23 03:27:29 EST 2010
On Tue, 23 Nov 2010, Paul Wouters wrote:
> On Mon, 22 Nov 2010, kallen at groknaut.net wrote:
>>
>> 1) on the linux gateway host, what is the correct way to tell it to route
>> packets through the tunnel? there are a few incantations of "route add".
>> I think I've done it correctly, but I'd like to verify.
>
> You should not need to do any manual "route add" commands. If you are doing them
> manually, you are more likely breaking it further.
ah! noted.
>> 2) why do 3 out of 4 of my "connections" show as "unrouted; eroute owner: #0"?
>> and why does the linux gateway keep trying to, I think, negotiate additional
>> IPsec SAs? and why do those attempts fail? is it a misconfig on my end, a
>> misconfig on the Juniper end? or an interop problem?
>
> Can you show some more logs here?
yep. do you want plutodebug="all"? if so, I've got 4300+ lines of log
(347K uncompressed). ok to send it to the list?
>> 3) when sending packets from the left to the right, why the following?
>> - ping succeeds from left to right
>> - netcat hitting a TCP port works (if I provide a source address)
>> - telneting to that same port does NOT work (I can't provide a source
>> address to the telnet command)
>
> Because your gateway automatically uses its "nearest IP" to talk to the remote
> subnet, which in your case is your public ip. This public ip is not part of the
> tunnel, so it fails. Add leftsourceip=YourInternalIP and it will create the
> proper route for you to use its internal IP to talk to the remote subnet.
noted. thanks!
after using leftsourceip, keeping my hands off the routes, and firing
it up, I have a route to one of the two rightsubnets:
192.168.101.0 5.5.5.100 255.255.255.0 UG 0 0 0 eth1
but how do I get routes for all rightsubnets? this is probably a symptom of the
problem in #2 above.
thanks,
kallen
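For readers following this thread: below is an added example of how a net-to-net
setup with more than one remote subnet is normally expressed in Openswan 2.6.x
ipsec.conf. It is not the poster's configuration and not Paul's; the addresses
(left public 5.5.5.100, left internal 192.168.1.0/24 with leftsourceip 192.168.1.1,
right peer 6.6.6.1, remote subnets 192.168.101.0/24 and 192.168.102.0/24), the PSK
authentication and the IKE/ESP proposals are all assumptions chosen for illustration.
The point it shows is one conn per left/right subnet pair, sharing the common
parameters through `also=`, with leftsourceip on each so Pluto installs the route
for every remote subnet itself (no manual "route add", as Paul says above).

```ini
# /etc/ipsec.conf (Openswan 2.6.x) - added example, not the poster's config.
# All addresses, the PSK choice and the proposals below are assumptions.
config setup
        protostack=netkey
        nat_traversal=no

# Shared settings. No auto= here, so this conn is never loaded on its own;
# it only supplies values to the conns that reference it with also=.
conn juniper-base
        type=tunnel
        authby=secret                 # assumed PSK; key goes in ipsec.secrets
        left=5.5.5.100                # assumed public IP of the Linux gateway
        leftsubnet=192.168.1.0/24     # assumed local LAN behind the gateway
        leftsourceip=192.168.1.1      # gateway's own LAN address; makes the
                                      # installed route use this as src, so
                                      # telnet/ssh from the gateway enter the tunnel
        right=6.6.6.1                 # assumed Juniper public IP
        ike=3des-sha1;modp1024        # assumed; must match the Juniper's Phase 1
        phase2=esp
        phase2alg=3des-sha1           # assumed; must match the Juniper's Phase 2
        pfs=no                        # assumed; Juniper side must agree

# One conn per remote subnet: each negotiates its own Phase 2 SA whose
# selectors (proxy IDs) are leftsubnet <-> rightsubnet.
conn juniper-net101
        also=juniper-base
        rightsubnet=192.168.101.0/24
        auto=start

conn juniper-net102
        also=juniper-base
        rightsubnet=192.168.102.0/24
        auto=start
```

After `ipsec restart`, `ipsec auto --status` should list each conn as "erouted" with a
non-zero "eroute owner", and `ip route show` should contain one route per rightsubnet
with `src 192.168.1.1`. A conn that stays "unrouted; eroute owner: #0" never
completed Phase 2; the usual thing to compare at that point is the subnet pair the
Linux side proposes against the proxy IDs the Juniper is configured to accept for that
tunnel, since Openswan requires an exact match per conn and the logs Paul asked for
will show which proposal was rejected.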