[Openswan Users] vpn site to site for list of ip's
Daniel Pezoa
dpforos at yahoo.com
Fri Sep 10 11:44:23 EDT 2010
Hi Paul,

Thanks for the suggestion, I have tried the following configuration:
conn xxx_yyy1
    leftsubnet=172.16.56.29/32
    also=xxx_yyy_base
conn xxx_yyy2
    leftsubnet=172.16.56.158/32
    also=xxx_yyy_base
conn xxx_yyy_base
    type=tunnel
    left=xxx.xxx.xxx.xxx
    right=yyy.yyy.yyy.yyy
    rightsubnet=192.168.100.0/24
    authby=secret
    ike="3des-sha1-modp1024"
    ikelifetime=24h
    phase2alg="3des-sha1;modp1024"
    salifetime=1h
    pfs=no
    auto=start
That one lets me access only the IP 172.16.56.29, but not the other IP, 172.16.56.158.
If I change the order of my destination IPs, I get access to the other one,
172.16.56.158, but not to the IP 172.16.56.29:
conn xxx_yyy1
    leftsubnet=172.16.56.29/32
    also=xxx_yyy_base
conn xxx_yyy2
    leftsubnet=172.16.56.158/32
    also=xxx_yyy_base
conn xxx_yyy_base
    type=tunnel
    left=xxx.xxx.xxx.xxx
    right=yyy.yyy.yyy.yyy
    rightsubnet=192.168.100.0/24
    authby=secret
    ike="3des-sha1-modp1024"
    ikelifetime=24h
    phase2alg="3des-sha1;modp1024"
    salifetime=1h
    pfs=no
    auto=start
I understand what is happening, but not how to solve the situation. The first
destination is the one used and the other one is discarded because the IPs are
in the same segment (172.26.56.0/24), but how should I put some specific 10 IPs
as the destination, without overlapping and getting access only to the first one?
Thanks in advance
Daniel
----- Original Message ----
From: Paul Wouters <paul at xelerance.com>
To: Daniel Pezoa <dpforos at yahoo.com>
Cc: users at openswan.org
Sent: Thu, September 9, 2010 10:50:18 PM
Subject: Re: [Openswan Users] vpn site to site for list of ip's
On Thu, 9 Sep 2010, Daniel Pezoa wrote:
> I have been making a configuration for a site-to-site VPN with the following
> alternate configurations (I have tried one at a time):
>
> 1.- Old style
>
> conn xxx_yyy1
>     leftsubnets={172.16.56.29/32}
Can you try writing that as a single one, e.g. leftsubnet=172.16.56.29/32
>     also=xxx_yyy_base
> conn xxx_yyy2
>     leftsubnets={172.16.56.158/32}
and leftsubnet=172.16.56.158/32
>     also=xxx_yyy_base
> conn xxx_yyy_base
>     type=tunnel
>     left=xxx.xxx.xxx.xxx
>     right=yyy.yyy.yyy.yyy
>     rightsubnets={192.168.100.0/24}
and rightsubnet=192.168.100.0/24
>     authby=secret
>     ike="3des-sha1-modp1024"
>     ikelifetime=24h
>     phase2alg="3des-sha1;modp1024"
>     salifetime=1h
>     pfs=no
>     auto=start
And see if that makes it work?
> 2.- New style
>
> conn xxx_yyy2
>     type=tunnel
>     left=xxx.xxx.xxx.xxx
>     leftsubnets={172.16.56.158/32,172.16.56.29/32}
>     right=yyy.yyy.yyy.yyy
>     rightsubnets={192.168.100.0/24}
>     authby=secret
>     ike="3des-sha1-modp1024"
>     ikelifetime=24h
>     phase2alg="3des-sha1;modp1024"
>     salifetime=1h
>     pfs=no
>     auto=start
>
> The problem I have is the following: the VPN can be established and works, but
> only for one of the two destination IPs, the last one; if I change the order,
> the other IP is the one that works. The question is how I put a list of IP
> destinations for a site-to-site VPN; can anyone help me with that trouble?
That might be a bug in the remote end's implementation or configuration then,
especially if my suggestion above does not work.
Paul
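Added here as a check, not code from either poster: a small Python script that parses an ipsec.conf layout like the one in this thread (two /32 conns pulling xxx_yyy_base in through also=), flattens the includes and lists any two conns whose left and right traffic selectors overlap each other. The sample conf is constructed from the thread's values with the left=/right= peer lines left out; for the posted layout the result is empty, since 172.16.56.29/32 and 172.16.56.158/32 are disjoint selectors.

```python
import ipaddress
import re
# Constructed ipsec.conf excerpt mirroring the thread's layout (left=/right= peer lines omitted).
SAMPLE_CONF = """\
conn xxx_yyy1
    leftsubnet=172.16.56.29/32
    also=xxx_yyy_base
conn xxx_yyy2
    leftsubnet=172.16.56.158/32
    also=xxx_yyy_base
conn xxx_yyy_base
    rightsubnet=192.168.100.0/24
"""

def parse_conns(text):
    """{name: {key: value}} for each 'conn' section; comments and quotes stripped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'conn\s+(\S+)$', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and '=' in line:
            k, v = line.split('=', 1)
            cur[k.strip()] = v.strip().strip('"')
    return conns

def resolve(conns, name, seen=()):
    """Flatten also= includes; a key set in the including conn is kept over the included one."""
    if name in seen:
        raise ValueError('also= loop through ' + name)
    own = dict(conns[name])
    merged = resolve(conns, own.pop('also'), seen + (name,)) if 'also' in own else {}
    merged.update(own)
    return merged

def selectors(conf, side):
    """Networks on one side from leftsubnet=a or braced leftsubnets={a,b}; [] if neither is set."""
    single = conf.get(side + 'subnet')
    raw = [single] if single else re.findall(r'[^{},\s]+', conf.get(side + 'subnets', ''))
    return [ipaddress.ip_network(s, strict=False) for s in raw]

def overlapping_conns(text):
    """Sorted (conn_a, conn_b) pairs whose left and right selectors both overlap."""
    conns = parse_conns(text)
    pairs = [(n, l, r) for n in conns for l in selectors(resolve(conns, n), 'left')
             for r in selectors(resolve(conns, n), 'right')]
    return sorted({(na, nb) for i, (na, la, ra) in enumerate(pairs)
                   for nb, lb, rb in pairs[i + 1:]
                   if na != nb and la.overlaps(lb) and ra.overlaps(rb)})
```

Run it against a conf that adds a third conn with leftsubnets={172.16.56.0/24} against the same rightsubnet and it reports that conn against both /32 conns, which is the kind of overlap worth catching before loading the file.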