[Openswan Users] Openswan with NETKEY and monitoring data

Mark Dalton mdalton at princeton.edu
Wed Apr 6 17:04:14 EDT 2011


Thank you for the reply. I was making changes to my config to
try things (but I am still connected after restarting).


Either way, I want to see the clients when they come to my end
and see the data unencrypted, and each individual client.
I have tried with and without NAT.

Can I do this?

On 04/06/2011 04:08 PM, Paul Wouters wrote:
> On Wed, 6 Apr 2011, Mark Dalton wrote:
>
>> I am not seeing the data to the destination host.
>>
>>      192.168.1.0/25 -- Cisco VPN ---- (eth0)OpenSwan -- (eth2) virtual
>> IPs 192.168.0.0/25
>>         (internal)           (public IP)        (public)
      192.168.0.0/25
       But I had to set it up as
        0.0.0.0/0
> Did you really mean /25 and not /24?
>
Yes, it was the other end that gave us /25.
>>          We just see 'src 192.168.', the other data we see is mostly
>>          ESP -->  OpenSwan (public IP)
> The ESP is the encrypted data.
Yes, I want to have the data 'pass through' from the VPN to

encrypted

      other gw -- local eth2  --- openswan eth0 ------ Cisco VPN --- right side clients
                  192.168.0.0/25                 publicIP     public IP    ---  192.168.1.0/25

>> conn tunnel
>>           type=                  tunnel
>>           authby=              secret
>>           left=<openswan public IP>
>>           leftsubnet=         0.0.0.0/0
>>           leftnexthop=       192.168.0.0
> That's not a valid nexthop. It should point to the IP of the gateway on the interface you
> need to go out on, or in the default non-specified way, that of the %defaultroute.
>
Yes, I had it as default route and was playing with it to see if I could force it
to go through eth2 (which had the 192.168.0.0 network).
Previous to playing with this to make it work differently I had:
     leftnexthop=    %defaultroute
>>           right=<ext cisco public IP>
>>           rightsubnet=       192.168.1.0/25
> Note 0.0.0.0/0<->  192.168.1.0/25 does not match your diagram at the top that has
> 192.168.1.0/25<->  192.168.0.0/25
>
My diagram reverses the left/right. Yes, I found I had to set it to be 0.0.0.0/0
per the instructions from the other end, although
      192.168.0.0/25

  But I had to set it up as to get this to work..
          0.0.0.0/0

The Cisco (right side) has:

>  permit ip 192.168.1.0 0.0.0.127 any
>  !
>
>  our side (apparently the IPs?)
>    permit ip any 192.168.1.0 0.0.0.127
>
>  !
