[Openswan Users] IPsec-Setup

Thomas Schweikle tps at vr-web.de
Tue Apr 12 17:01:13 EDT 2011 

Am 12.04.2011 21:20, schrieb Willie Gillespie:
> On 4/12/2011 8:42 AM, Thomas Schweikle wrote:
>> For the client:
>> http://home.vrweb.de/~tps/config/ipsec-ns3/barf.txt.html
>> http://home.vrweb.de/~tps/config/ipsec-ns3/ipsec.conf.html
>> http://home.vrweb.de/~tps/config/ipsec-ns3/ipsec.secrets.html
>> http://home.vrweb.de/~tps/config/ipsec-ns3/pluto.err.html
>> http://home.vrweb.de/~tps/config/ipsec-ns3/status.txt.html
>>
>> For the server:
>> http://home.vrweb.de/~tps/config/ipsec-vpn/barf.txt.html
>> http://home.vrweb.de/~tps/config/ipsec-vpn/ipsec.conf.html
>> http://home.vrweb.de/~tps/config/ipsec-vpn/ipsec.secrets.html
>> http://home.vrweb.de/~tps/config/ipsec-vpn/pluto.err.html
>> http://home.vrweb.de/~tps/config/ipsec-vpn/status.txt.html
> 
> Is this a new config?  It'd be simpler to only have your nn-bn and nb 
> conns.  As I recall (someone can correct me if I'm wrong), but that 
> should be all that you need as far as tunnels go.

I was sure, I double some configs not necessary to double. :-)
But: it was my first configuration. It ran halfways. I could ping
from one gateway to the other, but not from one subnet to the other.

This is true for this config either. I can ping from gateway to
gateway, but I can't ping from gateway to any other host than the
gateway on the remote side. Same for any local host: none of them
can reach any remote connected host. It just doesn't work. No
additional route setup, no sourcerouting, no nothing. In short: I
can connect the gateways, but not the networks.

> leftsourceip
> 	the IP address for this host to use when transmitting a packet to the 
> other side of this link. Relevant only locally, the other end need not 
> agree. This option is used to make the gateway itself use its internal 
> IP, which is part of the leftsubnet, to communicate to the rightsubnet 
> or right. Otherwise, it will use its nearest IP address, which is its 
> public IP address. This option is mostly used when defining 
> subnet-subnet connections, so that the gateways can talk to each other 
> and the subnet at the other end, without the need to build additional 
> host-subnet, subnet-host and host-host tunnels. Both IPv4 and IPv6 
> addresses are supported.

That is what I've read. Adding (left|right)sourceip= again made the
connection gateway/gateway work, but not any of the other hosts are
reachable. I could connect two hosts, but not two networks.
Removing the gateway/network network/gateway and gateway/gateway
configs doesn't change anything: I can ping from gateway to gateway,
but not from network to gateway or network to network.


-- 
Thomas

More information about the Users mailing list