[Openswan Users] Problems: protected subnets

SilverTip257 silvertip257 at gmail.com
Tue Mar 1 10:10:22 EST 2011

Well I deserve to be told to "Read the Manual".

My whole problem was that I only established the tunnel between
subneta and subnetb.
Now that I have a proper four-conn configuration my tunnel allows access
between protected hosts and gateways.

subneta-subnetb, subneta-hostb, hosta-subnetb, hosta-hostb

Now it's time for me to look into the use of also= ... my configs are
huge/long right now!

//  SilverTip257  //

Fortune Cookie:  "Digital circuits are made from analog parts."

On Sat, Feb 26, 2011 at 21:35, SilverTip257 <silvertip257 at gmail.com> wrote:
> Hello,
> I'm attempting to set up an Openswan to Openswan IPsec tunnel.  I
> started out with host-to-host and now I'm attempting a protected
> subnet setup.
> CentOS = Linux Openswan U2.6.21/K2.6.18-164.el5 (netkey)
> Debian = Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)
> I'm having problems setting up a host to host with protected subnets.
> I can establish and communicate over a host-to-host without subnets
> just fine by leaving out the leftsubnet/rightsubnet lines.
> # Network Topology
><-->( --|-- )<-->
> has a subnet behind it (actual subnet)
> has a subnet behind it (virtual interface)
> I created a MITM setup with a custom Linux router in the middle so I
> could sniff all the traffic (to make sure things are truly working).
> I have found that if I do not specify the 110 and 111 interfaces (on
> the respective hosts) as a default gateway and remove my main network
> as a DFGW that usually one end has trouble locating the other.
> Because I threw the Linux router in the middle, that's my doing I
> expect -- I'm not asking for help on that unless someone has an idea.
> But as long as I set the test NICs as each host's gateway and
> remove the other gateway it works without a hitch given the simple PSK
> config.
> # Simple config
> conn cent-deb
>       authby=secret
>       auto=add
>       left=
>       right=
> # Subnet config -- the one that's not working
> conn cent-deb
>       authby=secret
>       auto=add
>       left=
>       leftsubnet=
>       right=
>       rightsubnet=
> Regardless of which connection config I use I still get a message like
> below every time I bring the conn up.
> Proof the tunnel has been established:
> # /var/log/auth.log on Debian
> # or /var/log/secure on RedHat
> Feb 26 20:30:27 debian507-vm pluto[3445]: "cent-deb" #26:
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x297c2119
> <0x175eddd3 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> *** When using the subnet config, none of the pings between hosts is
> encrypted and additionally...
> I have noticed (once I try to bring the tunnel up) that my right
> host's routing table has an entry for the leftsubnet
> network, BUT the left host does not have an entry for the rightsubnet
> (which is a virtual interface at the moment - Debian
> eth1:1 assigned).
> Please let me know what additional information is necessary to
> troubleshoot this problem.
> I can show up in the #openswan IRC channel to answer
> questions/troubleshoot as well.
> Thank you,
> ---~~.~~---
> Mike
> //  SilverTip257  //
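For readers hitting the same wall: a conn with leftsubnet/rightsubnet set only installs an IPsec policy for subnet-to-subnet traffic, so packets sourced from or addressed to a gateway's own outside address match no selector and leave the box in the clear (which is what the unencrypted gateway-to-gateway pings above show). Covering all four source/destination combinations needs four conns, and the shared parameters can be pulled in with also= instead of repeated. The following ipsec.conf is an added example written for this thread, not the poster's configuration; the addresses are placeholders (documentation and RFC 1918 ranges), since the real ones are not in the archived message, and the conn names are made up.

```ini
# Added example, not the original poster's ipsec.conf.
# Openswan 2.x syntax; addresses are placeholders.

# Parameters shared by all four conns; each conn below pulls these in with also=
conn cent-deb-common
        authby=secret
        auto=add
        left=192.0.2.1          # placeholder: outside address of the CentOS gateway
        right=198.51.100.1      # placeholder: outside address of the Debian gateway

# 1. subneta <-> subnetb  (hosts behind left <-> hosts behind right)
conn cent-deb-net-net
        also=cent-deb-common
        leftsubnet=10.1.0.0/24  # placeholder: network behind the CentOS gateway
        rightsubnet=10.2.0.0/24 # placeholder: network behind the Debian gateway

# 2. subneta <-> hostb  (hosts behind left <-> the right gateway itself)
conn cent-deb-net-host
        also=cent-deb-common
        leftsubnet=10.1.0.0/24

# 3. hosta <-> subnetb  (the left gateway itself <-> hosts behind right)
conn cent-deb-host-net
        also=cent-deb-common
        rightsubnet=10.2.0.0/24

# 4. hosta <-> hostb  (gateway <-> gateway; no subnet lines at all)
conn cent-deb-host-host
        also=cent-deb-common
```

With auto=add each conn is loaded but not initiated, so all four have to be brought up individually (ipsec auto --up cent-deb-net-net, and so on), or switched to auto=start; a tunnel reported as established in the log means only that the conn named in that log line has its SA, not that the other three selector combinations are protected. Running the ping tests while sniffing on the router in the middle, as the poster did, remains the right check: every host/subnet pairing should now show ESP rather than plaintext ICMP.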
