[Openswan Users] Problems: protected subnets

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Mar 1 14:49:08 EST 2011


Mike,

If you can, the "One tunnel plus advanced routing" example in your link 
with the left/rightsourceip is simpler, and despite the big bold letters 
below the example, it allows you to access the remote gateway by its LAN IP.

Nick

On 01/03/2011 15:10, SilverTip257 wrote:
> Well I deserve to be told to "Read the Manual".
> http://wiki.openswan.org/index.php/Openswan/MultipleTunnelsBetweenTheSameTwoGateways
>
> My whole problem was that I only established the tunnel between
> subneta and subnetb.
> Now that I have a proper 4conns configuration my tunnel allows access
> between protected hosts and gateways.
>
> subneta-subnetb, subneta-hostb, hosta-subnetb, hosta-hostb
>
> Now it's time for me to look into the use of also= ... my configs are
> huge/long right now!
>
> ---~~.~~---
> Mike
> //  SilverTip257  //
>
> Fortune Cookie:  "Digital circuits are made from analog parts."
>
>
>
> On Sat, Feb 26, 2011 at 21:35, SilverTip257<silvertip257 at gmail.com>  wrote:
>> Hello,
>>
>> I'm attempting to set up an Openswan to Openswan IPsec tunnel.  I
>> started out with host-to-host and now I'm attempting a protected
>> subnet setup.
>> CentOS = Linux Openswan U2.6.21/K2.6.18-164.el5 (netkey)
>> Debian = Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)
>>
>> I'm having problems setting up a host to host with protected subnets.
>> I can establish and communicate over a host-to-host without subnets
>> just fine by leaving out the leftsubnet/rightsubnet lines.
>>
>> # Network Topology
>> 192.168.110.2<-->( 192.168.110.1/30 --|-- 192.168.111.1/30 )<-->192.168.111.2
>> 192.168.110.2 has a subnet behind it 172.16.0.32/27 (actual subnet)
>> 192.168.111.2 has a subnet behind it 10.0.2.0/24 (virtual interface)
>>
>> I created a MITM setup with a custom Linux router in the middle so I
>> could sniff all the traffic (to make sure things are truly working).
>> I have found that if I do not specify the 110 and 111 interfaces (on
>> the respective hosts) as a default gateway and remove my main network
>> as a DFGW that usually one end has trouble locating the other.
>> Because I threw the Linux router in the middle, that's my doing I
>> expect -- I'm not asking for help on that unless someone has an idea.
>> But as long as I set the test nics as the each host's gateway and
>> remove the other gateway it works without a hitch given the simple PSK
>> config.
>>
>> # Simple config
>> conn cent-deb
>>        authby=secret
>>        auto=add
>>        left=192.168.110.2
>>        right=192.168.111.2
>>
>> # Subnet config -- the one that's not working
>> conn cent-deb
>>        authby=secret
>>        auto=add
>>        left=192.168.110.2
>>        leftsubnet=172.16.0.32/27
>>        right=192.168.111.2
>>        rightsubnet=10.0.2.0/24
>>
>> Regardless of which connection config I use I still get a message like
>> below every time I bring the conn up.
>> Proof the tunnel has been established:
>> # /var/log/auth.log on Debian
>> # or /var/log/secure on RedHat
>> Feb 26 20:30:27 debian507-vm pluto[3445]: "cent-deb" #26:
>> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x297c2119
>> <0x175eddd3 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
>>
>> *** When using the subnet config, none of the pings between hosts is
>> encrypted and additionally...
>> I have noticed (once I try to bring the tunnel up) that my right
>> host's routing table has an entry for the leftsubnet 172.16.0.32/27
>> network, BUT the left host does not have an entry for the rightsubnet
>> 10.0.2.0/24 (which is a virtual interface at the moment - Debian
>> eth1:1 assigned 10.0.2.1).
>>
>> Please let me know what additional information is necessary to
>> troubleshoot this problem.
>> I can show up in the #openswan IRC channel to answer
>> questions/troubleshoot as well.
>>
>> Thank you,
>> ---~~.~~---
>> Mike
>> //  SilverTip257  //
>>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list