[Openswan Users] Multi-hop IPSec

Kevin Keane (subscriptions) subscription at kkeane.com
Fri Nov 18 07:11:23 EST 2011


I would like to connect two sites with IPSec, and would like some help setting it up correctly. Almost everything works, except that the two private subnets behind the gateways can't reach each other.

All devices use openswan 2.6.21 on CentOS 5.7, except for a fairly new Sonicwall device.

Site 1 has an unencrypted 192.168.0.0 network behind a Sonicwall gateway.

Site 2 consists of two computers in a data center. Each computer has two NICs - one has a public IP address and connects to the Internet, the other connects to a private network in a 10.1.2.0 network. The private network is untrusted, so I am using IPSec over the 10.1.2.0 network to connect the two servers. I also want to use one of these two computers as a gateway to an IPSec connection to the Sonicwall.

Individually, these two IPSec connections work without a problem. But traffic from the non-gateway computer to the network behind the Sonicwall does not work, even though IP forwarding is enabled.

Here is a diagram:

Server 1 public (eth0,57.6.7.8 - default GW)
Server 1 private (eth1,10.1.2.17)
        ||
Server 2 private (eth1,10.1.2.98)
Server 2 public (eth0,57.3.4.5 - default GW) ===== Sonicwall gateway (68.6.7.8) ------ 192.168.0.0/24 

The connection between Server 2 and Sonicwall has

leftsubnets=10.1.2.98/32,10.1.2.17/32,57.3.4.5/32
rightsubnet=192.168.0.0/24

The connection between Server 2 and Server 1 has

leftsubnet=10.1.2.98/32
rightsubnet=10.1.2.17/32

I also added a route on Server 1: 192.168.0.0/24 via 10.1.2.98 dev eth1

With this configuration, I can ping between Server 2 and 192.168.0.19. I cannot ping between Server 1 and 192.168.0.19.

Any idea about where I may have gone wrong would help!

How would I go about troubleshooting this problem?

Thanks!
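Added illustration, not part of the original post and not Openswan's own code: the script below models how the selectors instantiated from the two posted conns decide, hop by hop, whether a packet between 10.1.2.17 and 192.168.0.0/24 travels inside a tunnel. Policy-based IPsec matches on the inner packet's source and destination only, so the static route via 10.1.2.98 plays no part in the decision. The POSTED_* tables are built from the selectors in the post; the FIXED_* tables are a hypothetical adjustment (the Sonicwall LAN added on Server 2's side of the Server 1 <-> Server 2 conn), and the Sonicwall's own policy is assumed to mirror Server 2's, since the post says that pair works.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the three hosts' security policy databases (SPDs).
# Each selector is (local_subnet, remote_subnet, peer), built the way Openswan
# instantiates a conn: every leftsubnets entry paired with every rightsubnet.


def spd_from_conn(local_subnets, remote_subnets, peer):
    """Expand local x remote subnets into selectors toward one peer."""
    return [(loc, rem, peer) for loc in local_subnets for rem in remote_subnets]


SERVER2_TO_SONICWALL = spd_from_conn(
    ["10.1.2.98/32", "10.1.2.17/32", "57.3.4.5/32"], ["192.168.0.0/24"], "sonicwall")

# As posted: the Server 1 <-> Server 2 conn covers only the two host addresses.
POSTED_SERVER2 = SERVER2_TO_SONICWALL + spd_from_conn(
    ["10.1.2.98/32"], ["10.1.2.17/32"], "server1")
POSTED_SERVER1 = spd_from_conn(["10.1.2.17/32"], ["10.1.2.98/32"], "server2")

# Hypothetical fix (an assumption, not something in the post): the Sonicwall
# LAN is added on Server 2's side of the Server 1 <-> Server 2 conn, so Server 1
# encrypts traffic for 192.168.0.0/24 toward Server 2, which decrypts it and
# re-encrypts it toward the Sonicwall under the other conn.
FIXED_SERVER2 = SERVER2_TO_SONICWALL + spd_from_conn(
    ["10.1.2.98/32", "192.168.0.0/24"], ["10.1.2.17/32"], "server1")
FIXED_SERVER1 = spd_from_conn(
    ["10.1.2.17/32"], ["10.1.2.98/32", "192.168.0.0/24"], "server2")


def outbound_peer(spd, src, dst):
    """Peer of the first OUT selector covering src->dst (src local, dst remote)."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote, peer in spd:
        if s in ip_network(local) and d in ip_network(remote):
            return peer
    return None


def inbound_peer(spd, src, dst):
    """Peer of the first IN/FWD selector covering src->dst (src remote, dst local)."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote, peer in spd:
        if s in ip_network(remote) and d in ip_network(local):
            return peer
    return None


def trace_hops(spd_server1, spd_server2, src, dst):
    """Report, per hop of Server 1 <-> Server 2 <-> Sonicwall, whether a src->dst
    packet is carried inside a tunnel. A packet whose source is on 10.1.2.0/24
    starts at Server 1; any other source starts on the Sonicwall LAN. The
    Sonicwall's SPD is assumed to mirror Server 2's sonicwall selectors."""
    if ip_address(src) in ip_network("10.1.2.0/24"):
        hop1 = (outbound_peer(spd_server1, src, dst) == "server2"
                and inbound_peer(spd_server2, src, dst) == "server1")
        hop2 = outbound_peer(spd_server2, src, dst) == "sonicwall"
    else:
        hop2 = inbound_peer(spd_server2, src, dst) == "sonicwall"
        hop1 = (outbound_peer(spd_server2, src, dst) == "server1"
                and inbound_peer(spd_server1, src, dst) == "server2")
    return {"server1<->server2 (untrusted 10.1.2.0)": hop1,
            "server2<->sonicwall (internet)": hop2}


def cleartext_hops(spd_server1, spd_server2, src, dst):
    """Names of the hops that would carry src->dst unprotected."""
    hops = trace_hops(spd_server1, spd_server2, src, dst)
    return [name for name, protected in hops.items() if not protected]


if __name__ == "__main__":
    for label, s1, s2 in (("posted", POSTED_SERVER1, POSTED_SERVER2),
                          ("fixed", FIXED_SERVER1, FIXED_SERVER2)):
        for src, dst in (("10.1.2.17", "192.168.0.19"), ("192.168.0.19", "10.1.2.17")):
            print(label, src, "->", dst, trace_hops(s1, s2, src, dst))
```

Under the posted selectors the model shows the Server 1 <-> Server 2 hop carrying 10.1.2.17 <-> 192.168.0.19 traffic outside any tunnel, which matters because that 10.1.2.0 network is the one described as untrusted. On the real hosts the same question is answered by `ip xfrm policy` (the selectors the kernel actually installed) and by `tcpdump -ni eth1 not esp` on Server 2 while pinging from Server 1, which shows whether that traffic arrives in cleartext.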
