[Openswan Users] Multi-hop IPSec

Kevin Keane (subscriptions) subscription at kkeane.com
Fri Nov 18 07:11:23 EST 2011

I would like to connect two sites with IPSec, and would like some help setting it up correctly. Most everything works, except that the two private subnets behind the gateways can't reach each other.

All devices use openswan 2.6.21 on CentOS 5.7, except for a fairly new Sonicwall device.

Site 1 has an unencrypted network behind a Sonicwall gateway.

Site 2 consists of two computers in a data center. Each computer has two NICs - one has a public IP address and connects to the Internet, the other connects to a private network in a network. The private network is untrusted, so I am using IPSec over the network to connect the two servers. I also want to use one of these two computers as a gateway to an IPSec connection to the Sonicwall.

Individually, these two IPSec connections work without a problem. But traffic from the non-gateway computer to the network behind the Sonicwall does not work, even though IP forwarding is enabled.

Here is a diagram:

Server 1 public (eth0, - default GW)
Server 1 private (eth1,
Server 2 private (eth1,
Server 2 public (eth0, - default GW) ===== Sonicwall gateway ( ------ 

The connection between Server 2 and Sonicwall has


The connection between Server 2 and Server 1 has


I also added a route on Server 1: via dev eth1

With this configuration, I can ping between Server 2 and I cannot ping between Server 1 and

Any idea about where I may have gone wrong would help!

How would I go about troubleshooting this problem?
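One way the policies on the middle gateway usually need to look for this two-tunnel layout, as an added configuration example that is not part of the original post; every address below is a constructed placeholder, since the post's own addresses did not survive, and the conn names are invented. The point it shows: IPsec selects traffic by (source subnet, destination subnet) pairs, so IP forwarding alone is not enough; each hop needs a policy whose selectors cover the far side's network.

```conf
# /etc/ipsec.conf on Server 2 (the gateway sitting between the two tunnels).
# Constructed placeholder addresses, not the poster's values:
#   198.51.100.2   Server 2 public (eth0)      203.0.113.1     Sonicwall public
#   10.10.0.2      Server 2 private (eth1)     10.10.0.1       Server 1 private (eth1)
#   10.10.0.0/24   untrusted private network   192.168.1.0/24  LAN behind the Sonicwall
config setup
        protostack=netkey

conn %default
        authby=secret
        keyexchange=ike
        pfs=yes

# Tunnel 1: Server 2 <-> Sonicwall. The left selector must cover Server 1's
# private address; a host-only selector (just 10.10.0.2) means packets that
# Server 2 forwards on behalf of Server 1 match no policy on eth0.
conn s2-sonicwall
        left=198.51.100.2
        leftsubnet=10.10.0.0/24
        right=203.0.113.1
        rightsubnet=192.168.1.0/24
        auto=start

# Tunnel 2a: the existing host-to-host protection across the untrusted network.
conn s2-s1
        left=10.10.0.2
        right=10.10.0.1
        auto=start

# Tunnel 2b: the policy that is usually missing. Packets between Server 1 and
# the Sonicwall LAN cross the private hop with src/dst 10.10.0.1 <-> 192.168.1.x,
# which conn s2-s1 (host <-> host only) does not select, so the kernel has no
# SA for them. This conn gives both ends a selector for that traffic.
conn s2-s1-lan
        left=10.10.0.2
        leftsubnet=192.168.1.0/24
        right=10.10.0.1
        auto=start
```

Server 1 carries the same s2-s1 and s2-s1-lan definitions (openswan works out which side it is from its own interface addresses) plus the existing static route for the Sonicwall LAN via 10.10.0.2 on eth1, and the Sonicwall's VPN policy must name 10.10.0.0/24 rather than only Server 2's address as the remote network. On each hop, `ipsec auto --status` and `ip xfrm policy` should then show a policy whose selectors are 10.10.0.1 <-> 192.168.1.0/24; if that pair is absent on some hop, that hop is where the traffic is being dropped or sent in the clear.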
