[Openswan Users] openswan and "one armed" routing question.

jason at monsterjam.org jason at monsterjam.org
Thu Jul 26 15:42:30 EDT 2012


hey, we are trying something somewhat insane here. we have an ssh vpn/tunnel established between 2 Linux hosts with

/usr/bin/ssh -w0:0 10.81.114.142

and on server one, we have
tun0 192.168.1.1 netmask 255.255.255.252
and server two has
tun0 192.168.1.2 netmask 255.255.255.252

that's all fine and dandy, but what we want to do is run the openswan ipsec THROUGH this ssh vpn.
for instance, we have

server one with eth0 of addr:10.81.114.89 on 10.81.114.65/27

server two with eth0 of addr:10.81.114.142 on 10.81.114.129/27

so my question is: can openswan with netkey act as a one-armed router in this instance and tunnel traffic between
the 2 networks? i.e. in my ipsec.conf (server one) config, we have


# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:!192.168.0.0/16,%v4:10.81.114.64/27

conn mytunnel
    type=tunnel
    left=192.168.1.1
    right=192.168.1.2
    leftsubnet=10.81.114.64/27
    rightsubnet=10.81.114.128/27
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    auto=start
    authby=secret

server two config 

# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:!192.168.0.0/16,%v4:10.81.114.128/27

conn mytunnel
    type=tunnel
    left=192.168.1.1
    right=192.168.1.2
    leftsubnet=10.81.114.64/27
    rightsubnet=10.81.114.128/27
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    auto=start
    authby=secret

using shared keys for the authentication, I keep getting stuck at

000 "Tunnel":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 
000 #3: "Tunnel":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s; nodpd; idle; import:admin initiate
000 #3: pending Phase 2 for "Tunnel" replacing #0
000 #3: pending Phase 2 for "Tunnel" replacing #0
000 #3: pending Phase 2 for "Tunnel" replacing #0


Suggestions? Has anyone done this before?

Jason 
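The situation described in this post (IKE endpoints on a /30 tun link, protected LANs on eth0, an initiator that never gets past STATE_MAIN_I1) can be checked offline with a small script. The following is an added example, not code from the post or from the openswan project: it parses a conn from ipsec.conf, a constructed `ip route` listing and status lines in the shape of the `ipsec auto --status` output quoted above, and reports the things worth verifying first in a one-armed setup: that left and right sit on one point-to-point link and outside the protected subnets, that the subnets do not overlap, that the route to the peer actually leaves via the tun device (assumed to be tun0 and this host assumed to be `left`), and that the conn name in the running status matches the file. All sample inputs below are constructed.

```python
import ipaddress
import re

# Constructed sample ipsec.conf in the shape of the server-one config above.
SAMPLE_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:!192.168.0.0/16,%v4:10.81.114.64/27

conn mytunnel
    type=tunnel
    left=192.168.1.1
    right=192.168.1.2
    leftsubnet=10.81.114.64/27
    rightsubnet=10.81.114.128/27
    auto=start
    authby=secret
"""
# Constructed `ip route` output for server one, with and without the tun link.
ROUTES_WITH_TUN = """\
default via 10.81.114.65 dev eth0
10.81.114.64/27 dev eth0  proto kernel  scope link  src 10.81.114.89
192.168.1.0/30 dev tun0  proto kernel  scope link  src 192.168.1.1
"""
ROUTES_NO_TUN = "\n".join(ROUTES_WITH_TUN.splitlines()[:2]) + "\n"
# Status lines modelled on the `ipsec auto --status` output quoted in the post.
SAMPLE_STATUS = """\
000 "Tunnel":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #3: "Tunnel":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s; nodpd; idle; import:admin initiate
000 #3: pending Phase 2 for "Tunnel" replacing #0
"""

STATUS_RE = re.compile(r'^000 #\d+: "([^"]+)":\d+ (STATE_\w+)')


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn NAME' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented line starts a section
            kind, _, name = line.partition(" ")
            if kind not in ("config", "conn"):
                raise ValueError(f"unexpected top-level line: {raw!r}")
            current = name.strip()
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key/value line outside a section: {raw!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_routes(text):
    """Parse `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def egress_device(routes, addr):
    """Longest-prefix match: which device a packet to addr would leave on."""
    addr, best = ipaddress.ip_address(addr), None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def parse_status(text):
    """Return {conn_name: current state} from `ipsec auto --status` lines."""
    return {m.group(1): m.group(2) for m in map(STATUS_RE.match, text.splitlines()) if m}


def check_one_armed(conf_text, route_text, status_text, tun_dev="tun0"):
    """Return a list of findings (empty list means nothing obviously wrong)."""
    findings = []
    conns = {n: b for n, b in parse_ipsec_conf(conf_text).items() if n != "setup"}
    routes, states = parse_routes(route_text), parse_status(status_text)
    for name, c in conns.items():
        left, right = ipaddress.ip_address(c["left"]), ipaddress.ip_address(c["right"])
        ls = ipaddress.ip_network(c["leftsubnet"], strict=False)
        rs = ipaddress.ip_network(c["rightsubnet"], strict=False)
        if right not in ipaddress.ip_network(f"{left}/30", strict=False):
            findings.append(f"{name}: left {left} and right {right} are not on one /30 link")
        for ep in (left, right):
            if ep in ls or ep in rs:
                findings.append(f"{name}: endpoint {ep} lies inside a protected subnet")
        if ls.overlaps(rs):
            findings.append(f"{name}: leftsubnet {ls} overlaps rightsubnet {rs}")
        dev = egress_device(routes, right)  # assumption: this host is 'left'
        if dev != tun_dev:
            findings.append(f"{name}: peer {right} is routed via {dev}, not {tun_dev}")
        if name not in states:
            findings.append(f"{name}: no state in status output (running conns: {sorted(states)})")
        elif states[name] == "STATE_MAIN_I1":
            findings.append(f"{name}: stuck in STATE_MAIN_I1, peer never answered IKE on UDP/500")
    return findings


if __name__ == "__main__":
    for finding in check_one_armed(SAMPLE_CONF, ROUTES_NO_TUN, SAMPLE_STATUS):
        print(finding)
```

With netkey the ESP and IKE packets to `right` are forwarded by the ordinary routing table, so the route check is the first thing to look at when the initiator retransmits MI1 without ever seeing MR1; the conn-name check catches the case where the status output refers to a conn ("Tunnel") that does not appear in the file shown ("mytunnel"), which means the running configuration is not the one being edited.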