[Openswan Users] Public subnet extrusion
Tuomo Soini
tis at foobar.fi
Thu Mar 1 02:25:09 EST 2012
On Fri, 24 Feb 2012 01:17:39 +0100
Niccolò Belli <darkbasic at linuxsystems.it> wrote:
> Hi,
>
> Host A is a server with a 5.5.5.0/24 public subnet, host B is a
> roadwarrior (dynamic ip, nat).
>
> I want to give a public ip to the roadwarrior (let's say 5.5.5.100).
> The roadwarrior's internal ip is in the 192.168.20.0/24 range (let's
> say 192.168.20.150).
>
> Server (A) ipsec.conf:
>
> nat_traversal=yes
>
> conn server-roadwarrior
> authby=rsasig
> left=5.5.5.1
> leftsubnet=0.0.0.0/0
> leftrsasigkey=...
> right=%any
> rightsubnet=5.5.5.100/32
> rightid=@laptop
> rightrsasigkey=...
> type=tunnel
> auto=add
>
> Roadwarrior (B) ipsec.conf:
>
> nat_traversal=yes
>
> conn roadwarrior-server
> authby=rsasig
> left=%defaultroute
> leftsubnet=5.5.5.100/32
> #leftsourceip=5.5.5.100
> leftid=@laptop
> leftrsasigkey=...
> right=5.5.5.1
> rightsubnet=0.0.0.0/0
> rightrsasigkey=...
> type=tunnel
> auto=start
>
>
> I can ping 5.5.5.100 from server A but the roadwarrior can't reach
> server A. I can surf the web but it doesn't tunnel the traffic at all
> (IP isn't 5.5.5.100). I tried adding leftsourceip=5.5.5.100 on the
> roadwarrior, but that way I can't even reach server A to establish the
> VPN connection!
Your setup is nearly exactly the one I am using on my laptop. The most
important thing is to use leftsourceip= on laptop or things don't work.
I'd also suggest adding the 5.5.5.100/32 IP statically to the lo interface
so your leftsourceip is always there. Without leftsourceip= this
doesn't work - that's because there is no route to make your
traffic match the tunnel.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
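The check below is an added example, not code from the thread or from Openswan. It parses an ipsec.conf-style text (the roadwarrior config from the question, reconstructed here with the leftsourceip= line still commented out), finds tunnel conns whose leftsubnet is a single extruded host address, and reports the condition the reply identifies: leftsourceip= must be present and must be that address, otherwise outbound packets carry the %defaultroute interface's address and never match the tunnel policy. It also prints the loopback assignment the reply recommends. Section handling is an assumption: lines before any "conn" header (the loose nat_traversal=yes in the snippet) are filed under "config setup".

```python
"""Lint an Openswan 'public subnet extrusion' conn on the roadwarrior side.

Added example, not from the original thread or from Openswan itself.
"""
import ipaddress

# Constructed sample: the roadwarrior ipsec.conf from the question,
# with leftsourceip= still commented out (the broken state).
BROKEN_CONF = """\
nat_traversal=yes

conn roadwarrior-server
    authby=rsasig
    left=%defaultroute
    leftsubnet=5.5.5.100/32
    #leftsourceip=5.5.5.100
    leftid=@laptop
    leftrsasigkey=...
    right=5.5.5.1
    rightsubnet=0.0.0.0/0
    rightrsasigkey=...
    type=tunnel
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {section header: {key: value}} for an ipsec.conf-style text.

    Assumption: key=value lines before the first 'conn'/'config' header
    belong to 'config setup', since the posted snippet omits that header.
    """
    sections = {"config setup": {}}
    current = "config setup"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line (e.g. #leftsourceip=...)
        if line.startswith("conn ") or line.startswith("config "):
            current = line
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def check_extrusion(conn):
    """Return a list of problems for one conn dict; an empty list means OK."""
    problems = []
    if conn.get("type", "tunnel") != "tunnel":
        return problems  # only tunnel mode carries an extruded address
    subnet = conn.get("leftsubnet")
    if not subnet:
        return problems
    net = ipaddress.ip_network(subnet, strict=False)
    if net.num_addresses != 1:
        return problems  # a whole LAN behind the host; not the /32 extrusion case
    src = conn.get("leftsourceip")
    if src is None:
        # Without leftsourceip= there is no route giving traffic the extruded
        # address as source, so nothing matches the tunnel (the reply's point).
        problems.append(
            f"leftsourceip is missing: set leftsourceip={net.network_address}")
    elif ipaddress.ip_address(src) not in net:
        problems.append(f"leftsourceip={src} is outside leftsubnet={subnet}")
    return problems


def remediation(conn):
    """The static loopback assignment the reply recommends, as a command."""
    net = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    return f"ip addr add {net.network_address}/32 dev lo"


def lint(text):
    """Return {conn header: [problems]} for every conn section in the text."""
    return {name: check_extrusion(body)
            for name, body in parse_ipsec_conf(text).items()
            if name.startswith("conn ")}


if __name__ == "__main__":
    for name, problems in lint(BROKEN_CONF).items():
        print(name, "->", problems or "OK")
    conn = parse_ipsec_conf(BROKEN_CONF)["conn roadwarrior-server"]
    print("suggested:", remediation(conn))
```

Uncommenting the leftsourceip= line makes the lint pass; the loopback command keeps the address present on the laptop even while the tunnel is down, which is what the reply means by "always there".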