[Openswan Users] Public subnet extrusion

Tuomo Soini tis at foobar.fi
Thu Mar 1 02:25:09 EST 2012


On Fri, 24 Feb 2012 01:17:39 +0100
Niccolò Belli <darkbasic at linuxsystems.it> wrote:

> Hi,
> 
> Host A is a server with a 5.5.5.0/24 public subnet, host B is a 
> roadwarrior (dynamic ip, nat).
> 
> I want to give a public ip to the roadwarrior (let's say 5.5.5.100).
> The roadwarrior's internal ip is in the 192.168.20.0/24 range (let's
> say 192.168.20.150).
> 
> Server (A) ipsec.conf:
> 
> nat_traversal=yes
> 
> conn server-roadwarrior
> 	authby=rsasig
> 	left=5.5.5.1
> 	leftsubnet=0.0.0.0/0
> 	leftrsasigkey=...
> 	right=%any
> 	rightsubnet=5.5.5.100/32
> 	rightid=@laptop
> 	rightrsasigkey=...
> 	type=tunnel
> 	auto=add
> 
> Roadwarrior (B) ipsec.conf:
> 
> nat_traversal=yes
> 
> conn roadwarrior-server
> 	authby=rsasig
> 	left=%defaultroute
> 	leftsubnet=5.5.5.100/32
> 	#leftsourceip=5.5.5.100
> 	leftid=@laptop
> 	leftrsasigkey=...
> 	right=5.5.5.1
> 	rightsubnet=0.0.0.0/0
> 	rightrsasigkey=...
> 	type=tunnel
> 	auto=start
> 
> 
> I can ping 5.5.5.100 from server A, but the roadwarrior can't reach 
> server A. I can surf the web, but it doesn't tunnel the traffic at all 
> (the IP isn't 5.5.5.100). I tried adding leftsourceip=5.5.5.100 on the 
> roadwarrior, but that way I can't even reach server A to establish the 
> VPN connection!

Your setup is nearly exactly the one I am using on my laptop. The most
important thing is to use leftsourceip= on the laptop or things don't work.

I'd also suggest adding the 5.5.5.100/32 IP statically to the lo interface
so your leftsourceip is always there. Without leftsourceip= this
doesn't work - that's because there is no route to make your
traffic match the tunnel.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

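As an added example (not code from the thread or from Openswan itself), the shell script below lints a roadwarrior conn the way the reply above describes the requirement: leftsourceip= must be present, uncommented, and equal to the single host address in a leftsubnet=/32. The two sample conn blocks are constructed from the values in the thread (one with leftsourceip commented out, as originally posted, and one corrected); the function names conn_get and check_sourceip are this example's own, not Openswan commands.

```shell
#!/bin/sh
# Added example: lint an Openswan ipsec.conf conn for the roadwarrior case
# above. Not part of the original post; conn_get and check_sourceip are
# names chosen for this example.

# Print the value of <key> inside section "conn <name>" read from stdin.
# Lines beginning with '#' are skipped, as Openswan itself ignores them,
# so a commented-out leftsourceip= correctly counts as absent.
conn_get() {  # conn_get <conn-name> <key>  < ipsec.conf
    awk -v conn="$1" -v key="$2" '
        /^conn[ \t]+/   { in_conn = ($2 == conn); next }
        /^[^ \t]/       { in_conn = 0; next }      # any other section ends it
        !in_conn        { next }
        /^[ \t]*#/      { next }                   # comment line
        {
            sub(/^[ \t]+/, "")
            i = index($0, "=")                     # values may contain "="
            if (i > 0 && substr($0, 1, i - 1) == key) {
                print substr($0, i + 1); exit
            }
        }'
}

# Return 0 when the conn has leftsourceip= equal to its /32 leftsubnet,
# 1 otherwise; the reason goes to stderr.
check_sourceip() {  # check_sourceip <conn-name> <config-text>
    conn="$1"; cfg="$2"
    subnet=$(printf '%s\n' "$cfg" | conn_get "$conn" leftsubnet)
    srcip=$(printf '%s\n' "$cfg" | conn_get "$conn" leftsourceip)
    case "$subnet" in
        */32) ;;
        *) echo "$conn: leftsubnet=$subnet is not a single host" >&2; return 1 ;;
    esac
    if [ -z "$srcip" ]; then
        echo "$conn: leftsourceip= missing or commented out; no route will match the tunnel" >&2
        return 1
    fi
    if [ "$srcip" != "${subnet%/32}" ]; then
        echo "$conn: leftsourceip=$srcip does not match leftsubnet=$subnet" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the roadwarrior conn as posted (leftsourceip commented out).
BROKEN='conn roadwarrior-server
    authby=rsasig
    left=%defaultroute
    leftsubnet=5.5.5.100/32
    #leftsourceip=5.5.5.100
    leftid=@laptop
    right=5.5.5.1
    rightsubnet=0.0.0.0/0
    type=tunnel
    auto=start'

# Constructed sample: the same conn with leftsourceip= enabled.
FIXED='conn roadwarrior-server
    authby=rsasig
    left=%defaultroute
    leftsubnet=5.5.5.100/32
    leftsourceip=5.5.5.100
    leftid=@laptop
    right=5.5.5.1
    rightsubnet=0.0.0.0/0
    type=tunnel
    auto=start'

for label in BROKEN FIXED; do
    eval "cfg=\$$label"
    if check_sourceip roadwarrior-server "$cfg"; then
        echo "$label: ok"
    else
        echo "$label: needs leftsourceip="
    fi
done
```

Once the check passes, the address the reply says to keep on the loopback is added with `ip addr add 5.5.5.100/32 dev lo` (and made persistent in the distribution's network configuration) so that the source address leftsourceip= points at exists before the tunnel comes up.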
