[Openswan Users] Passthrough woes, 0.0.0.0/0 causes loss of connectivity

Vikki P vikkitrajectory at yahoo.ca
Mon Oct 15 10:37:37 EDT 2012


Hey guys,

I'm new to OpenSwan and trying to put together the following setup.  If I SSH into ServerA and type ping www.google.se, I want all my traffic to go /through/ the IPsec tunnel to ServerB and out to the Internet.  In other words, I want my traffic from ServerA to appear to come from ServerB.

I'm running into a problem though.  As soon as I add rightsubnet=0.0.0.0/0 to the ServerA.conf, I lose SSH connectivity from HOME to ServerA.  I need another set of eyes.  Is there anything wrong with my configuration?  Can anyone make a suggestion on how to route all outgoing Internet-bound traffic from ServerA through ServerB via IPsec, while still maintaining SSH connectivity to ServerA from HOME?  Any assistance is much appreciated! :)

HOME --- (SSH) ---> ServerA --- (IPSEC) ---> ServerB ---> Internet

HOME External: 9.9.9.9

ServerA Internal: 192.168.1.10
ServerA External: 1.1.1.1

ServerB Internal: 192.168.2.10
ServerB External: 2.2.2.2

-----ServerA.conf------
conn ipsec
auto=start
type=tunnel
left=192.168.1.10
leftid=1.1.1.1
leftsubnet=192.168.1.10/32
leftrsasigkey=00000key1...
right=2.2.2.2
rightsubnet=0.0.0.0/0
rightnexthop=192.168.2.10
rightrsasigkey=00000key2...
ike=aes256-sha1;modp2048
phase2=esp
phase2alg=aes256-sha1;modp2048
pfs=yes

conn netkey-passthrough
auto=route
left=192.168.1.10
leftid=1.1.1.1
leftsubnet=192.168.1.10/32
right=9.9.9.9
rightsubnet=9.9.9.9/32
authby=never
type=passthrough


-----ServerB.conf------
conn ipsec
auto=start
type=tunnel
left=1.1.1.1
leftsubnet=192.168.1.10/32
leftrsasigkey=00000key1...
rightid=2.2.2.2
rightsubnet=0.0.0.0/0
rightrsasigkey=00000key2...
ike=aes256-sha1;modp2048
phase2=esp
phase2alg=aes256-sha1;modp2048
pfs=yes


Tkx,
Vikki
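Added example (not from Vikki's post, and not Openswan code): a small simulator of how a kernel IPsec security policy database picks between the tunnel selector and the passthrough selector for a given packet leaving ServerA. It assumes the usual "most specific matching selector wins" ordering (longest combined prefix length), parses the two conn definitions from the ServerA.conf above, and uses a constructed Internet address (203.0.113.5) for the ping case. It shows why the narrow 9.9.9.9/32 passthrough has to be installed alongside rightsubnet=0.0.0.0/0: if only the tunnel policy is present, SSH replies to HOME match 0.0.0.0/0 and are pushed into the tunnel instead of going straight back to 9.9.9.9.

```python
import ipaddress
import re

# Copied from the ServerA.conf in the post (keys irrelevant to selectors omitted).
SERVER_A_CONF = """
conn ipsec
auto=start
type=tunnel
left=192.168.1.10
leftid=1.1.1.1
leftsubnet=192.168.1.10/32
right=2.2.2.2
rightsubnet=0.0.0.0/0
rightnexthop=192.168.2.10

conn netkey-passthrough
auto=route
left=192.168.1.10
leftid=1.1.1.1
leftsubnet=192.168.1.10/32
right=9.9.9.9
rightsubnet=9.9.9.9/32
authby=never
type=passthrough
"""


def parse_conns(text):
    """Parse ipsec.conf-style 'conn NAME' blocks of key=value lines into dicts."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def outbound_policies(conns, loaded=None):
    """Build (src_net, dst_net, action, name) selectors for traffic leaving 'left'.

    'loaded' optionally restricts the set to conn names actually installed in
    the kernel, so one can model what happens if the passthrough is missing.
    """
    policies = []
    for name, c in conns.items():
        if loaded is not None and name not in loaded:
            continue
        src = ipaddress.ip_network(c.get("leftsubnet", c["left"] + "/32"))
        dst = ipaddress.ip_network(c.get("rightsubnet", c["right"] + "/32"))
        # Assumption: passthrough conns become bypass (cleartext) policies,
        # everything else becomes an IPsec (protect) policy.
        action = "bypass" if c.get("type") == "passthrough" else "ipsec"
        policies.append((src, dst, action, name))
    return policies


def lookup(policies, src, dst):
    """Return (action, conn_name) for a packet src->dst; most specific selector wins."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for s, d, action, name in policies:
        if src_ip in s and dst_ip in d:
            specificity = s.prefixlen + d.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, action, name)
    return (best[1], best[2]) if best else ("clear", None)


def decide(src, dst, loaded=None, conf=SERVER_A_CONF):
    """Convenience wrapper: parse the conf, install the given conns, classify one packet."""
    return lookup(outbound_policies(parse_conns(conf), loaded), src, dst)


if __name__ == "__main__":
    # ping from ServerA to the Internet (203.0.113.5 is a constructed address)
    print("ping reply path:", decide("192.168.1.10", "203.0.113.5"))
    # SSH reply from ServerA back to HOME, with both conns installed
    print("ssh reply, both conns:", decide("192.168.1.10", "9.9.9.9"))
    # same SSH reply if only the tunnel policy made it into the kernel
    print("ssh reply, tunnel only:", decide("192.168.1.10", "9.9.9.9", loaded={"ipsec"}))
```

The real check on a NETKEY host is to compare this model with what the kernel actually installed: `ip xfrm policy` lists the selectors and their priorities, and `ipsec auto --status` shows whether the passthrough conn was loaded and routed. If the 9.9.9.9/32 bypass entry is absent or sits behind the 0.0.0.0/0 tunnel entry, the SSH session from HOME will drop exactly as described.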