[Openswan Users] two tunnels made one works

Barry R Cisna brcisna at gmail.com
Sun Oct 21 12:05:25 EDT 2012


Hello All,

OS : Centos 6.3  32-bit

I have a CentOS 6.3 machine with the latest Openswan 2.6.32 that makes
a connection to two of my work's buildings, both of which run pfSense routers.
I previously had both tunnels working very easily on my previous OLD
server, CentOS 5.x.

Both tunnels come up fine and I can ping from openswan/CentOS to the
wcbiggs remote LAN.
I can NOT ping from openswan/CentOS to the wcstrong connection's LAN.
I can ping both LANs' IPs from the pfSense router to the openswan/CentOS
server fine.

Worth noting:
1. I did have to add the rightsourceip= entry to the wc235biggs conn to
make the ping to the remote LAN work. The tunnel did connect fine though
without this entry. On the previous server (CentOS 5.x) I did not even
have to have this entry.
2. Both the old and new server (CentOS 6.3) are Linux terminal servers, so this
server does have two NICs, eth0 & eth1.
3. I have Wiresharked quite a bit on each NIC of the server and found
that the ICMP requests are definitely different between the wc235biggs and
wc235strong conns. I haven't been able to determine why this is either.
4. I also added the rightsourceip entry to the wcstrong conn to see if
this would possibly make the two endpoints pingable, but this didn't help
any.
5. For completeness, I am using PSK.


ipsec.conf here:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        forwardcontrol=no
        nat_traversal=no
        oe=off
        protostack=netkey
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
conn wc235biggs
        authby=secret
        auto=add
        ikelifetime=86400s
        keylife=28800s
        left=<localwanip>
        leftid=<localwanip>
        leftrsasigkey=0sAQOj1CVLXJGgcmdPDBzg72nK
+LPoJrwkm7NW2eqm95Dv/obHhPijXXAktRhakPTgcySS4DrTtj84ucYVehhx1mgGt
+EerbEiJj8saq0ws52o8N3DORZXvPGc8dT5x
+QVlnorQknFevuj5hZ0vGC5mIhrFxrrcQ/ZX4hqdefVgCes4rfSIvlCEiIyfxp7Wgh
+6hWNzENQO3IO1aZrlC8xz+SMU98KTna/feBGMcrbyHSrDdTz139O9Q/KproCPS/RY
+RIeTkwl1GcOqcCDrq0DeJmrLkfWf3tQNzrdK3cwHmyM9zgB6JyKQavE0Uo7H
+xcLIiTHnUiwIqNTs/Luk/Ov4Q/tlEY9g1qr2dqO1iQ/q6QxKz
        leftsubnet=172.31.100.0/24
        leftsourceip=172.31.100.2
        right=<remotewanip>
        rightid=<remotewanip>
        rightsubnet=172.28.0.0/16
conn wc235strong
        authby=secret
        auto=add
        ikelifetime=86400s
        keylife=28800s
        left=<localwanip>
        leftid=<localwanip>
        leftrsasigkey=0sAQOj1CVLXJGgcmdPDBzg72nK
+LPoJrwkm7NW2eqm95Dv/obHhPijXXAktRhakPTgcySS4DrTtj84ucYVehhx1mgGt
+EerbEiJj8saq0ws52o8N3DORZXvPGc8dT5x
+QVlnorQknFevuj5hZ0vGC5mIhrFxrrcQ/ZX4hqdefVgCes4rfSIvlCEiIyfxp7Wgh
+6hWNzENQO3IO1aZrlC8xz+SMU98KTna/feBGMcrbyHSrDdTz139O9Q/KproCPS/RY
+RIeTkwl1GcOqcCDrq0DeJmrLkfWf3tQNzrdK3cwHmyM9zgB6JyKQavE0Uo7H
+xcLIiTHnUiwIqNTs/Luk/Ov4Q/tlEY9g1qr2dqO1iQ/q6QxKz
        leftsubnet=172.31.100.0/24
        leftsourceip=172.31.100.2
        right=<remotewanip>
        rightid=<remotewanip>
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.1

# end of ipsec.conf

Thank You,
Barry
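A check worth running when one netkey tunnel passes pings and the other does not is to look at what the kernel actually installed (`ip xfrm policy`) and ask whether the exact src/dst pair of the failing ping is covered by an "out" policy at all. With two NICs, a locally generated ICMP echo only enters the tunnel if the source address the kernel selects falls inside leftsubnet; a packet sourced from the other interface matches no policy and leaves in the clear, which is the class of problem leftsourceip= is meant to address. The following is an added example, not code from the original post or from Openswan: it parses the text format of `ip xfrm policy` and performs the same selector-plus-priority lookup the kernel does. The policy dump is constructed to mirror the two conns above, with hypothetical RFC 5737 addresses standing in for <localwanip>/<remotewanip> and a hypothetical 10.0.0.1 standing in for the second NIC's address.

```python
"""Which xfrm policy would the kernel apply to a given packet?

Added example (not from the original post). Parses `ip xfrm policy` text and
replays the lookup: a packet matches a policy when its direction agrees and
both addresses fall inside the selector; among matches the lowest priority
value wins. No match in direction 'out' means the packet is not tunnelled.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ip xfrm policy` output for two netkey tunnels.
# Hypothetical addresses: 198.51.100.2 = this server's WAN (left),
# 203.0.113.10 = wc235biggs pfSense WAN, 203.0.113.20 = wc235strong pfSense WAN.
# Real output indents the continuation lines with tabs; spaces are used here.
SAMPLE_XFRM_POLICY = """\
src 172.31.100.0/24 dst 172.28.0.0/16
    dir out priority 2344 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.10
        proto esp reqid 16385 mode tunnel
src 172.28.0.0/16 dst 172.31.100.0/24
    dir fwd priority 2344 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.2
        proto esp reqid 16385 mode tunnel
src 172.28.0.0/16 dst 172.31.100.0/24
    dir in priority 2344 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.2
        proto esp reqid 16385 mode tunnel
src 172.31.100.0/24 dst 192.168.1.0/24
    dir out priority 2344 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.20
        proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 172.31.100.0/24
    dir fwd priority 2344 ptype main
    tmpl src 203.0.113.20 dst 198.51.100.2
        proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 172.31.100.0/24
    dir in priority 2344 ptype main
    tmpl src 203.0.113.20 dst 198.51.100.2
        proto esp reqid 16389 mode tunnel
"""


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network          # selector: inner source subnet
    dst: ipaddress.IPv4Network          # selector: inner destination subnet
    direction: str                      # out / in / fwd
    priority: int                       # lower value wins among matches
    tmpl_src: Optional[str] = None      # outer (ESP) source address
    tmpl_dst: Optional[str] = None      # outer (ESP) destination address
    reqid: Optional[int] = None         # ties the policy to its SAs


_SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
_DIR_RE = re.compile(r"^\s*dir (\w+) priority (\d+)")
_TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")
_REQID_RE = re.compile(r"^\s*proto (\w+) reqid (\d+) mode (\w+)")


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Turn `ip xfrm policy` output into XfrmPolicy records."""
    policies: List[XfrmPolicy] = []
    cur: Optional[XfrmPolicy] = None
    for line in text.splitlines():
        m = _SEL_RE.match(line)
        if m:                               # an unindented 'src ... dst ...' line opens a policy
            cur = XfrmPolicy(ipaddress.ip_network(m.group(1), strict=False),
                             ipaddress.ip_network(m.group(2), strict=False),
                             direction="", priority=0)
            policies.append(cur)
            continue
        if cur is None:
            continue
        if (m := _DIR_RE.match(line)):
            cur.direction, cur.priority = m.group(1), int(m.group(2))
        elif (m := _TMPL_RE.match(line)):
            cur.tmpl_src, cur.tmpl_dst = m.group(1), m.group(2)
        elif (m := _REQID_RE.match(line)):
            cur.reqid = int(m.group(2))
    return policies


def lookup(policies: List[XfrmPolicy], src: str, dst: str,
           direction: str = "out") -> Optional[XfrmPolicy]:
    """Policy the kernel would apply to a src->dst packet, or None if untunnelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies
               if p.direction == direction and s in p.src and d in p.dst]
    return min(matches, key=lambda p: p.priority) if matches else None


def explain(policies: List[XfrmPolicy], src: str, dst: str) -> str:
    """Human-readable verdict for an outbound packet."""
    p = lookup(policies, src, dst)
    if p is None:
        return (f"{src} -> {dst}: NO out policy matches; the packet leaves in the "
                f"clear via the ordinary routing table")
    return f"{src} -> {dst}: ESP tunnel {p.tmpl_src} -> {p.tmpl_dst} (reqid {p.reqid})"


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    # A ping sourced from leftsourceip is covered; one sourced from the
    # hypothetical second-NIC address 10.0.0.1 is not.
    for source in ("172.31.100.2", "10.0.0.1"):
        print(explain(pols, source, "192.168.1.50"))
```

On the real server, feed it `ip xfrm policy` output and test both the address of eth0 and the address of eth1 against a host in 192.168.1.0/24; `ip route get 192.168.1.50` shows which source address the kernel picks when no leftsourceip forces the choice. Comparing that with the ICMP source seen in the Wireshark captures on each NIC is the quickest way to tell a policy problem from a plain routing one.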