[Openswan Users] Connecting to other machines in subnet

Durwin thecajun at nmia.com
Mon Feb 11 19:59:01 EST 2013

> On 02/11/2013 04:10 PM, Durwin wrote:
> >> What you are talking about is doable, but I need to know a little more about your setup.
> >>
> >> Do you still want an IPsec connection between site A and B with the SSH connection to machine C (which is at site B) inside of it?
> >>
> >> Or do you want the SSH connection to go directly to machine C and not be encapsulated in the IPsec tunnel?
> >>
> >> Is machine B the gateway for site B (and thus for machine C)?  Or does machine C have its own public IP address?
> >
> > Ok, let me give you the detailed setup.  Both sites are behind modems,
> > none of the servers have real ip addresses.  Site A has a hardware VPN,
> > this is connected to VPN server at site B (server B).  I wish to connect
> > to port 80 on machine C (with browser).  Server B does not need 80.  I
> > need to be able to ssh into server B yet still be able to ssh into
> > machine C (from server B is fine).  Did I leave anything out?  While I
> > am at it.  I also need iptable rules which allow vpn to work.  I've been
> > running without iptables.
> Okay, for a computer in site A to connect to server C, you'll need to set up the connection between server A and B to support the subnets.
> Something like:
> conn BetweenSiteAandSiteB
>       type=tunnel
>       authby=secret
>       pfs=yes
>       auto=start
>       compress=yes
>       keyingtries=3
>       left=a.a.a.a
>       right=b.b.b.b
>       rightsubnet=c.c.c.0/24
>       rightsourceip=c.c.c.1
> Obviously server B will need IP forwarding enabled and needs to be the gateway for site B -> site A.  You never really said whether this was the case or not, so I just assumed.

Here is my config.  My right and left are opposite of yours but it looks
the same other wise.

conn siteB
    right=public ip of hardware vpn

I configured machine C to use machine B as gateway.  I confirmed
forwarding is on (server B).  But I can't connect to machine C from site
A.  What else am I missing?

Thank you,


More information about the Users mailing list