[Openswan Users] Gateway to gateway without router in one endpoint?

Jose M soloninguno at hotmail.com
Sat Jun 8 15:34:21 UTC 2013

THanks for your response Bob, my response between yours.

> From: bob at computerisms.ca
> To: users at lists.openswan.org
> Date: Fri, 7 Jun 2013 15:21:17 -0700
> Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?
> > I need to create an ipsec vpn between an internal network behind a
> > cisco router and an ubuntu server in the outside that is directly
> > connected to the web (no router here).
> > 
> > Right now I've test openswan to create a client to gateway vpn an
> > works as expected. Unforunately with this configuration I don't have
> > two way traffic, the client sees the internal network, but the network
> > can't see the client.
> As I understand the situation the ubuntu server is the client and it
> needs split tunnelling (can access web and vpn at same time).  Also as I
> understand, you have the tunnel up and working because traffic is
> flowing, just not in both directions.  And the cisco router is acting as
> your vpn server.

That's right, it's only flowing from client to vpn server, not the other way round.

> > My knowledge of networks isn't the best, so I need to ask, is it
> > possible to create some kind of virtual nics in ubuntu client server
> > to simulate a gateway and an internal network (with only one machine)
> > in this endpoint, so the machines in the internal network can see this
> > client?
> I am sure you can, but I fail to see why it would help.  If you have
> traffic flowing from client to net, then most likely traffic is not
> flowing in the opposite direction because of a firewall or routing rule
> somewhere.  For example, if the tunnel's IP on the client is in the same
> subnet as the LAN you are connecting too, your cisco router won't have a
> route leaving the network because it already has a route to that
> network.  Conversely iptables on the client may be configured to not
> allow any packets from a foreign LAN.
> This is of course a generalization that in my experience is not always
> true and may not apply to cisco routers, but almost always when traffic
> works in one direction and not the other, the problem is firewall rules
> or routing tables.  A tcpdump or equivalent on the internal and external
> interfaces of the router should show you if this is true in your case or
> not... 

Right now I think the traffic doesn't flow from vpn server to client simply because i configure a "client to gateway" in the cisco router (I send my configuration yesterday, don't know if the message arrives in the user list). And I configure a "client to gateway" and not a "gateway to gateway" cause I don't have a real network in the client. 
That's why I ask if a can simulate a network with virtual nics in the client, to "cheat" the cisco router and connect to the client as it is a gateway too, and make the traffic flow in both directions. But maybe I'm asking silly things, I don't know that.

Thanks in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130608/8791be98/attachment.html>

More information about the Users mailing list