[Openswan Users] Terminating VPN on the NAT gateway

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Jun 11 13:49:15 UTC 2013



Shouldn't the left/rightsubnets be in braces {} and not quotes ""? And
can you, in any case, cheat and just specify a single subnet
192.168.100.0/23? 

On 2013-06-11 13:28, Binand Sethumadhavan wrote: 

> I have an Openswan VPN between locations A and B.
> 
> At A, Openswan is running on a CentOS 6 box behind a NAT gateway (called AA).
> 
> At B, Openswan is running on a CentOS 6 box which is also the NAT
> gateway (called BB).
> 
> Most things are fine with the tunnel, as below:
> 
> - Every machine in the LAN of AA can reach every machine in the LAN behind BB.
> - Every machine in the LAN behind BB can reach every machine in the LAN of AA.
> - AA itself can reach every machine in the LAN behind BB.
> - AA can reach BB directly too.
> - BB cannot reach any machine in the LAN of AA
> - BB cannot reach AA directly either.
> 
> When I do a tcpdump on BB, I can see that packets for AA go out with
> the WAN IP of BB as source, onto the public Internet.
> 
> Config on AA:
> 
> conn BB
>     left=10.13.16.217
>     leftid=10.13.16.217
>     leftsourceip=10.13.16.217
>     leftsubnet=10.13.16.0/23
>     right=a.b.c.d
>     rightid=a.b.c.d
>     rightsourceip=192.168.100.1
>     rightsubnets="192.168.100.0/24 192.168.101.0/24"
>     type=tunnel
>     authby=secret
>     auto=start
>     ike=aes-sha1;modp1024
>     phase2=esp
>     phase2alg=aes-sha1;modp1024
>     aggrmode=no
> 
> Config on BB:
> 
> conn AA
>     left=a.b.c.d
>     leftid=a.b.c.d
>     leftnexthop=a.b.c.d-1
>     leftsourceip=192.168.100.1
>     leftsubnets="192.168.100.0/24 192.168.101.0/24"
>     right=x.y.z.t # This IP has a static mapping to 10.13.16.217 on the edge firewall
>     rightid=10.13.16.217
>     rightsourceip=10.13.16.217
>     rightsubnet=10.13.16.0/23
>     type=tunnel
>     authby=secret
>     auto=start
>     ike=aes-sha1;modp1024
>     phase2=esp
>     phase2alg=aes-sha1;modp1024
>     aggrmode=no
> 
> I can see in tcpdump that the source IP of packets from BB endpoint to
> AA endpoint is set to the WAN-side IP of BB. Why is this so?
> 
> Binand
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users [1]
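To check the two points raised in the reply above (subnet lists belong in braces, and two adjacent /24s can be written as one /23), here is a small lint for the relevant ipsec.conf lines. It is an added example, not code from the thread or from Openswan; the sample conn block is constructed from the posted config, abridged.

```python
import re
import ipaddress

# Constructed sample: abridged from the conn AA block posted in the thread,
# keeping the quoted subnet list exactly as it was written there.
SAMPLE_CONF = """\
conn AA
    left=a.b.c.d
    leftsourceip=192.168.100.1
    leftsubnets="192.168.100.0/24 192.168.101.0/24"
    rightsubnet=10.13.16.0/23
"""

# Matches only the plural leftsubnets=/rightsubnets= keys, not leftsubnet=.
SUBNETS_RE = re.compile(r'^\s*(left|right)subnets\s*=\s*(.+?)\s*$')


def parse_subnets_value(value):
    """Return (is_braced, [networks]) for a left/rightsubnets value.

    Openswan expects the list in braces, e.g. {a/24 b/24}; a quoted list
    is reported as not braced so the caller can flag it.
    """
    value = value.split("#", 1)[0].strip()          # drop trailing comment
    braced = value.startswith("{") and value.endswith("}")
    inner = value.strip("{}\"'")                    # tolerate either form
    nets = [ipaddress.ip_network(s, strict=True) for s in inner.split()]
    return braced, nets


def lint_conf(text):
    """Check every leftsubnets/rightsubnets line in an ipsec.conf snippet.

    Returns (conn, side, braced, collapsed) per line, where `collapsed` is
    the minimal set of prefixes covering the listed subnets: a single entry
    means the plain left/rightsubnet= form with that prefix would do.
    """
    findings = []
    conn = None
    for line in text.splitlines():
        if line.startswith("conn "):
            conn = line.split(None, 1)[1].strip()
        m = SUBNETS_RE.match(line)
        if not m:
            continue
        side, value = m.group(1), m.group(2)
        braced, nets = parse_subnets_value(value)
        collapsed = [str(n) for n in ipaddress.collapse_addresses(nets)]
        findings.append((conn, side, braced, collapsed))
    return findings
```

Run on the sample it reports the quoted list as not braced and collapses the two /24s to 192.168.100.0/23.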

