[Openswan Users] Terminating VPN on the NAT gateway

Binand Sethumadhavan binand at gmx.net
Tue Jun 11 15:42:13 UTC 2013


Quotes work generally and I think it is in the documentation too
(otherwise can't think why I'd have used them). Will try with braces,
but I don't think that is the problem here - somehow locally
originating traffic is not going through the tunnel (despite setting
leftsourceip).

I'd like to keep those two /24's separate, as they serve different
purposes internally. One is the LAN and the other is the DHCP pool for
a set of roadwarriors (OpenVPN).

Binand

On 11 June 2013 19:19, Nick Howitt <n1ck.h0w1tt at gmail.com> wrote:
> Shouldn't the left/rightsubnets be in braces {} and not quotes ""? And can
> you, in any case, cheat and just specify a single subnet 192.168.100.0/23?
>
> On 2013-06-11 13:28, Binand Sethumadhavan wrote:
>
> I have an Openswan VPN between locations A and B.
>
> At A, Openswan is running on a CentOS 6 box behind a NAT gateway (called
> AA).
>
> At B, Openswan is running on a CentOS 6 box which is also the NAT
> gateway (called BB).
>
> Most things are fine with the tunnel, as below:
>
> - Every machine in the LAN of AA can reach every machine in the LAN behind
> BB.
> - Every machine in the LAN behind BB can reach every machine in the LAN of
> AA.
> - AA itself can reach every machine in the LAN behind BB.
> - AA can reach BB directly too.
> - BB cannot reach any machine in the LAN of AA
> - BB cannot reach AA directly either.
>
> When I do a tcpdump on BB, I can see that packets for AA go out with
> the WAN IP of BB as source, onto the public Internet.
>
> Config on AA:
>
> conn BB
>         left=10.13.16.217
>         leftid=10.13.16.217
>         leftsourceip=10.13.16.217
>         leftsubnet=10.13.16.0/23
>         right=a.b.c.d
>         rightid=a.b.c.d
>         rightsourceip=192.168.100.1
>         rightsubnets="192.168.100.0/24 192.168.101.0/24"
>         type=tunnel
>         authby=secret
>         auto=start
>         ike=aes-sha1;modp1024
>         phase2=esp
>         phase2alg=aes-sha1;modp1024
>         aggrmode=no
>
> Config on BB:
>
> conn AA
>         left=a.b.c.d
>         leftid=a.b.c.d
>         leftnexthop=a.b.c.d-1
>         leftsourceip=192.168.100.1
>         leftsubnets="192.168.100.0/24 192.168.101.0/24"
>         right=x.y.z.t # This IP has a static mapping to 10.13.16.217 on the edge firewall
>         rightid=10.13.16.217
>         rightsourceip=10.13.16.217
>         rightsubnet=10.13.16.0/23
>         type=tunnel
>         authby=secret
>         auto=start
>         ike=aes-sha1;modp1024
>         phase2=esp
>         phase2alg=aes-sha1;modp1024
>         aggrmode=no
>
> I can see in tcpdump that the source IP of packets from BB endpoint to
> AA endpoint is set to the WAN-side IP of BB. Why is this so?
>
> Binand
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
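The symptom in the thread (packets from BB to the AA side leaving with BB's WAN IP as source, in the clear) is what you get when the kernel's routing lookup picks a source address that falls outside the selector of the outbound IPsec policy: source selection happens first, then the XFRM policy is matched against the resulting src/dst pair, and a non-matching packet is simply routed unprotected. Openswan's _updown script is what normally installs the route carrying `src <leftsourceip>` for each remote subnet. The script below is an added diagnostic example, not part of the thread or of Openswan: it parses the output of `ip route get <remote host>` and `ip xfrm policy` and reports whether the source address the kernel chose is covered by an outbound policy. The sample outputs, addresses (RFC 5737 ranges standing in for a.b.c.d and the WAN IP of BB) and function names are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample output of `ip route get 10.13.16.1` on BB, as it would
# look when the leftsourceip route is missing: the kernel picks the WAN IP.
ROUTE_GET_BAD = "10.13.16.1 via 203.0.113.1 dev eth0  src 203.0.113.10 \n    cache \n"

# Same lookup once a route with `src 192.168.100.1` is present (constructed).
ROUTE_GET_GOOD = "10.13.16.1 via 203.0.113.1 dev eth0  src 192.168.100.1 \n    cache \n"

# Constructed `ip xfrm policy` output for the two leftsubnets on BB, with one
# inbound policy included to show that only `dir out` entries are considered.
XFRM_POLICY = """src 192.168.100.0/24 dst 10.13.16.0/23 
	dir out priority 2344 
	tmpl src 203.0.113.10 dst 198.51.100.7
		proto esp reqid 16385 mode tunnel
src 192.168.101.0/24 dst 10.13.16.0/23 
	dir out priority 2344 
	tmpl src 203.0.113.10 dst 198.51.100.7
		proto esp reqid 16389 mode tunnel
src 10.13.16.0/23 dst 192.168.100.0/24 
	dir in priority 2344 
	tmpl src 198.51.100.7 dst 203.0.113.10
		proto esp reqid 16385 mode tunnel
"""


def parse_route_get(output):
    """Return (destination, chosen source) from `ip route get <dst>` output."""
    first = output.strip().splitlines()[0]
    dst = first.split()[0]
    m = re.search(r"\bsrc (\S+)", first)
    if not m:
        raise ValueError("no src address in: " + first)
    return ipaddress.ip_address(dst), ipaddress.ip_address(m.group(1))


def parse_xfrm_out_policies(output):
    """Return [(src_net, dst_net), ...] for every `dir out` policy.

    A policy starts with `src ... dst ...` at column 0; the `tmpl src ...`
    lines are indented, so the anchored regex skips them.
    """
    pat = re.compile(r"^src (\S+) dst (\S+)[ \t]*\n[ \t]*dir (\w+)", re.MULTILINE)
    policies = []
    for src, dst, direction in pat.findall(output):
        if direction == "out":
            policies.append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return policies


def matching_policy(src, dst, policies):
    """First outbound policy whose selector covers the src/dst pair, or None."""
    for src_net, dst_net in policies:
        if src in src_net and dst in dst_net:
            return src_net, dst_net
    return None


def diagnose(route_get_output, xfrm_output):
    """Say whether a locally generated packet to dst would hit an IPsec policy.

    Returns a dict with the chosen source, whether an outbound policy matched,
    and which selector matched (the kernel does the same lookup, in this order:
    route/source selection first, then XFRM policy match on src/dst).
    """
    dst, src = parse_route_get(route_get_output)
    pol = matching_policy(src, dst, parse_xfrm_out_policies(xfrm_output))
    return {
        "dst": str(dst),
        "src": str(src),
        "encrypted": pol is not None,
        "policy": None if pol is None else "%s -> %s" % pol,
    }


if __name__ == "__main__":
    for label, route in (("without src route", ROUTE_GET_BAD), ("with src route", ROUTE_GET_GOOD)):
        r = diagnose(route, XFRM_POLICY)
        verdict = "encrypted via %s" % r["policy"] if r["encrypted"] else "LEAKS IN THE CLEAR"
        print("%s: src %s -> dst %s: %s" % (label, r["src"], r["dst"], verdict))
```

On a live gateway, feed it the real command output (`ip route get <host on the far LAN>` and `ip xfrm policy`); `encrypted: False` together with a WAN source address is the exact pattern seen in tcpdump on BB, and the fix is on the routing side (a route to the remote subnet carrying `src <leftsourceip>`), not in the IKE or ESP parameters. A missing entry in the policy list instead points at the conn not having come up for that subnet pair.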