[Openswan Users] Problems with vlan

Heino Niemann Heino.Niemann at hmmh.de
Tue Oct 22 14:42:28 UTC 2013 

Hi,

we had some problems with our openswan setup.
Installed in openswan-2.6.32-21.el6  on centos 6.4

Topology

Tunnel1 no vlan 192.168.1.0 eth0 - Firewall1 eth1 - internet - Firewall2  172.16.1.0
Tunnel2 vlan5 192.168.2.0 eth0.5 - Firewall1 eth1 - internet - Firewall2  172.16.1.0

Both Tunnels working right to left but only Tunnel1 works left to right.
Packges from vlan5 comming in at eth0.5 but not getting send throug the tunnel. All packges from vlan5 going directly out to the internet at eth1
All packages comming in at eth0 (no vlan) getting send throug the tunnel as expected.


config setup
     protostack=netkey
     nat_traversal=yes
     oe=off

conn office
        pfs=yes
        auth=esp
        authby=secret
        auto=start
        esp=aes256-sha1;modp1536
        ikelifetime=1800s
        keyingtries=10
        keylife=28800s
        left=80.80.80.1
        leftid=80.80.80.1

        leftsubnets={ 192.168.1.0/24 192.168.2.0/24 }
       right=90.90.90.1
        rightid=90.90.90.1
        Rightsubnet=172.16.1.0/24
        ike=aes256-sha1;modp1536
        keyexchange=ike
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        compress=yes

ip xfrm pol

src 192.168.2.0/24 dst 172.16.1.0/24
dir out priority 2187 ptype main
tmpl src 80.80.80.1 dst 90.90.90.1
proto esp reqid 16441 mode tunne

src 172.16.1.0/24 dst 192.168.2.0/24
dir fwd priority 2187 ptype main
tmpl src 90.90.90.1dst 80.80.80.1
proto esp reqid 16441 mode tunnel

src 172.16.1.0/24 dst 192.168.2.0/24
dir in priority 2187 ptype main
tmpl src 90.90.90.1 dst 80.80.80.1
proto esp reqid 16441 mode tunne

ip xfrm stat

src 90.90.90.1 dst 80.80.80.1
        proto esp spi 0xfe7349c5 reqid 16441 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) dfsdfg
        enc cbc(aes) dsfgsdfgsdfg

src 80.80.80.1 dst 90.90.90.1
        proto esp spi 0xc7294a5c reqid 16441 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) sdfgsdfgsdfg
        enc cbc(aes) sdfgdsfgsdfg

src 90.90.90.1 dst 80.80.80.1
        proto esp spi 0xc6befbad reqid 16441 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) sdfgdsfgsdfg
        enc cbc(aes) sdfsdfgsdfg

src 80.80.80.1 dst 90.90.90.1
        proto esp spi 0xc7294a58 reqid 16441 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) sdfgsdfsdfg
        enc cbc(aes) sdfdsfgsdfg

netstat-nat -Nn
Proto NATed Address                  NAT-host Address               Destination Address            State
icmp  192.168.1.2                    80.80.80.1                     172.16.1.33                    UNREPLIED


Best Regards
Heino
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20131022/437fbb77/attachment-0001.html>

More information about the Users mailing list