[Openswan Users] Hub and Spoke issue
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Jul 2 09:32:58 EDT 2014
Did you try using the traceroute (linux) on the openswan boxes at the
spokes? Did you try using the traceroute (linux) or tracert (-d) on
network clients at the spokes?
Just so I understand:
The San Paulo location is the hub, with private network 10.0.0.0/16
Oregon is spoke 1, with private network 192.168.10.0/24
Ireland is spoke 2, with private network 192.168.69.0/24
Presumably the traffic is encrypted over VPN from Oregon to San Paulo,
decrypted at the hub, then re-encrypted for the VPN link to Ireland.
My guess is that the openswan system or your gateway/router at one spoke
does not have routing information for the private network at the other
spoke. The rightsubnets info maybe should have been enough.
Depending on your linux version, ip forwarding may not be enabled by
default which may be an issue. (This at least was the case with fedora
core 14.)
To see if routing is enabled:
#sysctl -a | grep net.ipv4.ip_forward
or
#cat /proc/sys/net/ipv4/ip_forward
Value of 1 means enabled. This is not the default in FC14.
To enable temporarily:
#sysctl -w net.ipv4.ip_forward=1
To enable permanently:
#vi /etc/sysctl.conf
#net.ipv4.ip_forward=1
If the line is not specifically enabled, it will default to 0.
On 07/02/14 08:52, steve wrote:
> I am trying to get an OpenSwan hub and spoke working. I feel like this is a
> simple problem but I don't know enough Linux to fix it.
> All three servers are running Ubuntu 14.10 and the latest OpenSwan version.
>
> I can ping Spoke1 to Hub & Hub to Spoke 1
> I can ping Spoke2 to Hub & Hub to Spoke 2
> I cannot ping Spoke 1 to Spoke 2
> Spoke 1
> conn Oregon-to-SauPaulo
> type=tunnel
> authby=secret
> left=%defaultroute
> leftid=54.186.82.78
> leftnexthop=%defaultroute
> leftsubnets=172.31.0.0/16,192.168.10.0/24
> right=54.232.199.31
> rightsubnets=10.0.0.0/16,192.168.69.0/24
> ike=aes256-sha
> esp=aes256-sha1
> pfs=yes
> auto=start
>
> Spoke 2
> conn Ireland-to-SaoPaulo
> type=tunnel
> authby=secret
> left=%defaultroute
> leftid=54.76.160.103
> leftnexthop=%defaultroute
> leftsubnet=192.168.69.0/24
> right=54.232.199.31
> rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
> ike=aes256-sha
> esp=aes256-sha1
> pfs=yes
> auto=start
> Hub
> conn SauPaulo-to-Oregon
> type=tunnel
> authby=secret
> left=%defaultroute
> leftid=54.232.199.31
> leftnexthop=%defaultroute
> leftsubnet=10.0.0.0/16
> right=54.186.82.78
> rightsubnets=172.31.0.0/16,192.168.10.0/24
> ike=aes256-sha
> esp=aes256-sha1
> pfs=yes
> auto=start
>
> conn SauPaulo-to-Ireland
> type=tunnel
> authby=secret
> left=%defaultroute
> leftid=54.232.199.31
> leftnexthop=%defaultroute
> leftsubnet=10.0.0.0/16
> right=54.76.160.103
> rightsubnets=192.168.69.0/24
> ike=aes256-sha
> esp=aes256-sha1
> pfs=yes
> auto=start
>
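An added consistency check, not part of this thread or of Openswan itself, over the conn definitions quoted above: it parses the leftsubnet(s)/rightsubnet(s) of each conn, builds the set of subnet pairs each side expects to negotiate, and reports the pairs a spoke expects that no hub conn defines. It assumes exact subnet matching and ignores peer addresses and the other conn settings.

```python
import re
from itertools import product
# Constructed sample: the subnet lines of the conns quoted in the thread.
HUB = """conn SauPaulo-to-Oregon
    leftsubnet=10.0.0.0/16
    rightsubnets=172.31.0.0/16,192.168.10.0/24
conn SauPaulo-to-Ireland
    leftsubnet=10.0.0.0/16
    rightsubnets=192.168.69.0/24"""
SPOKE1 = """conn Oregon-to-SauPaulo
    leftsubnets=172.31.0.0/16,192.168.10.0/24
    rightsubnets=10.0.0.0/16,192.168.69.0/24"""
SPOKE2 = """conn Ireland-to-SaoPaulo
    leftsubnet=192.168.69.0/24
    rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24"""

def parse_conns(text):
    """Map conn name -> (left subnets, right subnets). leftsubnet= and
    leftsubnets= (likewise right) are merged: Openswan expands the plural
    forms into one child SA per left/right subnet pair."""
    conns, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*conn\s+(\S+)", line)
        if m:
            name = m.group(1)
            conns[name] = (set(), set())
            continue
        m = re.match(r"\s*(left|right)subnets?=(\S+)", line)
        if m and name:
            side = 0 if m.group(1) == "left" else 1
            conns[name][side].update(m.group(2).split(","))
    return conns

def sa_pairs(conns):
    """Every (local, remote) subnet pair a host will try to negotiate."""
    return {(l, r) for ls, rs in conns.values() for l, r in product(ls, rs)}

def missing_on_hub(spoke_text, hub_text):
    """Pairs the spoke expects, mirrored into the hub's view as
    (hub subnet, spoke subnet), that no hub conn defines. Exact-match only:
    peer addresses and wider covering subnets are ignored (assumption)."""
    hub = sa_pairs(parse_conns(hub_text))
    wanted = {(r, l) for l, r in sa_pairs(parse_conns(spoke_text))}
    return sorted(wanted - hub)

if __name__ == "__main__":
    for label, spoke in (("Oregon", SPOKE1), ("Ireland", SPOKE2)):
        for pair in missing_on_hub(spoke, HUB):
            print(f"{label}: hub has no conn for {pair[0]} <-> {pair[1]}")
```

Run against the quoted configs, it lists the spoke-to-spoke pairs (192.168.10.0/24 and 172.31.0.0/16 against 192.168.69.0/24) that neither hub conn offers, which is exactly the traffic that cannot be pinged.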