[Openswan Users] Hub and Spoke issue

Nick Howitt nick at howitts.co.uk
Wed Jul 2 12:29:33 EDT 2014


SauPaulo-to-Oregon rightsubnets is missing 192.168.10.0/24

On 2014-07-02 17:14, Steven Tye wrote:
> OpenVPN has this setting
>
> Routing
>
> Should VPN clients have access to private subnets (non-public
> networks on the server side)?
>
> [ ] No
> [ ] Yes, using NAT
> [x] Yes, using routing (advanced)
>
> Specify the private subnets to which all clients should be given
> access (as 'network/netmask_bits', one per line)
>
> 172.31.0.0/16
> 10.0.0.0/16
> 192.168.69.0/24
> 192.168.10.0/24
> 
> Cleaned up the ipsec.conf as you suggested:
>
> conn SauPaulo-to-Oregon
>  type=tunnel
>  authby=secret
>  left=%defaultroute
>  leftid=54.232.199.31
>  leftnexthop=%defaultroute
>  leftsubnets=10.0.0.0/16,192.168.69.0/24
>  right=54.186.82.78
>  rightsubnets=172.31.0.0/16
>  ike=aes256-sha
>  esp=aes256-sha1
>  pfs=yes
>  auto=start
>
> conn SauPaulo-to-Ireland
>  type=tunnel
>  authby=secret
>  left=%defaultroute
>  leftid=54.232.199.31
>  leftnexthop=%defaultroute
>  leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
>  right=54.76.160.103
>  rightsubnets=192.168.69.0/24
>  ike=aes256-sha
>  esp=aes256-sha1
>  pfs=yes
>  auto=start
> 
> Now I cannot ping from client to/from hub.
> 
> Oregon
>
> conn Oregon-to-SauPaulo
>  type=tunnel
>  authby=secret
>  left=%defaultroute
>  leftid=54.186.82.78
>  leftnexthop=%defaultroute
>  leftsubnets=172.31.0.0/16,192.168.10.0/24
>  right=54.232.199.31
>  rightsubnets=10.0.0.0/16,192.168.69.0/24
>  ike=aes256-sha
>  esp=aes256-sha1
>  pfs=yes
>  auto=start
>
> Ireland
>
> conn Ireland-to-SaoPaulo
>  type=tunnel
>  authby=secret
>  left=%defaultroute
>  leftid=54.76.160.103
>  leftnexthop=%defaultroute
>  leftsubnet=192.168.69.0/24
>  right=54.232.199.31
>  rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
>  ike=aes256-sha
>  esp=aes256-sha1
>  pfs=yes
>  auto=start
> 
> -----Original Message-----
> From: Nick Howitt [mailto:nick at howitts.co.uk]
> Sent: Wednesday, July 2, 2014 12:03 PM
> To: steve
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Hub and Spoke issue
> 
> In OpenVPN are you also pushing a route to 192.168.69.0/24?
> 
> Something also looks wrong in your conns. You should have:
> 
> conn SauPaulo-to-Oregon
>  leftsubnets=SauPaulo's_subnets, Ireland's_subnets
>  rightsubnets=Oregon's_subnets
>
> conn SauPaulo-to-Ireland
>  leftsubnets=SauPaulo's_subnets, Oregon's_subnets
>  rightsubnets=Ireland's_subnets
> 
> You appear to have 192.168.10.0/24 in both Ireland and Oregon
> 
> Nick
> 
> On 2014-07-02 16:39, steve wrote:
> 
>> Nick, awesome. I am almost there.
>> I am able to now ping from spoke to spoke. However, I am trying to
>> ping from my client at 192.168.10.0/24 through to Ireland,
>> 192.168.69.0/24 and it fails. Should the 192.168.10.0/24 network be
>> added anywhere else?
>>
>> Here is my new Hub IPsec.conf
>> Hub
>> conn SauPaulo-to-Oregon
>> type=tunnel
>> authby=secret
>> left=%defaultroute
>> leftid=54.232.199.31
>> leftnexthop=%defaultroute
>> leftsubnets=10.0.0.0/16,192.168.69.0/24
>> right=54.186.82.78
>> rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
>> ike=aes256-sha
>> esp=aes256-sha1
>> pfs=yes
>> auto=start
>>
>> conn SauPaulo-to-Ireland
>> type=tunnel
>> authby=secret
>> left=%defaultroute
>> leftid=54.232.199.31
>> leftnexthop=%defaultroute
>> leftsubnets=10.0.0.0/16,172.31.0.0/16
>> right=54.76.160.103
>> rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
>> ike=aes256-sha
>> esp=aes256-sha1
>> pfs=yes
>> auto=start

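The mismatch pointed out at the top of this message can be found mechanically, because both ends of a tunnel must declare mirrored subnet lists. The Python check below is an added example, not part of the original thread: the function names are hypothetical, it assumes each conn sets `leftid` to its gateway's public IP as the configs above do, and it does not resolve `also=` or `conn %default`.

```python
import ipaddress

def parse_conns(text):
    """Parse the 'conn NAME' sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def subnets(conn, side):
    """Networks declared for 'left' or 'right' (accepts ...subnets or ...subnet)."""
    value = conn.get(side + "subnets") or conn.get(side + "subnet") or ""
    return {ipaddress.ip_network(s.strip()) for s in value.split(",") if s.strip()}

def mirror_mismatches(local_text, remote_text):
    """List subnets that only one end of a tunnel declares."""
    problems, remote = [], parse_conns(remote_text)
    for lname, lc in parse_conns(local_text).items():
        for rname, rc in remote.items():
            # Assumption: leftid is the gateway's public IP, as in the thread.
            if (lc.get("leftid"), lc.get("right")) != (rc.get("right"), rc.get("leftid")):
                continue  # not the two ends of the same tunnel
            for mine, theirs in (("left", "right"), ("right", "left")):
                a, b = subnets(lc, mine), subnets(rc, theirs)
                for net in sorted(a ^ b):
                    where = f"{rname} {theirs}" if net in a else f"{lname} {mine}"
                    problems.append(f"{net} missing from {where}subnets")
    return problems

# Subnet-relevant keys copied from the hub and Oregon conns quoted in the thread.
HUB = """
conn SauPaulo-to-Oregon
    leftid=54.232.199.31
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    right=54.186.82.78
    rightsubnets=172.31.0.0/16
"""
OREGON = """
conn Oregon-to-SauPaulo
    leftid=54.186.82.78
    leftsubnets=172.31.0.0/16,192.168.10.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,192.168.69.0/24
"""
print(mirror_mismatches(HUB, OREGON))
```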
