[Openswan Users] Trouble routing ASA VPN-connected subnet through Cisco 1900 <-> openswan tunnel

Patrick Naubert patrickn at xelerance.com
Wed Oct 1 11:30:49 EDT 2014


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: Jon Slusher <jonslusher at gmail.com>
Subject: Trouble routing ASA VPN-connected subnet through Cisco 1900 <-> openswan tunnel
Date: September 16, 2014 at 1:00:31 PM GMT-4
To: users at lists.openswan.org


I’ll try to describe this properly. I’ve been looking for answers to this on the list already, but I’m not having any luck. I have a “main” network into which there is a VPN tunnel provided by an ASA for remote access. Within that main network, there is a Cisco 1900 gateway that connects to multiple tunnels. Two of them are AWS VPCs and one of them has an openswan server on the other side. I can get through the tunnel to the openswan server from within the main subnet, I can also get to the VPCs from the ASA when connected to the VPN, but I can’t get to the openswan gateway from the ASA. I’ve been able to pinpoint the problem at the tunnel itself, but I’m not sure which side is to blame. I suspect the openswan side because the VPC tunnels work fine from the ASA.

I can get from the main to the openswan, but I can’t get from the ASA to the openswan.

The ASA can however get across the tunnels to the VPC networks that exist on the same router.

Here is what I hope is enough info to get this started. Thanks in advance for the help.

--------------------------------------------------------
ASA - 192.168.88.0/24

ASA gateway - 192.168.21.10

main network - 192.168.20.0/22

Cisco 1900 gateway - 192.168.21.25

openswan network - 192.168.100.0/24

openswan gateway - 192.168.100.1

Here are the relevant parts of the configs:
---------------------------
openswan:

conn main
  authby=secret
  auto=start
  type=tunnel
  left=xxx.xxx.xx.xx
  leftid=xxx.xx.xxx.xx
  leftsubnet=192.168.100.0/24
  leftnexthop=%defaultroute
  right=xxx.xx.xxx.xx
  rightsubnets={192.168.20.0/22 192.168.88.0/24}
  rightnexthop=%defaultroute
  phase2=esp
  phase2alg=aes256-sha1;modp2048
  forceencaps=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  pfs=yes

---------------------------
Cisco 1900:

show ip route:
C        192.168.88.0/24 is directly connected, GigabitEthernet0/1
S        192.168.100.0/24 is directly connected, Tunnel5

show run:
ip route 192.168.20.0 255.255.252.0 192.168.21.5
ip route 192.168.88.0 255.255.255.0 192.168.21.10
ip route 192.168.100.0 255.255.255.0 Tunnel3

---------------------------
ASA VPN:

access-list Tunnel3 standard permit 192.168.100.0 255.255.255.0
ip local pool vpn_dhcp 192.168.88.5-192.168.88.254 mask 255.255.255.0
route inside 192.168.21.0 255.255.255.0 192.168.21.5 1
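Added example (not part of the post or of openswan/Cisco tooling): openswan expands `rightsubnets={...}` into one subnet pair, and therefore one child SA, per listed subnet, so traffic from an ASA VPN client at 192.168.88.x to 192.168.100.0/24 must be negotiated under the 192.168.88.0/24 <-> 192.168.100.0/24 pair on both ends. The script below parses the posted `conn main` and ASA split-tunnel ACL (copied in as constructed inline strings) and reports, for a given flow, which pair openswan would select and whether the ASA ACL sends the destination into the VPN.

```python
import ipaddress
import re

# Constructed from the lines posted above; the real file may contain more.
OPENSWAN_CONN = """
conn main
  leftsubnet=192.168.100.0/24
  rightsubnets={192.168.20.0/22 192.168.88.0/24}
"""
ASA_VPN_LINES = [
    "access-list Tunnel3 standard permit 192.168.100.0 255.255.255.0",
]


def parse_openswan_selectors(conf: str):
    """Return (leftsubnet, [rightsubnets...]) as ip_network objects."""
    left = re.search(r"^\s*leftsubnet=(\S+)", conf, re.M).group(1)
    rights = re.search(r"^\s*rightsubnets=\{([^}]*)\}", conf, re.M).group(1)
    return ipaddress.ip_network(left), [ipaddress.ip_network(r) for r in rights.split()]


def parse_asa_standard_acl(lines):
    """Collect the networks permitted by 'access-list <name> standard permit <net> <mask>'."""
    nets = []
    for line in lines:
        m = re.match(r"access-list \S+ standard permit (\S+) (\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def tunnel_selector_for(src, dst, left, rights):
    """Subnet pair (right, left) openswan would use for a packet from src to dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in left:
        return None
    for right in rights:
        if src in right:
            return right, left
    return None


def check_flow(src: str, dst: str) -> dict:
    """Report which openswan pair covers the flow and whether the ASA ACL covers dst."""
    left, rights = parse_openswan_selectors(OPENSWAN_CONN)
    sel = tunnel_selector_for(src, dst, left, rights)
    dst_addr = ipaddress.ip_address(dst)
    return {
        "openswan_pair": None if sel is None else (str(sel[0]), str(sel[1])),
        "asa_split_tunnel_covers_dst": any(dst_addr in n for n in parse_asa_standard_acl(ASA_VPN_LINES)),
    }


if __name__ == "__main__":
    # A VPN client from the ASA pool talking to the openswan LAN.
    print(check_flow("192.168.88.50", "192.168.100.10"))
```

If the reported pair is the 192.168.88.0/24 one, the Cisco side must also carry that exact pair in its crypto policy; the posted Cisco output only shows routes, not the policy, so that is the part to compare next.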
