[Openswan Users] I have some problem about ping from PC1 to PC2 in VPN site-to-site tunnel mode. Thanks
xue tao
xuetao325 at gmail.com
Mon Jun 20 08:48:06 EDT 2016
Hi,
My network configuration is:

  private subnet 192.168.1.0/24                       private subnet 192.168.5.0/24
  PC1 ------ ONT1 <========IPSEC TUNNEL=========> ONT2 ------- PC2
             135.251.199.83                       135.251.205.188
I am setting up an IPsec tunnel on ONT1 and ONT2, and this tunnel seems to have
been set up; on ONT1 I can see:
[root at AONT: admin]# ipsec --version
Linux Openswan U2.6.38/K3.4.11-rt19 (netkey)
[root at AONT: admin]# ipsec setup status
IPsec running - pluto pid: 6676
pluto pid 6676
1 tunnels up
some eroutes exist
[root at AONT: admin]# ip xfrm policy
src 192.168.1.0/24 dst 192.168.5.0/24 proto udp sport 1701 dport 1701
	dir out priority 2344
	tmpl src 135.251.199.83 dst 135.251.205.188
		proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
	dir fwd priority 2344
	tmpl src 135.251.205.188 dst 135.251.199.83
		proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
	dir in priority 2344
	tmpl src 135.251.205.188 dst 135.251.199.83
		proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
	socket out priority 0
And here is my ipsec.conf:

version 2.0	# conforms to second version of ipsec.conf specification

config setup
	nat_traversal=yes
	oe=off
	protostack=netkey
	plutostderrlog=/tmp/vpnerr.log
	plutoopts="--interface=eth4"

conn L2TP-PSK
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	dpddelay=30
	dpdtimeout=120
	dpdaction=Restart
	rekey=yes
	ikelifetime=8h
	keylife=1h
	type=tunnel
	left=135.251.199.83
	leftnexthop=%defaultroute
	# protocol/port selector: 17/1701 narrows this conn to UDP port 1701 (L2TP) traffic only
	leftprotoport=17/1701
	leftsubnet=192.168.1.0/24
	right=135.251.205.188
	rightprotoport=17/1701
	rightsubnet=192.168.5.0/24
Then I cannot access 192.168.5.x, and I followed some documents from the
internet, adding iptables rules like:

iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP

but it does not work. When I add the route my workmates suggested:

route add -net 192.168.5.0/24 ppp0

I can ping 192.168.5.x, but the tcpdump data on ONT2 was not ESP, only ICMP
packets. So this is not the correct way.
Should I add other iptables rules or routes to allow PC1 to ping PC2?
Any assistance will be greatly appreciated!
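Added example (editor's code, not from the poster or the Openswan project): a small checker that parses the `ip xfrm policy` dump quoted in the post and reports which policy, if any, would cover a given flow, and through which ESP tunnel endpoints. The selectors in that dump carry `proto udp sport 1701 dport 1701`, which is what the `leftprotoport`/`rightprotoport` lines in the posted ipsec.conf produce. Constructed inputs: the poster's own dump verbatim, plus an assumed variant of the outbound policy with no protocol/port selector (as it would appear with those two lines absent; its priority value is illustrative). The host addresses 192.168.1.10 and 192.168.5.10 are illustrative hosts inside the two subnets.

```python
"""Check which IPsec (xfrm) policy, if any, covers a given flow.

Added example: parses `ip xfrm policy` text and answers "would this packet
be encapsulated in ESP, and with which tunnel endpoints, or go in the clear?"
"""
import ipaddress

# Constructed sample input: the `ip xfrm policy` dump from the post, verbatim.
XFRM_POLICY_OUTPUT = """\
src 192.168.1.0/24 dst 192.168.5.0/24 proto udp sport 1701 dport 1701
    dir out priority 2344
    tmpl src 135.251.199.83 dst 135.251.205.188
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
    dir fwd priority 2344
    tmpl src 135.251.205.188 dst 135.251.199.83
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
    dir in priority 2344
    tmpl src 135.251.205.188 dst 135.251.199.83
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
"""

# Constructed (assumed, not from the post): the outbound policy as it would look
# with no proto/port selector, i.e. without leftprotoport/rightprotoport in
# ipsec.conf. The priority value is illustrative.
XFRM_POLICY_SUBNET_ONLY = """\
src 192.168.1.0/24 dst 192.168.5.0/24
    dir out priority 2344
    tmpl src 135.251.199.83 dst 135.251.205.188
        proto esp reqid 16385 mode tunnel
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def _kv(line):
    """'src A dst B proto udp' -> {'src': 'A', 'dst': 'B', 'proto': 'udp'}."""
    toks = line.split()
    return dict(zip(toks[0::2], toks[1::2]))


def _proto_num(proto):
    """Normalise 'udp' / '17' / 17 to an IP protocol number (unknown names kept as-is)."""
    s = str(proto).lower()
    return int(s) if s.isdigit() else PROTO_NUMBERS.get(s, s)


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("src "):                 # selector line starts a new policy
            sel = _kv(line)
            cur = {
                "src": ipaddress.ip_network(sel["src"], strict=False),
                "dst": ipaddress.ip_network(sel["dst"], strict=False),
                "proto": _proto_num(sel["proto"]) if "proto" in sel else None,
                "sport": int(sel["sport"]) if "sport" in sel else None,
                "dport": int(sel["dport"]) if "dport" in sel else None,
                "dir": None, "priority": None, "tmpl": None,
            }
            policies.append(cur)
        elif line.startswith("dir "):               # global policy: in / out / fwd
            kv = _kv(line)
            cur["dir"], cur["priority"] = kv["dir"], int(kv["priority"])
        elif line.startswith("socket "):            # per-socket policy, not a tunnel
            cur["dir"], cur["priority"] = "socket", int(_kv(line)["priority"])
        elif line.startswith("tmpl "):              # SA template: outer tunnel endpoints
            kv = _kv(line[len("tmpl "):])
            cur["tmpl"] = {"src": kv["src"], "dst": kv["dst"]}
        elif line.startswith("proto ") and cur and cur["tmpl"]:  # template continuation
            kv = _kv(line)
            cur["tmpl"].update(proto=kv.get("proto"), mode=kv.get("mode"))
    return policies


def find_policy(policies, src, dst, proto, sport=None, dport=None, direction="out"):
    """Best-matching global policy for the flow, or None (packet is sent in the clear).
    As in the kernel, a lower priority value wins among matching selectors."""
    s, d, pn = ipaddress.ip_address(src), ipaddress.ip_address(dst), _proto_num(proto)
    matches = []
    for p in policies:
        if p["dir"] != direction or s not in p["src"] or d not in p["dst"]:
            continue
        if p["proto"] is not None and p["proto"] != pn:
            continue
        if p["sport"] is not None and p["sport"] != sport:
            continue
        if p["dport"] is not None and p["dport"] != dport:
            continue
        matches.append(p)
    return min(matches, key=lambda p: p["priority"]) if matches else None


def describe_flow(policies, src, dst, proto, sport=None, dport=None):
    """Verdict for an outbound flow: 'plaintext' or 'esp tunnel <outer src> -> <outer dst>'."""
    p = find_policy(policies, src, dst, proto, sport, dport)
    if p is None or p["tmpl"] is None:
        return "plaintext"
    t = p["tmpl"]
    return f"{t['proto']} {t['mode']} {t['src']} -> {t['dst']}"


if __name__ == "__main__":
    posted = parse_xfrm_policy(XFRM_POLICY_OUTPUT)
    assumed = parse_xfrm_policy(XFRM_POLICY_SUBNET_ONLY)
    # 192.168.1.10 / 192.168.5.10 are illustrative hosts inside the two subnets.
    for label, pols in (("posted", posted), ("subnet-only", assumed)):
        print(label, "icmp echo:", describe_flow(pols, "192.168.1.10", "192.168.5.10", "icmp"))
        print(label, "udp 1701 :", describe_flow(pols, "192.168.1.10", "192.168.5.10", "udp", 1701, 1701))
```

Against the posted dump, an ICMP echo from the 192.168.1.0/24 side to 192.168.5.0/24 matches no outbound policy, so the kernel routes it in the clear; only UDP 1701 to 1701 is handed to the ESP tunnel template between 135.251.199.83 and 135.251.205.188. That is consistent with tcpdump on ONT2 showing bare ICMP rather than ESP once a plain route exists. Against the assumed subnet-only policy, the same echo is encapsulated. The same checker can be pointed at the live output of `ip xfrm policy` on either gateway.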