beapit asked:
OpenSwan site to site vpn routing issue

Hello experts,

I have two linux servers with openswan installed. One is in amazon (we'll call it "aws") and the other one is in the corporate network (we'll call it "corp"). Aws has a private ip with a mapped public IP. Corp is in a DMZ and has a public IP (no NAT'ing).

OpenSwan is able to establish a connection between the two servers. From aws, I can ping all the way through the tunnel to the private subnets. But from corp I cannot ping back to aws; I get "Destination Host Unreachable".

I've seen that several openswan tutorials include iptables commands, like this one: http://www.systmbx.com/tutorials/tools-utilities/openswan/328-configuring-site-to-site-ipsec-vpn-with-openswan

I don't know what those commands are doing, and for my situation I don't know whether I should be adding them to aws, to corp, or to both.


This is the corp config
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nat_traversal=yes
        protostack=netkey
        oe=no

conn vpn_to_aws
        type=tunnel
        authby=secret
        auth=esp
        pfs=no
        rekey=yes
        auto=start

        leftid=168.x.x.x
        left=168.x.x.x
        leftsubnets={[various subnets]}
        leftsourceip=168.x.x.x

        rightid=10.x.x.5
        right=50.x.x.x # untrust interface
        rightsubnets={[various subnets]}



And the config for aws
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.111.0.0/16
        nat_traversal=yes
        protostack=netkey
        oe=no
        nhelpers=0

conn vpn_to_corp
        type=tunnel
        authby=secret
        auth=esp
        pfs=no
        rekey=yes
        auto=start

        leftid=10.x.x.5
        left=50.x.x.x
        leftsubnets={[various subnets]}
        leftsourceip=10.x.x.5

        rightid=168.x.x.x
        right=168.x.x.x
        rightsubnets={[various subnets]}



Thank you
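The iptables commands the tutorials show exist because a gateway that masquerades its outbound traffic (a common setup on the AWS side) will rewrite the source address of tunnel-bound packets before the kernel's IPsec policy matches them, so they leave the WAN interface unencrypted and the far side never answers; the fix is an exemption rule ahead of the MASQUERADE plus FORWARD rules and ip_forward. The script below is an added example, not from the post, OpenSwan, or the linked tutorial: it prints the rule set each gateway needs for its own local/remote subnet pair and checks a captured `iptables-save -t nat` dump for a correctly ordered exemption. The subnets and interface name used are constructed placeholders.

```shell
#!/bin/sh
# Added example; 10.111.0.0/16, 192.168.1.0/24 and eth0 are constructed
# placeholders. Run tunnel_nat_rules on each gateway with that gateway's
# own local and remote subnets (they swap places between aws and corp).

# Print the forwarding/NAT setup for one gateway. The POSTROUTING ACCEPT is
# inserted at position 1 so it is evaluated before any MASQUERADE rule.
tunnel_nat_rules() {
    local_net=$1 remote_net=$2 wan_if=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
iptables -A FORWARD -s $local_net -d $remote_net -j ACCEPT
iptables -A FORWARD -s $remote_net -d $local_net -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s $local_net -d $remote_net -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
EOF
}

# Read "iptables-save -t nat" output on stdin; succeed only if a POSTROUTING
# ACCEPT/RETURN for local->remote appears before any MASQUERADE or SNAT.
# Conservative: any earlier MASQUERADE/SNAT counts as a problem, whatever
# its interface match, because it may still catch tunnel traffic.
nat_exempts_tunnel() {
    awk -v l="$1" -v r="$2" '
        /^-A POSTROUTING/ {
            if (($0 ~ ("-s " l)) && ($0 ~ ("-d " r)) && /-j (ACCEPT|RETURN)/) {
                ok = 1
            } else if (/-j (MASQUERADE|SNAT)/ && !ok) {
                bad = 1
            }
        }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# Usage on the aws gateway (prints the commands; it does not apply them):
tunnel_nat_rules 10.111.0.0/16 192.168.1.0/24 eth0
```

To audit a running box, pipe `iptables-save -t nat | nat_exempts_tunnel <local> <remote>` and treat a non-zero exit as "tunnel traffic is being NATed". The same check is worth running on both ends, since only the side whose packets get rewritten shows the one-way symptom.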
Steven Vona:

Here is a good how-to explaining openswan point to point VPN.

http://www.putorius.net/2012/08/creating-end-to-end-ipsec-tunnel.html
beapit (asker):

Thanks but I've already got the tunnel initiating. I don't see anything in that tutorial that isn't already configured in what I posted.
ASKER CERTIFIED SOLUTION
beapit (solution text not available on this page)
beapit (asker):

My solution is the right answer and actually explains what the problem and solution is.