
OpenSwan site to site vpn routing issue

Asked by beapit
Tags: Linux Networking, VPN, Networking Protocols, AWS
Hello experts,

I have two Linux servers with openswan installed. One is in Amazon (we'll call it "aws") and the other one is in the corporate network (we'll call it "corp"). aws has a private IP with a mapped public IP. corp is in a DMZ and has a public IP (no NAT'ing).

OpenSwan is able to establish a connection between the two servers. From aws, I can ping all the way through the tunnel to private subnets. But from corp I cannot ping back to aws. I get "Destination Host Unreachable".

I've seen that several openswan tutorials include iptables commands, like this one: http://www.systmbx.com/tutorials/tools-utilities/openswan/328-configuring-site-to-site-ipsec-vpn-with-openswan

I don't know what those commands do, and for my situation I don't know whether I should add them to aws, corp, or both.


This is the corp config:
config setup
        # Private ranges a NAT'd peer may sit behind; aws is behind a mapped public IP
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nat_traversal=yes
        protostack=netkey
        oe=no

conn vpn_to_aws
        type=tunnel
        authby=secret
        auth=esp
        pfs=no
        rekey=yes
        auto=start

        # "left" is this host (corp): public IP configured directly on the interface, no NAT
        leftid=168.x.x.x
        left=168.x.x.x
        leftsubnets={[various subnets]}
        # Source address the corp gateway itself uses for traffic it originates into the tunnel
        # (its own pings). The option only does something useful if this address lies inside
        # leftsubnets; otherwise locally generated packets leave with the gateway's nearest
        # address and do not match the IPsec policy.
        leftsourceip=168.x.x.x

        # "right" is aws: reached at its Elastic IP, identified by its private address
        rightid=10.x.x.5
        right=50.x.x.x # untrust interface
        rightsubnets={[various subnets]}

And the config for aws:
config setup
        # The "!" entry carves 10.111.0.0/16 out of the ranges a NAT'd peer may claim,
        # which is how a gateway keeps a network local to itself out of virtual_private
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.111.0.0/16
        nat_traversal=yes
        protostack=netkey
        oe=no
        nhelpers=0

conn vpn_to_corp
        type=tunnel
        authby=secret
        auth=esp
        pfs=no
        rekey=yes
        auto=start

        # "left" is this host (aws). NB: the Elastic IP 50.x.x.x is mapped to the instance
        # by AWS and is not configured on its interface; Openswan expects left= to be an
        # address it can find locally (the private 10.x.x.5, or %defaultroute), with
        # leftid= carrying the identity presented to the peer.
        leftid=10.x.x.5
        left=50.x.x.x
        leftsubnets={[various subnets]}
        # Private address the aws gateway uses for traffic it originates into the tunnel
        leftsourceip=10.x.x.5

        # "right" is corp: public IP, no NAT
        rightid=168.x.x.x
        right=168.x.x.x
        rightsubnets={[various subnets]}

Thank you
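The iptables commands in tutorials of the kind linked above are not reproduced on this page, and the accepted answer is behind the site's paywall. What follows is an added example, not the asker's configuration or the accepted solution: a POSIX shell script that emits the rule set such tutorials typically add on a Linux Openswan (netkey) gateway, in the order that matters, plus a set of read-only checks to run on the gateway that cannot reach the far side. All subnets, the interface name and the far-side host are placeholders. Which gateway needs which rules follows from the question's own description: the nat POSTROUTING exclusions are relevant only on a gateway that masquerades its LAN toward the peer, while the FORWARD and INPUT rules belong on both ends.

```shell
#!/bin/sh
# Added example (not from the question or the accepted answer): emit the iptables
# rules a Linux Openswan/netkey site-to-site gateway needs, and the read-only
# checks worth running before touching the firewall. Subnets, interface and
# far-side host are placeholders, not the asker's values.
set -e

LOCAL_NET="${LOCAL_NET:-10.111.0.0/16}"    # placeholder: LAN behind this gateway
REMOTE_NET="${REMOTE_NET:-172.16.5.0/24}"  # placeholder: LAN behind the peer
WAN_IF="${WAN_IF:-eth0}"                   # placeholder: interface facing the peer
PEER_HOST="${PEER_HOST:-172.16.5.10}"      # placeholder: a host on the far side

# Print the rules in the order they must be applied.
# With a 4th argument of "masq" the gateway also masquerades its LAN, and the
# two ACCEPTs in nat POSTROUTING must come BEFORE MASQUERADE: if the source
# were rewritten first, the packet would be encapsulated with a source outside
# the negotiated subnet pair and the peer would drop it. "-m policy --pol ipsec"
# matches any packet the kernel has already bound to an IPsec policy; the
# explicit subnet rule is a fallback for builds without the xt_policy match.
gen_rules() {
    local_net=$1; remote_net=$2; wan_if=$3; masq=${4:-}
    if [ "$masq" = "masq" ]; then
        printf '%s\n' \
          "iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT" \
          "iptables -t nat -A POSTROUTING -s $local_net -d $remote_net -j ACCEPT" \
          "iptables -t nat -A POSTROUTING -s $local_net -o $wan_if -j MASQUERADE"
    fi
    # Forwarding between the two LANs, and IKE/NAT-T/ESP toward this gateway.
    printf '%s\n' \
      "iptables -A FORWARD -s $local_net -d $remote_net -j ACCEPT" \
      "iptables -A FORWARD -s $remote_net -d $local_net -j ACCEPT" \
      "iptables -A INPUT -i $wan_if -p udp --dport 500 -j ACCEPT" \
      "iptables -A INPUT -i $wan_if -p udp --dport 4500 -j ACCEPT" \
      "iptables -A INPUT -i $wan_if -p esp -j ACCEPT"
}

# Read-only checks for a gateway that cannot reach the far side. ping reports
# "Destination Host Unreachable" from the local address when the kernel has a
# route but cannot resolve the next hop, or from a router that sent the ICMP,
# so look at how the destination is routed and whether an xfrm policy covers
# the source address the kernel picks before blaming the peer.
gen_checks() {
    peer_host=$1; remote_net=$2
    printf '%s\n' \
      "ipsec verify" \
      "ipsec auto --status | grep -E 'erouted|IPsec SA established'" \
      "sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter" \
      "ip route get $peer_host" \
      "ip xfrm policy | grep -A1 'dst $remote_net'" \
      "iptables -t nat -L POSTROUTING -n -v --line-numbers"
}

case "${1:-}" in
    --apply)  gen_rules "$LOCAL_NET" "$REMOTE_NET" "$WAN_IF" "${MASQ:-}" | sh -e ;;
    --checks) gen_checks "$PEER_HOST" "$REMOTE_NET" | sh ;;
    '')       gen_rules "$LOCAL_NET" "$REMOTE_NET" "$WAN_IF" "${MASQ:-}" ;;
esac
```

Run it with no arguments to review the rules, with `--apply` (as root, `MASQ=masq` in the environment if the gateway masquerades) to install them, and with `--checks` to run the diagnostics; `ipsec verify` flags the sysctl settings Openswan cares about (forwarding, rp_filter, ICMP redirects). Two AWS-specific points that no iptables rule fixes, stated here as general EC2 facts rather than as the accepted answer: the aws instance's source/destination check must be disabled and the VPC route table must send corp's subnets to that instance, and its security group must admit UDP 500 and 4500 from 168.x.x.x (ESP is carried inside UDP 4500 once NAT traversal is negotiated, which happens here because aws sits behind a mapped public address).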
ASKER CERTIFIED SOLUTION
beapit
