On Fri, Aug 29, 2008 at 1:11 PM, Ben Francom wrote:
> Greetings,
> I'm gradually replacing our aging BorderManager VPNs w/ Openswan and
> Cisco. I'm trying to overcome some routing issues with the new
> configuration. Here is the setup:
>
> 10.10.90.0/24===aa.bb.cc.187---aa.bb.cc.190...dd.ee.ff.33---dd.ee.ff.46===192.168.1.0/24
>
> Left Network [Linux OpenSwan]        Site-to-Site VPN        Right Network [Cisco ASA 5505]
> Public VPN IP: aa.bb.cc.187                <-->              Public VPN IP: dd.ee.ff.46
> Internal Network: 10.10.90.0/24            <-->              Internal Network: 192.168.1.0/24
> Openswan Internal IP: 10.10.90.3           <-->              Cisco Internal IP: 192.168.1.1
>
> The tunnel is up, and:
> I can ping from Cisco LAN (192.168.1.x) to Openswan server (10.10.90.3)
> I can NOT ping from Cisco LAN to Openswan LAN
> I can NOT ping from Openswan to Cisco (Anything)
>
> Openswan route:
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> aa.bb.cc.184    *               255.255.255.248 U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 10.10.90.0      *               255.255.255.0   U     0      0        0 eth0
> 10.10.90.0      *               255.255.255.0   U     0      0        0 eth1
> link-local      *               255.255.0.0     U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         aa.bb.cc.190    0.0.0.0         UG    0      0        0 eth1
>
> What other routes might I need on the Linux side? The goal is to have
> both LANs communicate using any protocol.
>
> I can post the Cisco config if needed.
> Thanks in advance for any advice.
>
> -Ben

Couple questions:

1) Why are there 2 routes for 10.10.90.0/24 going to 2 different interfaces?
2) What interface is the tunnel bound to on the linux side?
3) Is this openswan box also the default gateway for the 10.10.90/24 network? and the Cisco?

It's been a while since I used a Cisco device to setup a vpn as I've been using Juniper's ScreenOS (awesome device BTW, much much better than a pix), so I can't quite recall how to do it off the top of my head. Personally, I like to create a tunnel network to make routing and policy creation (acls, iptables) easier.

So in this case, I would create a subinterface and give it an ip of say 10.10.91.1/30 and on the cisco device, the ip would be 10.10.91.2/30. If the answer to 3) is yes, then just add a route for 192.168.1.0/24 going to eth0:1 (or 10.10.91.1). Conversely on the Cisco, you add a route for 10.10.90/24 to point to 10.10.91.2. This will then route the appropriate traffic through the tunnel to the other network. If anything, I hope this helps you get on the right track! =)

-Mike
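The first thing Mike asks about is the routing table itself: the same prefix installed on two interfaces, and whether the remote LAN has a route at all. As an added example (not code from either poster in the thread), the script below parses `route -n` / `netstat -rn` style output and reports exactly those conditions, so the check can be re-run after each change on the Linux side. The embedded sample is the table Ben posted, with his masked `aa.bb.cc.x` addresses left as-is; the prefix arguments to `findings()` are the two LANs from his diagram.

```python
"""Sanity-check a Linux routing table for a site-to-site VPN.

Added example for this thread, not code from either poster. It parses the
column layout printed by `route -n` / `netstat -rn` and flags two things:
  * one prefix routed via more than one interface (ambiguous), and
  * a LAN prefix (local or remote) with no route at all (missing).
Rows whose destination is not a literal IPv4 address ('default', 'link-local',
'loopback', or the masked aa.bb.cc.x placeholders from the thread) are kept
textually and never parsed as networks.
"""
import ipaddress
from collections import defaultdict

# Constructed from the routing table quoted in the thread (masked addresses kept).
SAMPLE_ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
aa.bb.cc.184    *               255.255.255.248 U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
10.10.90.0      *               255.255.255.0   U     0      0        0 eth0
10.10.90.0      *               255.255.255.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         aa.bb.cc.190    0.0.0.0         UG    0      0        0 eth1
"""


def parse_routes(text):
    """Return a list of (destination, genmask, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a full 8-column row.
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        routes.append((dest, mask, gw, iface))
    return routes


def _prefix_key(dest, mask):
    """Normalise destination+genmask to CIDR; fall back to the raw text."""
    try:
        return str(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
    except ValueError:
        # 'default', 'link-local', 'loopback' and masked placeholder rows.
        return f"{dest}/{mask}"


def duplicate_prefixes(routes):
    """Prefixes that appear on more than one interface (Mike's question 1)."""
    by_prefix = defaultdict(set)
    for dest, mask, _gw, iface in routes:
        by_prefix[_prefix_key(dest, mask)].add(iface)
    return {p: sorted(ifs) for p, ifs in by_prefix.items() if len(ifs) > 1}


def interfaces_for(routes, cidr):
    """Interfaces carrying a route for exactly this CIDR (empty list if none)."""
    want = str(ipaddress.ip_network(cidr, strict=False))
    return sorted({iface for dest, mask, _gw, iface in routes
                   if _prefix_key(dest, mask) == want})


def findings(routes, local_lan, remote_lan):
    """Human-readable list of problems; empty means the table looks sane."""
    out = []
    for prefix, ifs in duplicate_prefixes(routes).items():
        out.append(f"ambiguous: {prefix} is routed via {', '.join(ifs)}")
    if not interfaces_for(routes, local_lan):
        out.append(f"missing: no route for local LAN {local_lan}")
    if not interfaces_for(routes, remote_lan):
        out.append(f"missing: no route for remote LAN {remote_lan}")
    return out


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_OUTPUT)
    for line in findings(table, "10.10.90.0/24", "192.168.1.0/24") or ["ok"]:
        print(line)
```

Run against Ben's table it reports only the ambiguous 10.10.90.0/24 entry (the remote LAN does have a route, on eth1); pointing `remote_lan` at a prefix the table lacks, such as the 10.10.91.0/30 tunnel network Mike proposes before it is configured, adds a `missing:` line. To use it on a live box, replace `SAMPLE_ROUTE_OUTPUT` with the captured output of `route -n`.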