On Fri, Aug 29, 2008 at 1:11 PM, Ben Francom <bfrancom@gmail.com> wrote:

> Greetings,
> I'm gradually replacing our aging BorderManager VPN's w/ Openswan and
> Cisco.  I'm trying to overcome some routing issues with the new
> configuration.  Here is the setup:
>
>
> 10.10.90.0/24===aa.bb.cc.187---aa.bb.cc.190...dd.ee.ff.33---dd.ee.ff.46===192.168.1.0/24
>
> Left Network [Linux OpenSwan]   Site-to-Site VPN        Right Network
> [Cisco ASA 5505]
> Public VPN IP: aa.bb.cc.187             <-->            Public VPN IP:
> dd.ee.ff.46
> Internal Network: 10.10.90.0/24 <-->            Internal Network:
> 192.168.1.0/24
> Openswan Internal IP: 10.10.90.3        <-->            Cisco Internal IP:
> 192.168.1.1
>
> The tunnel is up, and:
> I can ping from Cisco LAN (192.168.1.x) to Openswan server (10.10.90.3)
> I can NOT ping from Cisco LAN to Openswan LAN
>
> I can NOT ping from Openswan to Cisco (Anything)
>
> Openswan route:
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> aa.bb.cc.184    *               255.255.255.248 U     0      0        0
> eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0
> eth1
> 10.10.90.0      *               255.255.255.0   U     0      0        0
> eth0
> 10.10.90.0      *               255.255.255.0   U     0      0        0
> eth1
> link-local      *               255.255.0.0     U     0      0        0
> eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         aa.bb.cc.190    0.0.0.0         UG    0      0        0
> eth1
>
> What other routes might I need on the Linux side?  The goal is to have
> both LAN's communicate using any protocol.
>
> I can post the Cisco config if needed.
> Thanks in advance for any advice.
>
> -Ben
>

Couple questions:

1) Why are there 2 routes for 10.10.90.0/24 going to 2 different interfaces?
2) What interface is the tunnel bound to on the linux side?
3) Is this openswan box alse the default gateway for the 10.10.90/24
network? and the Cisco?

It's been a while since I used a Cisco device to setup a vpn as I've been
using Junipers ScreenOS (awesome device BTW, much much better than a pix),
so I can't quite recall how to do it off the top of my head.

Personally, I like to create a tunnel network to make routing and policy
creation (acls, iptables) easier.  So in this case, I would create a
subinterface and give it an ip of say 10.10.91.1/30 and on the cisco device,
the ip would be 10.10.91.2/30.

If the answer to 3) is yes, then just add a route for 192.168.1.0/24 going
to eth0:1 (or 10.10.91.1).  Conversely on the Cisco, you add a route for
10.10.90/24 to point to 10.10.91.2.  This will then route the appropriate
traffic through the tunnel to the other network.

If anything, I hope this helps you get on the right track! =)

-Mike