On Fri, Aug 29, 2008 at 1:11 PM, Ben Francom <bfrancom@gmail.com> wrote:
Greetings,
I'm gradually replacing our aging BorderManager VPNs w/ Openswan and
Cisco.  I'm trying to overcome some routing issues with the new
configuration.  Here is the setup:

10.10.90.0/24===aa.bb.cc.187---aa.bb.cc.190...dd.ee.ff.33---dd.ee.ff.46===192.168.1.0/24

Left Network [Linux Openswan]   Site-to-Site VPN        Right Network [Cisco ASA 5505]
Public VPN IP: aa.bb.cc.187             <-->            Public VPN IP: dd.ee.ff.46
Internal Network: 10.10.90.0/24 <-->            Internal Network: 192.168.1.0/24
Openswan Internal IP: 10.10.90.3        <-->            Cisco Internal IP: 192.168.1.1

The tunnel is up, and:
I can ping from Cisco LAN (192.168.1.x) to Openswan server (10.10.90.3)
I can NOT ping from Cisco LAN to Openswan LAN

I can NOT ping from Openswan to Cisco (Anything)

Openswan route:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
aa.bb.cc.184    *               255.255.255.248 U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
10.10.90.0      *               255.255.255.0   U     0      0        0 eth0
10.10.90.0      *               255.255.255.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         aa.bb.cc.190    0.0.0.0         UG    0      0        0 eth1

What other routes might I need on the Linux side?  The goal is to have
both LANs communicate using any protocol.

I can post the Cisco config if needed.
Thanks in advance for any advice.

-Ben

Couple questions:

1) Why are there 2 routes for 10.10.90.0/24 going to 2 different interfaces?
2) What interface is the tunnel bound to on the Linux side?
3) Is this Openswan box also the default gateway for the 10.10.90/24 network? And the Cisco?

It's been a while since I used a Cisco device to set up a VPN as I've been using Juniper's ScreenOS (awesome device BTW, much much better than a PIX), so I can't quite recall how to do it off the top of my head.

Personally, I like to create a tunnel network to make routing and policy creation (ACLs, iptables) easier.  So in this case, I would create a subinterface and give it an IP of say 10.10.91.1/30 and on the Cisco device, the IP would be 10.10.91.2/30.

If the answer to 3) is yes, then just add a route for 192.168.1.0/24 going to eth0:1 (or 10.10.91.1).  Conversely on the Cisco, you add a route for 10.10.90/24 to point to 10.10.91.2.  This will then route the appropriate traffic through the tunnel to the other network.

If anything, I hope this helps you get on the right track! =)

-Mike
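Mike's first question (why 10.10.90.0/24 shows up on both eth0 and eth1) and Ben's question about which routes are needed both come down to reading the Linux routing table carefully. The script below is an added example written for this thread, not code from either poster or from the Openswan project: it parses `route -n` style output, flags prefixes that appear on more than one interface, and does a longest-prefix lookup so you can see which interface and gateway the kernel would pick for a given destination. The sample table is constructed to mirror Ben's, with the masked aa.bb.cc.x public addresses replaced by the 203.0.113.0/24 documentation range and the symbolic `link-local`/`loopback` names replaced by their numeric prefixes; the lookup is a simplified model (longest prefix, then lowest metric, then first listed) and does not reproduce every kernel tie-breaking rule.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the `route` output in Ben's message; not captured
# from a live system. 203.0.113.x stands in for the masked aa.bb.cc.x addresses.
SAMPLE_ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.184   0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.10.90.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.90.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.190   0.0.0.0         UG    0      0        0 eth1
"""


def parse_routes(text):
    """Parse `route -n` style output into a list of route dicts.

    Each dict has: network (IPv4Network), gateway (str or None for directly
    attached), flags (str), metric (int), iface (str). The header is skipped.
    """
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = cols[:8]
        # strict=False lets a destination like 203.0.113.184/255.255.255.248 through
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({
            "network": network,
            "gateway": None if gw == "0.0.0.0" else gw,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def duplicate_prefixes(routes):
    """Return {prefix: [ifaces]} for prefixes listed on more than one interface.

    This is what Mike's first question points at: the same LAN prefix reachable
    via two interfaces, so which one carries the traffic is not obvious.
    """
    by_prefix = defaultdict(list)
    for r in routes:
        by_prefix[str(r["network"])].append(r["iface"])
    return {p: ifs for p, ifs in by_prefix.items() if len(ifs) > 1}


def lookup(routes, dst):
    """Simplified route selection: longest prefix, then lowest metric, then first listed.

    The kernel also weighs scope and insertion order; this is enough to read a
    table by hand and explain a ping that leaves on the wrong interface.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    # max() returns the first maximal element, which gives the "first listed" tie-break
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def diagnose(text, remote_lan):
    """Summarise what the table says about reaching remote_lan and flag ambiguities."""
    routes = parse_routes(text)
    findings = []
    for prefix, ifaces in duplicate_prefixes(routes).items():
        findings.append(f"prefix {prefix} appears on {', '.join(ifaces)}: ambiguous")
    remote = ipaddress.IPv4Network(remote_lan)
    r = lookup(routes, str(remote.network_address + 1))
    if r is None or r["network"].prefixlen == 0:
        findings.append(f"no specific route for {remote_lan}; traffic follows the default route")
    else:
        via = f" through {r['gateway']}" if r["gateway"] else " (directly attached)"
        findings.append(f"{remote_lan} is routed via {r['iface']}{via}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_ROUTE_TABLE, "192.168.1.0/24"):
        print(line)
```

Run against the sample it reports the duplicate 10.10.90.0/24 entry on eth0 and eth1 and shows 192.168.1.0/24 being treated as directly attached on eth1; on a real box, feed it the output of `route -n` (or `netstat -rn`) and compare the reported interface with the one the tunnel is actually bound to, which is Mike's second question.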