Openswan to Cisco ASA 5505 VPN Help
Mike Bydalek
mbydalek at compunetconsulting.com
Fri Sep 12 07:45:32 MST 2008
On Fri, Aug 29, 2008 at 1:11 PM, Ben Francom <bfrancom at gmail.com> wrote:
> Greetings,
> I'm gradually replacing our aging BorderManager VPNs with Openswan and
> Cisco. I'm trying to overcome some routing issues with the new
> configuration. Here is the setup:
>
>
> 10.10.90.0/24===aa.bb.cc.187---aa.bb.cc.190...dd.ee.ff.33---dd.ee.ff.46===192.168.1.0/24
>
> Left Network [Linux Openswan]          Site-to-Site VPN          Right Network [Cisco ASA 5505]
> Public VPN IP: aa.bb.cc.187                  <-->               Public VPN IP: dd.ee.ff.46
> Internal Network: 10.10.90.0/24              <-->               Internal Network: 192.168.1.0/24
> Openswan Internal IP: 10.10.90.3             <-->               Cisco Internal IP: 192.168.1.1
>
> The tunnel is up, and:
> I can ping from Cisco LAN (192.168.1.x) to Openswan server (10.10.90.3)
> I can NOT ping from Cisco LAN to Openswan LAN
>
> I can NOT ping from Openswan to Cisco (Anything)
>
> Openswan route:
> Destination     Gateway        Genmask           Flags  Metric  Ref  Use  Iface
> aa.bb.cc.184    *              255.255.255.248   U      0       0    0    eth1
> 192.168.1.0     *              255.255.255.0     U      0       0    0    eth1
> 10.10.90.0      *              255.255.255.0     U      0       0    0    eth0
> 10.10.90.0      *              255.255.255.0     U      0       0    0    eth1
> link-local      *              255.255.0.0       U      0       0    0    eth0
> loopback        *              255.0.0.0         U      0       0    0    lo
> default         aa.bb.cc.190   0.0.0.0           UG     0       0    0    eth1
>
> What other routes might I need on the Linux side? The goal is to have
> both LANs communicate using any protocol.
>
> I can post the Cisco config if needed.
> Thanks in advance for any advice.
>
> -Ben
>
A couple of questions:
1) Why are there 2 routes for 10.10.90.0/24 going to 2 different interfaces?
2) What interface is the tunnel bound to on the Linux side?
3) Is this Openswan box also the default gateway for the 10.10.90/24
network? And the Cisco?
It's been a while since I used a Cisco device to set up a VPN, as I've been
using Juniper's ScreenOS (awesome device BTW, much much better than a PIX),
so I can't quite recall how to do it off the top of my head.
Personally, I like to create a tunnel network to make routing and policy
creation (ACLs, iptables) easier. So in this case, I would create a
subinterface and give it an IP of, say, 10.10.91.1/30, and on the Cisco device
the IP would be 10.10.91.2/30.
If the answer to 3) is yes, then just add a route for 192.168.1.0/24 going
to eth0:1 (or 10.10.91.1). Conversely on the Cisco, you add a route for
10.10.90/24 to point to 10.10.91.2. This will then route the appropriate
traffic through the tunnel to the other network.
If anything, I hope this helps you get on the right track! =)
-Mike
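A quick way to answer question 1) above on any Linux box, added here as an example and not part of Mike's reply or Ben's post: a small shell script that parses `route` / `netstat -rn` output, reports every destination/netmask routed out of more than one interface, and checks whether the far LAN has a route at all. The function names are my own, and the sample table is the one Ben posted, re-joined one route per line with his aa.bb.cc placeholders kept.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): parse `route` / `netstat -rn` output,
# report prefixes routed out of more than one interface, and check whether a
# given prefix has any route at all. Expected columns:
# Destination Gateway Genmask Flags Metric Ref Use Iface

# Read a routing table on stdin; print "dest/genmask iface1 iface2 ..." for every
# destination/genmask pair that appears on more than one interface.
find_duplicate_routes() {
    awk 'NF >= 8 && $8 != "Iface" {
            key = $1 "/" $3
            if (!(key in ifaces)) order[++n] = key
            ifaces[key] = ifaces[key] " " $8
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i] ifaces[order[i]]
        }'
}

# Read a routing table on stdin; exit 0 if "$1" (dest/genmask) has a route, else 1.
has_route() {
    awk -v want="$1" 'NF >= 8 && ($1 "/" $3) == want { found = 1 }
                      END { exit !found }'
}

# Constructed sample: the table from Ben's post, one route per line
# (public addresses kept as the aa.bb.cc placeholders used in the post).
SAMPLE_ROUTES='Destination  Gateway       Genmask          Flags Metric Ref Use Iface
aa.bb.cc.184 *             255.255.255.248  U     0      0   0   eth1
192.168.1.0  *             255.255.255.0    U     0      0   0   eth1
10.10.90.0   *             255.255.255.0    U     0      0   0   eth0
10.10.90.0   *             255.255.255.0    U     0      0   0   eth1
link-local   *             255.255.0.0      U     0      0   0   eth0
loopback     *             255.0.0.0        U     0      0   0   lo
default      aa.bb.cc.190  0.0.0.0          UG    0      0   0   eth1'

# Run both checks against the sample and print a short report.
check_routes() {
    dups=$(printf '%s\n' "$SAMPLE_ROUTES" | find_duplicate_routes)
    if [ -n "$dups" ]; then
        printf 'routed on more than one interface: %s\n' "$dups"
    fi
    if printf '%s\n' "$SAMPLE_ROUTES" | has_route "192.168.1.0/255.255.255.0"; then
        echo "route for 192.168.1.0/24 present"
    else
        echo "no route for 192.168.1.0/24: traffic to the far LAN follows the default route"
    fi
}

check_routes
```

On a live box, replace the sample with `route -n | find_duplicate_routes`; the duplicate 10.10.90.0 entry on eth0 and eth1 is exactly what this reports for Ben's table.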