Not familiar with OpenSWAN, but in OpenVPN sometimes you have to push routes to the clients to force traffic through.
Does your routing table look right?

On 7/9/2015 10:44 AM, Matt Shields wrote:
> Does anyone have a working OpenSWAN config or can you see what the issue
> might be below? Current test environment is two Amazon VPC's with a VPN
> server NAT'd behind firewall, UDP ports 500 & 4500 are being forwarded.
> I'm using the config below and it "seems" to connect, but can't ping/ssh to
> anything on either side.
>
> DC1:
> - External IP x.x.x.x
> - Internal Subnet 10.10.0.0/16
>
> DC2:
> - External IP y.y.y.y
> - Internal Subnet 192.168.0.0/24
>
> #this config resides on DC1 vpn server
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=none
> # plutodebug="control parsing"
> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> # interfaces=%defaultroute
> klipsdebug=none
> # nhelpers=0
> plutodebug=none
> plutostderrlog=/var/log/pluto.log
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
> oe=off
> # Enable this if you see "failed to find any available worker"
> # nhelpers=0
> # forceencaps=yes
> conn dc1-to-dc2
> auto=start
> type=tunnel
>
> left=10.10.10.43
> leftsourceip=x.x.x.x
> leftsubnet=10.10.0.0/16
> leftid=x.x.x.x
>
> right=y.y.y.y
> rightsubnet=192.168.0.0/24
> rightid=y.y.y.y
>
> #phase 1 encryption-integrity-DiffieHellman
> keyexchange=ike
> ike=3des-md5-modp1024,aes256-sha1-modp1024
> ikelifetime=86400s
> authby=secret #use presharedkey
> rekey=yes #should we rekey when key lifetime is about to expire
>
> #phase 2 encryption-pfsgroup
> phase2=esp #esp for encryption | ah for authentication only
> phase2alg=3des-md5;modp1024
> pfs=no
> forceencaps=yes
>
> #this config resides on DC2 vpn server
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=none
> # plutodebug="control parsing"
> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> # interfaces=%defaultroute
> klipsdebug=none
> # nhelpers=0
> plutodebug=none
> plutostderrlog=/var/log/pluto.log
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:192.168.0.0/24,%v4:!10.10.0.0/16
> oe=off
> # Enable this if you see "failed to find any available worker"
> # nhelpers=0
> # forceencaps=yes
> conn dc2-to-dc1
> auto=start
> type=tunnel
>
> left=192.168.0.22
> leftsourceip=y.y.y.y
> leftsubnet=192.168.0.0/24
> leftid=y.y.y.y
>
> right=x.x.x.x
> rightsubnet=10.10.0.0/16
> rightid=x.x.x.x
>
> #phase 1 encryption-integrity-DiffieHellman
> keyexchange=ike
> ike=3des-md5-modp1024,aes256-sha1-modp1024
> ikelifetime=86400s
> authby=secret #use presharedkey
> rekey=yes #should we rekey when key lifetime is about to expire
>
> #phase 2 encryption-pfsgroup
> phase2=esp #esp for encryption | ah for authentication only
> phase2alg=3des-md5;modp1024
> pfs=no
> forceencaps=yes
>
> Matt
> _______________________________________________
> Discuss mailing list
> [email protected]
> http://lists.blu.org/mailman/listinfo/discuss
