Routing table looks good; on both sides I can see the other's routes in my routing table and it shows the correct next hop.

I'd much prefer OpenVPN, that's what we normally use for both employees and clients. I even have it linked to Active Directory, plus custom rules when they log in. But this client doesn't want to set up a host for OpenVPN on their side, they *only* use IPsec VPNs.

Matt

On Fri, Jul 10, 2015 at 6:58 PM, Matthew Gillen <[email protected]> wrote:
> Not familiar with OpenSWAN, but in OpenVPN sometimes you have to push
> routes to the clients to force traffic through.
>
> Does your routing table look right?
>
> On 7/9/2015 10:44 AM, Matt Shields wrote:
> > Does anyone have a working OpenSWAN config or can you see what the issue
> > might be below? Current test environment is two Amazon VPCs with a VPN
> > server NAT'd behind firewall, UDP ports 500 & 4500 are being forwarded.
> > I'm using the config below and it "seems" to connect, but can't ping/ssh to
> > anything on either side.
> >
> > DC1:
> > - External IP x.x.x.x
> > - Internal Subnet 10.10.0.0/16
> >
> > DC2:
> > - External IP y.y.y.y
> > - Internal Subnet 192.168.0.0/24
> >
> > #this config resides on DC1 vpn server
> > config setup
> >     # Debug-logging controls: "none" for (almost) none, "all" for lots.
> >     # klipsdebug=none
> >     # plutodebug="control parsing"
> >     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> >     # interfaces=%defaultroute
> >     klipsdebug=none
> >     # nhelpers=0
> >     plutodebug=none
> >     plutostderrlog=/var/log/pluto.log
> >     protostack=netkey
> >     nat_traversal=yes
> >     virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
> >     oe=off
> >     # Enable this if you see "failed to find any available worker"
> >     # nhelpers=0
> >     # forceencaps=yes
> > conn dc1-to-dc2
> >     auto=start
> >     type=tunnel
> >
> >     left=10.10.10.43
> >     leftsourceip=x.x.x.x
> >     leftsubnet=10.10.0.0/16
> >     leftid=x.x.x.x
> >
> >     right=y.y.y.y
> >     rightsubnet=192.168.0.0/24
> >     rightid=y.y.y.y
> >
> >     #phase 1 encryption-integrity-DiffieHellman
> >     keyexchange=ike
> >     ike=3des-md5-modp1024,aes256-sha1-modp1024
> >     ikelifetime=86400s
> >     authby=secret #use presharedkey
> >     rekey=yes #should we rekey when key lifetime is about to expire
> >
> >     #phase 2 encryption-pfsgroup
> >     phase2=esp #esp for encryption | ah for authentication only
> >     phase2alg=3des-md5;modp1024
> >     pfs=no
> >     forceencaps=yes
> >
> > #this config resides on DC2 vpn server
> > config setup
> >     # Debug-logging controls: "none" for (almost) none, "all" for lots.
> >     # klipsdebug=none
> >     # plutodebug="control parsing"
> >     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> >     # interfaces=%defaultroute
> >     klipsdebug=none
> >     # nhelpers=0
> >     plutodebug=none
> >     plutostderrlog=/var/log/pluto.log
> >     protostack=netkey
> >     nat_traversal=yes
> >     virtual_private=%v4:192.168.0.0/24,%v4:!10.10.0.0/16
> >     oe=off
> >     # Enable this if you see "failed to find any available worker"
> >     # nhelpers=0
> >     # forceencaps=yes
> > conn dc2-to-dc1
> >     auto=start
> >     type=tunnel
> >
> >     left=192.168.0.22
> >     leftsourceip=y.y.y.y
> >     leftsubnet=192.168.0.0/24
> >     leftid=y.y.y.y
> >
> >     right=x.x.x.x
> >     rightsubnet=10.10.0.0/16
> >     rightid=x.x.x.x
> >
> >     #phase 1 encryption-integrity-DiffieHellman
> >     keyexchange=ike
> >     ike=3des-md5-modp1024,aes256-sha1-modp1024
> >     ikelifetime=86400s
> >     authby=secret #use presharedkey
> >     rekey=yes #should we rekey when key lifetime is about to expire
> >
> >     #phase 2 encryption-pfsgroup
> >     phase2=esp #esp for encryption | ah for authentication only
> >     phase2alg=3des-md5;modp1024
> >     pfs=no
> >     forceencaps=yes
> >
> > Matt
> > _______________________________________________
> > Discuss mailing list
> > [email protected]
> > http://lists.blu.org/mailman/listinfo/discuss
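An added consistency check for the two ipsec.conf fragments quoted in the thread above (example code written for this page, not from the thread or from the Openswan project). It parses Openswan-style `config setup` / `conn` sections, strips trailing `#` comments, verifies that the two ends mirror each other (each side's `leftsubnet`/`leftid` must equal the other's `rightsubnet`/`rightid`, and `authby`, `pfs`, `forceencaps` and at least one `ike` and `phase2alg` proposal must agree), and lists proposals that rely on 3DES, MD5, SHA-1 or the 1024-bit MODP group, plus `pfs=no`. The function names, `WEAK_TOKENS`, and the trimmed sample confs are my own assumptions; the sample values are taken from the posted configs.

```python
"""Cross-check two Openswan-style ipsec.conf fragments, one per tunnel end.
Example code for this page, not Openswan's own; function names and the
WEAK_TOKENS list are assumptions. Sample confs are constructed from the
values posted in the thread, with comment-only lines trimmed."""
import re

# Constructed sample: the DC1 side as posted (trailing '#' comments kept on
# purpose so the parser has to strip them).
DC1_CONF = """\
config setup
    protostack=netkey
conn dc1-to-dc2
    left=10.10.10.43
    leftsubnet=10.10.0.0/16
    leftid=x.x.x.x
    right=y.y.y.y
    rightsubnet=192.168.0.0/24
    rightid=y.y.y.y
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    authby=secret #use presharedkey
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes
"""

# Constructed sample: the DC2 side, which must be DC1's mirror image.
DC2_CONF = """\
conn dc2-to-dc1
    left=192.168.0.22
    leftsubnet=192.168.0.0/24
    leftid=y.y.y.y
    right=x.x.x.x
    rightsubnet=10.10.0.0/16
    rightid=x.x.x.x
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    authby=secret
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes
"""

# Algorithm tokens an editor would flag today (assumption, not an Openswan list).
WEAK_TOKENS = {"3des", "md5", "sha1", "modp1024"}

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'.
    Sections open with 'config setup' or 'conn <name>'; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        head = re.match(r"^(config|conn)\s+(\S+)$", line)
        if head:
            current = head.group(2)
            sections[current] = {}
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def proposals(value):
    """'3des-md5-modp1024,aes256-sha1;modp1024' -> list of token tuples."""
    return [tuple(re.split(r"[-;]", p.strip())) for p in value.split(",") if p.strip()]

def mirror_findings(a, b):
    """Mismatches between the two ends of one tunnel (empty list == consistent)."""
    out = []
    for left, right in (("leftsubnet", "rightsubnet"), ("leftid", "rightid")):
        if a.get(left) != b.get(right):
            out.append(f"A {left}={a.get(left)} but B {right}={b.get(right)}")
        if a.get(right) != b.get(left):
            out.append(f"A {right}={a.get(right)} but B {left}={b.get(left)}")
    for key in ("authby", "pfs", "forceencaps"):
        if a.get(key) != b.get(key):
            out.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    for key in ("ike", "phase2alg"):  # both ends need a proposal in common
        common = {frozenset(p) for p in proposals(a.get(key, ""))} & {
            frozenset(p) for p in proposals(b.get(key, ""))}
        if not common:
            out.append(f"no {key} proposal in common")
    return out

def weak_findings(conn):
    """Proposals using WEAK_TOKENS, plus pfs=no (Openswan defaults pfs to yes)."""
    out = []
    for key in ("ike", "phase2alg"):
        for prop in proposals(conn.get(key, "")):
            weak = [t for t in prop if t in WEAK_TOKENS]
            if weak:
                out.append(f"{key} {'-'.join(prop)} uses {', '.join(weak)}")
    if conn.get("pfs", "yes").lower() == "no":
        out.append("pfs=no: phase 2 keys are not protected by a fresh DH exchange")
    return out

if __name__ == "__main__":
    a = parse_ipsec_conf(DC1_CONF)["dc1-to-dc2"]
    b = parse_ipsec_conf(DC2_CONF)["dc2-to-dc1"]
    for line in mirror_findings(a, b) or ["ends mirror each other"]:
        print("mirror:", line)
    for line in weak_findings(a):
        print("weak:  ", line)
```

Run as-is it reports that the two posted ends do mirror each other and then lists the weak proposals (both `3des-md5-modp1024` entries, the `modp1024`/`sha1` half of the AES proposal, and `pfs=no`); a typo in one side's subnet or id shows up as a mirror finding before anyone has to read pluto.log.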
