15

I'm trying to use Openswan (version 2.6.37) to connect an IPsec VPN from my local network to a remote site. Everything works fine when I just want to connect to a single subnet on the remote site. However, the remote site also has an extra subnet that I want to access.

This is my configuration:

conn myConn type=tunnel left=192.168.139.14 leftsubnet=192.168.139.0/24 leftxauthclient=yes right=X.X.X.X rightsubnet=172.16.1.0/24 keyexchange=ike auth=esp authby=secret phase2alg=3des-sha1 pfs=yes

When I replace rightsubnet with rightsubnets, like so:

rightsubnets={172.16.1.0/24 192.168.3.0/24}

...then the connection is created successfully but only the last subnet in the list is available. Any attempts to ping anything on the 172.16.1.0 subnet fails. If I swap the order of the subnets around then I can ping 172.16.1.X but can't ping anything on the other subnet. It's as if Openswan is only using the last subnet in the list to create a connection.

Am I doing something wrong here?

A little bit of extra information that I neglected to mention (although I'm not sure it's relevant): My Openswan client is behind a router using NAT and I have nat_traversal=yes in my ipsec.conf file.

Improve this question
6
  • Do you use VLANs? I had almost exactly the same problem and the issue was a VLAN error Commented Jan 19, 2013 at 2:32
  • Have you tried making two security associations, one for each subnet? Commented Jan 19, 2013 at 11:10
  • @Tyke, no I'm not using VLANs. My OpenSwan client is behind a router using NAT though - I've updated the question to reflect that. Commented Jan 23, 2013 at 10:32
  • @gimmesudo: I tried duplicating my configuration above for a new connection (connection myConn2), with everything identical except for the rightsubnet. When I use ipsec auto --up myConn I can ping 172.168.1.X. When I try to bring up the second connection (ipsec auto --up myConn2), I can ping 192.168.3.X but the first connection dies completely. Commented Jan 23, 2013 at 11:16
  • For conneting as a client on many IPSec routers (like Cisco), You'll simplier to use vpnc ! Commented Mar 2, 2013 at 17:13

5 Answers 5

Reset to default
3

Looks like the usual separator for the multiple subnets is a comma, but at least openswan-2.6.32 works with spaces too.

Interesting information should be logged to /var/log/secure which could contain clues why it isn't working. Also post the output of ip x s sh and ip x p sh.

Improve this answer
1
  • 1
    If you got here trying to switch from single host to multiple hosts, pay attention that the key for multiple subnets is in plural (rightsubnet*s*) instead of singular. Commented Jun 10, 2019 at 20:43
1

Make conn section configuration for each subnets on BOTH endpoints of the tunnel. Only one of them (the first started) will start a SA negotiation, the second (or more) will only make a new SPD of the further subnets.

Improve this answer
1
  • Unfortunately I can't do this as the remote endpoint is a third-party FortiGate router (not running OpenSwan). I'm starting to wonder if the problem may be related to the router not being able to cope with multiple tunnels between the same endpoints. Commented Feb 4, 2013 at 14:29
1

It looks like there's a bug in OpenSwan where the subnets list needs an extra comma at the end to work correctly. Try:

rightsubnets={172.16.1.0/24,192.168.3.0/24,}

Note the extra comma at the end.

Improve this answer
1
  • That is not the case, none of the test cases or examples have an extra comma. Commented Feb 17, 2017 at 17:28
1

If you use rightsubnets you have to use leftsubnets as well, not leftsubnet. Even if there's only one subnet on that side. The ipsec.conf man page doesn't do a great job of explaining this, but it's there.

I had the similar problems for months and just found the answer in openswan multiple subnets routing issue.

Improve this answer
2
  • 1
    Not the case. leftsubnets={singletone}, should be identical to leftsubnet=. (I wrote the code) Commented Feb 17, 2017 at 17:27
  • This was the solution that worked for me using libeswan 3.15. My left had a single subnet and the right had several. If I configured the left using leftsubnet= and the right using rightsubnets={} then only the last rightsubnet actually connected. Once I configured the left to use leftsubnets={} with the one subnet, it connected to all. Commented Aug 3, 2017 at 16:51
-3

It should be like this 

rightsubnets={172.16.1.0/24,192.168.3.0/24}

Use a comma (,) and not a space to separate entries.

Improve this answer
1
  • 1
    That seems to be what the answer from two years ago is saying. Commented May 15, 2015 at 8:20

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.