
I have created an IPSec VPN between two "sites" using Virtual Machines and Openswan for the IPSec tunnel.

My configuration: I created 3 host-only networks, one for each "site" and a third to connect the Openswan servers (emulating a connection over the Internet). All VMs run CentOS 7.

So, in terms of networks, I have:

    vboxnet0: 192.168.56.0/24 - the first site's network
    vboxnet1: 192.168.57.0/24 - the second site's network
    vboxnet2: 192.168.58.0/24 - the "Internet"

I have the following VMs:

    Openswan1: attached to vboxnet0 (IP 192.168.56.106) and vboxnet2 (IP 192.168.58.3)
    Openswan2: attached to vboxnet1 (IP 192.168.57.8) and vboxnet2 (IP 192.168.58.4)
    Server1:   attached only to vboxnet0 (IP 192.168.56.107) (this is a server in the first "site")
    Server2:   attached only to vboxnet1 (IP 192.168.57.9) (this is a server in the second "site")

I enabled the IPSec VPN in Openswan, and then I can ping server2 from server1 and server1 from server2, as expected.

For better understanding, the path taken when I try to go from server1 to server2 is:

    server1 ==(vboxnet0)==> openswan1 ==(vboxnet2, IPSec)==> openswan2 ==(vboxnet1)==> server2

The tunnel is working properly for PINGs:

    [root@server1 ~]# ping 192.168.57.9
    PING 192.168.57.9 (192.168.57.9) 56(84) bytes of data.
    64 bytes from 192.168.57.9: icmp_seq=16 ttl=62 time=1.26 ms
    64 bytes from 192.168.57.9: icmp_seq=17 ttl=62 time=0.860 ms
    64 bytes from 192.168.57.9: icmp_seq=18 ttl=62 time=0.980 ms

The problem is that when I try to SSH from server1 to server2, or vice versa, I get a "No route to host" error.

    [root@server1 ~]# ssh root@192.168.57.9
    ssh: connect to host 192.168.57.9 port 22: No route to host

Tcpdump in openswan1 shows the following messages:

    11:34:37.083444 IP 192.168.56.107.47014 > 192.168.57.9.ssh: Flags [S], seq 2476842671, win 29200, options [mss 1460,sackOK,TS val 3436092 ecr 0,nop,wscale 7], length 0
    11:34:37.083506 IP openswan1.localdomain > 192.168.56.107: ICMP host 192.168.57.9 unreachable - admin prohibited, length 68
    11:34:42.085686 ARP, Request who-has 192.168.56.107 tell openswan1.localdomain, length 28
    11:34:42.086162 ARP, Reply 192.168.56.107 is-at 08:00:27:26:bc:c8 (oui Unknown), length 46

So, in summary, PING works over the IPSec VPN tunnel, but SSH doesn't.

Any ideas about what could be missing or wrong?
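As an added triage example (not part of the question above), the script below parses the tcpdump lines quoted in the post and pairs the TCP SYN with the "admin prohibited" ICMP that answers it. That ICMP is type 3 code 10 (host administratively prohibited), which is what an iptables `REJECT --reject-with icmp-host-prohibited` rule sends and what the Linux kernel reports to the client as EHOSTUNREACH, i.e. ssh's "No route to host". Because the ICMP is sourced by openswan1 itself, the SYN was rejected by a filter rule on that gateway before it ever entered the tunnel; the hostname passed as `capture_host` is taken from the capture, and the sample lines are the post's own output embedded as a constructed string.

```python
import re

# Constructed sample: the tcpdump output quoted in the question, one packet per line
CAPTURE = """\
11:34:37.083444 IP 192.168.56.107.47014 > 192.168.57.9.ssh: Flags [S], seq 2476842671, win 29200, options [mss 1460,sackOK,TS val 3436092 ecr 0,nop,wscale 7], length 0
11:34:37.083506 IP openswan1.localdomain > 192.168.56.107: ICMP host 192.168.57.9 unreachable - admin prohibited, length 68
11:34:42.085686 ARP, Request who-has 192.168.56.107 tell openswan1.localdomain, length 28
11:34:42.086162 ARP, Reply 192.168.56.107 is-at 08:00:27:26:bc:c8 (oui Unknown), length 46
"""

SYN_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\w+): Flags \[S\]")
# tcpdump prints ICMP type 3 code 10 as "host X unreachable - admin prohibited"
ADMIN_PROHIBITED_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP host (\S+) unreachable - admin prohibited")


def to_us(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to microseconds since midnight."""
    h, m, s = ts.split(":")
    return (int(h) * 3600 + int(m) * 60) * 10**6 + int(round(float(s) * 10**6))


def triage(capture, capture_host):
    """Pair each outbound SYN with an admin-prohibited ICMP quoting the same destination.

    capture_host is the name tcpdump prints for the host the capture was taken on;
    if the ICMP is sourced by that host, the reject happened locally (a filter rule
    on the gateway), not somewhere across the tunnel.
    """
    syns, findings = {}, []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m:
            ts, src, _sport, dst, dport = m.groups()
            syns[dst] = {"t": to_us(ts), "src": src, "dport": dport}
            continue
        m = ADMIN_PROHIBITED_RE.match(line)
        if m:
            ts, icmp_src, icmp_dst, unreachable = m.groups()
            syn = syns.get(unreachable)
            if syn is None or syn["src"] != icmp_dst:
                continue  # ICMP does not answer a SYN we saw
            findings.append({"dst": unreachable, "dport": syn["dport"], "rejected_by": icmp_src,
                             "delta_us": to_us(ts) - syn["t"], "local_reject": icmp_src == capture_host})
    return findings


def describe(f):
    """Turn one finding into a one-line verdict for the person debugging the tunnel."""
    where = "a filter rule on that gateway itself" if f["local_reject"] else "an upstream host"
    return (f"SYN to {f['dst']}:{f['dport']} answered by {f['rejected_by']} with ICMP type 3 code 10 "
            f"after {f['delta_us']} us: rejected by {where} (iptables REJECT icmp-host-prohibited "
            f"semantics), so the packet never reached the IPsec tunnel; this is not a routing failure.")


if __name__ == "__main__":
    for finding in triage(CAPTURE, "openswan1.localdomain"):
        print(describe(finding))
```

The 62-microsecond gap between SYN and ICMP is another tell: a reply from the remote site through the tunnel would take roughly the ping round-trip shown above, not tens of microseconds.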
