<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2627" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>Hi,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<DIV><FONT face=Arial size=2>This request has been posted on both the OpenSWAN and
OpenVPN support forums. The first one to solve this will be highly honoured in
both locations. ;-)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV></DIV>
<DIV><FONT face=Arial size=2>I have a Linux gateway using kernel 2.4.25,
running FreeSWAN 2.06 and OpenVPN 2.0. The gateway has one public IP on eth0 and
one private IP on eth1, and it builds three IPsec tunnels to our corporate
private network through the ipsec0 (eth0) interface. OpenVPN uses the tun0
interface for road warriors. The gateway is firewalled by iptables because it
provides internet access for the private network on eth1 and for the OpenVPN road
warriors. NAT is enabled for traffic to the internet and for traffic from
the OpenVPN subnet, which is not known by any corporate router.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>eth0 Public internet</FONT></DIV>
<DIV><FONT face=Arial size=2>eth1 10.200.1.0/24 private
network</FONT></DIV>
<DIV><FONT face=Arial size=2>ipsec0 10.0.0.0/8 corporate network</FONT></DIV>
<DIV><FONT face=Arial size=2>ipsec0 10.200.2.0/24 corporate network</FONT></DIV>
<DIV><FONT face=Arial size=2>ipsec0 10.200.3.0/24 corporate network</FONT></DIV>
<DIV><FONT face=Arial size=2>tun0 10.200.100.0/24
OpenVPN network</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I don't have to worry at all because at
present this scenario works well, but personal curiosity
and the desire to stay up to date
with the latest developments have made me start experimenting
with various versions of the 2.6 kernel together with FreeSWAN
and also OpenSWAN 2.3.0/2.3.1. However, so far I have not had complete
success running ipsec and OpenVPN simultaneously.
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>When testing I have disabled the firewall apart
from NAT. </FONT></DIV>
<DIV><FONT face=Arial size=2>The ipsec0 interface is removed from all scripts when
using 2.6 kernels.</FONT></DIV>
<DIV><FONT face=Arial size=2>All ip_forward flags in the kernel are set to
1.</FONT></DIV>
<DIV><FONT face=Arial size=2>With only OpenVPN running, road warriors can access
the private network on eth1 as well as the internet on eth0. Starting the ipsec
service will for some reason block road warriors from the private network and
the corporate private network, but they can reach the public internet.</FONT></DIV>
<DIV><FONT face=Arial size=2>Apart from the ipsec0 interface, the output from
the route and ip route commands looks similar for the 2.4 and 2.6
kernels.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>When ipsec is running with kernel 2.6 almost
everything seems normal between the private and the corporate networks. I say
almost because I have discovered a funny replication and mail routing problem
between Lotus Domino servers; this will be the next problem to solve before
trashing 2.4.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Can anyone give a clue or tell me the reason why
routing does not work between OpenVPN clients and any of the private 10.x.x.x
networks on kernel 2.6?</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Many thanks in advance</FONT></DIV>
<DIV><FONT face=Arial size=2>brgds</FONT></DIV>
<DIV><FONT face=Arial size=2>Ole M.</FONT></DIV>
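<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Editor's added example (not part of the original post): a POSIX sh check for one NETKEY-specific cause of exactly this symptom. On 2.6 with the in-kernel IPsec stack the IPsec policy is consulted before the routing table, so the OpenVPN subnet 10.200.100.0/24, which lies inside the tunnelled 10.0.0.0/8, is captured by the tunnel policy instead of the tun0 route. The subnets are the ones listed above; the ip xfrm bypass syntax, the priority value and the Openswan type=passthrough equivalent are assumptions.</FONT></DIV>

```shell
#!/bin/sh
# Added example, not from the original post. With NETKEY (2.6, no ipsec0)
# the IPsec policy (SPD) is consulted before the routing table, so the /24
# route via tun0 no longer beats a tunnel policy covering the same addresses.
# 10.200.100.0/24 (OpenVPN) sits inside the tunnelled 10.0.0.0/8: replies
# from 10.200.1.0/24 are pulled into the tunnel and clear text from tun0
# fails the inbound policy check. This reports such overlaps and prints
# bypass policies (xfrm lookup order and priority value are assumptions).
# Dotted quad to a 32-bit integer (POSIX sh, no bash-isms).
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER: succeed if every address of INNER is in OUTER.
cidr_contains() {
    o_len=${1#*/}; i_len=${2#*/}
    [ "$i_len" -ge "$o_len" ] || return 1
    o_mask=$(( (0xFFFFFFFF << (32 - o_len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "${1%/*}") & o_mask )) -eq $(( $(ip2int "${2%/*}") & o_mask )) ]
}

# Bypass entries (no template = left in the clear) between LOCAL and CLEAR
# in all three directions. A lower priority number wins, so it must be
# lower than pluto's own; the Openswan equivalent is a conn with
# type=passthrough, leftsubnet=LOCAL, rightsubnet=CLEAR, auto=route.
bypass_policy() {   # $1 = local (eth1) subnet, $2 = subnet to keep clear
    printf 'ip xfrm policy add src %s dst %s dir out priority 100\n' "$1" "$2"
    printf 'ip xfrm policy add src %s dst %s dir in  priority 100\n' "$2" "$1"
    printf 'ip xfrm policy add src %s dst %s dir fwd priority 100\n' "$2" "$1"
}

# find_overlaps LOCAL CLEAR TUNNEL...: report each tunnel selector that
# swallows CLEAR and print the bypass for it; returns 0 if any was found.
find_overlaps() {
    local_net=$1; clear_net=$2; shift 2; found=1
    for remote in "$@"; do
        if cidr_contains "$remote" "$clear_net"; then
            echo "# $clear_net is inside tunnel selector $remote"
            bypass_policy "$local_net" "$clear_net"
            found=0
        fi
    done
    return $found
}
# Subnets from the post: eth1 LAN, OpenVPN tun0, then the three tunnels.
if [ "${1:-}" = check ]; then
    find_overlaps 10.200.1.0/24 10.200.100.0/24 10.0.0.0/8 10.200.2.0/24 10.200.3.0/24
fi
```

Run it as `sh overlap.sh check`; it only prints the policy commands, it does not apply them.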
<DIV><FONT face=Arial size=2></FONT> </DIV></FONT></DIV></BODY></HTML>