<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>Netherlands / Gateway out of subnet</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Hey there,<BR>
<BR>
we're having an issue with Openswan (on corporate smoothwall v4) we're trying to resolve. Here in the Netherlands it is pretty common for ISPs to give you a gateway completely out of your subnet. For example, you get as IP 2.2.2.2/24 and as gateway 1.1.1.1. Mostly this works fine, as your DHCP/Router/TCP/IP stack does something like this:<BR>
<BR>
route add -host 1.1.1.1 dev eth1<BR>
<BR>
Which makes it a next hop and so<BR>
<BR>
route add default gw 1.1.1.1<BR>
<BR>
will work.<BR>
<BR>
However, it doesn't work with Openswan. While building up the connection, Openswan tries something like this:<BR>
<BR>
route add 192.168.0.0/24 dev ipsec0 gw 1.1.1.1<BR>
<BR>
and will error out with:<BR>
SIOCADDRT: Network is unreachable<BR>
because it doesn't see the gateway address as a next hop probably.<BR>
<BR>
Strangely enough, it _does_ work if you replace the ipsec0 device name with one of the ethernet device names (but that won't do anything, of course).<BR>
<BR>
Because it does work with ethernet devices I think it has to do with the implementation of Openswan. It appears that it only checks the subnets to see if it can reach something (as next hop) and not the routing tables.<BR>
<BR>
Is there anyone that can shed some light on this?<BR>
<BR>
Kind regards<BR>
<BR>
</FONT>
</P>
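<P><FONT SIZE=2>The behaviour reported in the message above can be reproduced with a small model of a next-hop check. This is an added example, not part of the original message and not Openswan or kernel code. It assumes a gateway is accepted only when a directly attached route to it exists on the device named in the command, and that ipsec0 carries the same address as eth1; the class and function names are hypothetical.</FONT></P>

```python
import ipaddress

UNREACHABLE = "SIOCADDRT: Network is unreachable"  # error text quoted in the message


class RoutingTable:
    """Toy IPv4 table: each entry is (network, device, gateway-or-None)."""

    def __init__(self):
        self.routes = []

    def add_connected(self, cidr, dev):
        # Configuring an address installs an on-link route for its subnet.
        self.routes.append((ipaddress.ip_interface(cidr).network, dev, None))

    def _next_hop_dev(self, gw, dev):
        # Assumed rule: only gateway-less (directly attached) routes count,
        # and when a device is named only routes on that device count.
        hits = [(net.prefixlen, d) for net, d, via in self.routes
                if via is None and gw in net and dev in (None, d)]
        return max(hits)[1] if hits else None

    def add(self, dest, dev=None, gw=None):
        """Return "ok" or the error string a failed route add would print."""
        net = ipaddress.ip_network(dest)
        gw_ip = None
        if gw is not None:
            gw_ip = ipaddress.ip_address(gw)
            dev = self._next_hop_dev(gw_ip, dev)
            if dev is None:
                return UNREACHABLE
        self.routes.append((net, dev, gw_ip))
        return "ok"


def replay():
    """Replay the message's commands against its sample addresses."""
    t = RoutingTable()
    t.add_connected("2.2.2.2/24", "eth1")
    t.add_connected("2.2.2.2/24", "ipsec0")  # assumption: ipsec0 mirrors eth1
    return [
        t.add("0.0.0.0/0", gw="1.1.1.1"),                     # no host route yet
        t.add("1.1.1.1/32", dev="eth1"),                      # route add -host
        t.add("0.0.0.0/0", gw="1.1.1.1"),                     # default gw
        t.add("192.168.0.0/24", dev="ipsec0", gw="1.1.1.1"),  # Openswan's add
        t.add("192.168.0.0/24", dev="eth1", gw="1.1.1.1"),    # ethernet device
    ]


if __name__ == "__main__":
    print(replay())
```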
</BODY>
</HTML>