<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.6944.0">
<TITLE>Routing Question</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>This is a bit OT, but I'm hoping someone here can give me some insight</FONT>
</P>
<P><FONT SIZE=2>I have my openswan machine setup to essentially allow secure access to </FONT>
<BR><FONT SIZE=2>our internal WAN. The machine has both a public IP(on eth1) and private </FONT>
<BR><FONT SIZE=2>IP(on eth0).</FONT>
</P>
<P><FONT SIZE=2>I have no problem routing clients between subnets that terminate on the </FONT>
<BR><FONT SIZE=2>openswan box, my problem lies in routing clients outside of the openswan </FONT>
<BR><FONT SIZE=2>box(via eth0).</FONT>
</P>
<P><FONT SIZE=2>When I set my default gateway to the public IP on ETH1 openswan works </FONT>
<BR><FONT SIZE=2>perfectly(even for incoming dynamic IP clients), however routing is a </FONT>
<BR><FONT SIZE=2>chore as I have to define static routes to all of my internal subnets.</FONT>
</P>
<P><FONT SIZE=2>When I set my default gateway to the IP on ETH0, forwarding to another </FONT>
<BR><FONT SIZE=2>router, internal routing works perfectly, but all of my inbound IPSEC </FONT>
<BR><FONT SIZE=2>tunnels from dynamic clients fail(timeout).</FONT>
</P>
<P><FONT SIZE=2>My question(s) are:</FONT>
</P>
<P><FONT SIZE=2>1. Which is better, default gw of the public IP, or the internal IP?</FONT>
<BR><FONT SIZE=2>2. Could policy routing help?</FONT>
</P>
<P><FONT SIZE=2>I'm essentially trying to route all traffic from all offices through one </FONT>
<BR><FONT SIZE=2>router, it runs the transparent proxy.</FONT>
</P>
<P><FONT SIZE=2>Let me give the ol ASCII art example:</FONT>
</P>
<P><FONT SIZE=2>Site1 (192.168.10.0/24)<----->Public IP at </FONT>
<BR><FONT SIZE=2>Site1(12.178.243.42)<------>Public IP on </FONT>
<BR><FONT SIZE=2>openswan(12.91.90.76)<------>Private IP on </FONT>
<BR><FONT SIZE=2>openswan(192.168.1.17/24)<---->Private </FONT>
<BR><FONT SIZE=2>Router(192.168.1.1/24)<----->Public IP on </FONT>
<BR><FONT SIZE=2>router(12.191.90.67)<----->Internet</FONT>
</P>
<P><FONT SIZE=2>Essentially any packet from Site1, designated for the internet at large, </FONT>
<BR><FONT SIZE=2>should pass through all of the hosts above.</FONT>
<BR><FONT SIZE=2>If the packet happens to be directed at an internal LAN client, the </FONT>
<BR><FONT SIZE=2>"Private Router" machine will route it appropriately.</FONT>
</P>
</BODY>
</HTML>