<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
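The script below is an added example by the editor; it is not code from the mail thread or from Openswan. It carries out the two steps that Simon Charles describes in his reply below (passthrough xfrm policies for the destinations that must leave Router A directly, then a full-tunnel conn with rightsubnet=0.0.0.0/0) as a POSIX shell script. It assumes the addresses used in the thread, a placeholder conn name <code>fulltunnel</code>, and an exclusion priority of 100 that sorts ahead of the priority Openswan gives its own 0.0.0.0/0 policy (confirm on your router with <code>ip xfrm policy show</code> once the tunnel is up). By default it only prints the commands; <code>APPLY=1</code> executes them as root.<br><br>

```shell
#!/bin/sh
# Added example (not from the mail thread): split-exclusion setup for a
# NETKEY/xfrm full tunnel on Router A. Generates, or applies with APPLY=1,
# the passthrough policies for destinations that must leave Router A in the
# clear, then emits the ipsec.conf conn that tunnels everything else to
# Router B. Addresses, the conn name and the priority are placeholders.
set -eu

LOCAL_NET=${LOCAL_NET:-10.10.3.0/24}   # leftsubnet on Router A
# Assumption: openswan's own 0.0.0.0/0 policy gets a larger (weaker) priority
# number than this; verify with `ip xfrm policy show` after the conn is up.
EXCLUDE_PRIO=${EXCLUDE_PRIO:-100}
APPLY=${APPLY:-0}                       # 0 = dry run (print), 1 = execute as root

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# selector DIR DST -> "SRC DST" as the kernel sees the packet in that direction.
# 'out' matches our traffic towards DST; 'in' and 'fwd' match the replies,
# whose source address is DST, so the selector is reversed for them.
selector() {
    case "$1" in
        out)    printf '%s %s\n' "$LOCAL_NET" "$2" ;;
        in|fwd) printf '%s %s\n' "$2" "$LOCAL_NET" ;;
        *)      echo "selector: bad direction '$1'" >&2; return 1 ;;
    esac
}

# passthrough DST: three policies with no 'tmpl' clause, i.e. 'action allow'
# without IPsec, one per direction. 'update' creates or replaces, so it is
# safe to re-run; install these before the tunnel conn comes up.
passthrough() {
    dst=$1
    for dir in out in fwd; do
        sel=$(selector "$dir" "$dst")
        src=${sel% *}; d=${sel#* }
        run ip xfrm policy update dir "$dir" src "$src" dst "$d" \
            priority "$EXCLUDE_PRIO" action allow
    done
}

# full_tunnel_conn NAME LEFT RIGHT: ipsec.conf stanza sending 0.0.0.0/0 via Router B.
full_tunnel_conn() {
    printf 'conn %s\n' "$1"
    printf '    left=%s\n' "$2"
    printf '    leftsubnet=%s\n' "$LOCAL_NET"
    printf '    right=%s\n' "$3"
    printf '    rightsubnet=0.0.0.0/0\n'
    printf '    auto=start\n'
}

# Usage: sh split-tunnel.sh 4.4.4.4 [more destinations...]
# Prints the exclusion commands first (step 1), then the conn block (step 2).
if [ "$#" -gt 0 ]; then
    for dst in "$@"; do passthrough "$dst"; done
    echo "# append to ipsec.conf on Router A:"
    full_tunnel_conn fulltunnel 222.222.222.7 221.221.221.7
fi
```

The in and fwd policies use the reversed selector on purpose: the replies from 4.4.4.4 arrive with 4.4.4.4 as source, and without a matching allow policy they would hit the inbound 0.0.0.0/0 to 10.10.3.0/24 policy of the tunnel and be discarded as unprotected traffic. Running the script with no arguments does nothing, so it can be sourced to reuse the functions.<br><br>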
Sheng,<br>If this is what you want to do:-<br>1) All traffic from Router A to go out through Router B<br>2) Specific routes from Router A to go outside the tunnel through Router A itself<br><br>then yes, it is possible.<br><br>Here is one of the ways to achieve this.<br><br>1) Exclude specific traffic from the tunnel<br>ip xfrm policy update dir in src 4.4.4.4 dst 10.10.3.0/24<br>ip xfrm policy update dir out src 10.10.3.0/24 dst 4.4.4.4<br>ip xfrm policy update dir fwd src 4.4.4.4 dst 10.10.3.0/24<br><br>2) Build a full tunnel from Router A to Router B<br>
ipsec configuration on Router A like:-<br>
leftsubnet=10.10.3.0/24<br>
rightsubnet=0.0.0.0/0<br><br>You should execute the commands in step 1 before you add the ipsec connections defined in step 2. Hope this helps.<br><br><span style="font-family:Tahoma,Helvetica,Sans-Serif;font-style:italic;font-weight:bold">-<span style="font-family:Times New Roman,Times,Serif"> Simon Charles - </span></span><br><br><br><div><div id="SkyDrivePlaceholder"></div>> Date: Mon, 16 Jul 2012 16:53:42 -0700<br>> Subject: Re: [Openswan Users] Is there anyway to setup static route with NETKEY stack?<br>> From: sheng@yasker.org<br>> To: charlessimon@hotmail.com<br>> CC: users@lists.openswan.org<br>> <br>> Hi Simon,<br>> <br>> Thanks for the reply!<br>> <br>> However, the configuration is what I cannot figure out now.<br>> <br>> For example,<br>> <br>> local subnet 10.10.3.0/24 ---- left router A 222.222.222.7<br>> left router A 222.222.222.7 ---- Internet ============= Internet ---- right router B 221.221.221.7<br>> right router B 221.221.221.7 ------ remote subnets 172.16.10.1/24<br>> <br>> So, can I configure it so that if a host in the local subnet wants to access e.g.<br>> 8.8.8.8, the traffic has to go through router B rather than router<br>> A (NAT disabled) and reach the internet? And at the same time, if a host<br>> wants to access e.g. 4.4.4.4, the traffic would go through router A?<br>> <br>> --Sheng<br>> <br>> On Mon, Jul 16, 2012 at 4:39 PM, simon charles <charlessimon@hotmail.com> wrote:<br>> > Sheng,<br>> > Can you provide your configuration so we may look at it and make<br>> > recommendations. 
It would help if you described the network layout of your<br>> > remote site / local site, how they are connected and what you are trying<br>> > to achieve at the remote site / local site.<br>> > Thanks.<br>> ><br>> > - Simon Charles -<br>> ><br>> ><br>> >> Date: Mon, 16 Jul 2012 16:32:46 -0700<br>> >> From: sheng@yasker.org<br>> >> To: users@lists.openswan.org<br>> >> Subject: [Openswan Users] Is there anyway to setup static route with<br>> >> NETKEY stack?<br>> ><br>> >><br>> >> Hi,<br>> >><br>> >> I've dug through Google and this mailing list's archive for quite some time,<br>> >> but still fail to find a way to specify static routes per our<br>> >> requirement in the NETKEY stack.<br>> >><br>> >> The scenario is somewhat easy to understand: we want to route any<br>> >> traffic we specify through the ipsec tunnel.<br>> >><br>> >> Currently the configuration works well for certain subnets (we had to<br>> >> specify them in rightsubnets of ipsec.conf). But when it comes to<br>> >> redirecting other traffic through the ipsec tunnel, e.g. we may want to<br>> >> let the remote gateway (on the other side of the ipsec tunnel) handle local<br>> >> traffic to the Internet, we can't figure out a way to do that with the<br>> >> NETKEY stack.<br>> >><br>> >> It seems that with KLIPS we can simply add an ip route for that. I've checked ip<br>> >> xfrm, but still can't figure out a way to do that.<br>> >><br>> >> When searching for possible methods, I saw someone say "No, there is<br>> >> no way to do so", but I still want to confirm that. 
Because if NETKEY<br>> >> is to replace KLIPS, why can't we do the same thing as in KLIPS (if I<br>> >> understand right)?<br>> >><br>> >> Thanks in advance!<br>> >><br>> >> --Sheng<br>> >> _______________________________________________<br>> >> Users@lists.openswan.org<br>> >> https://lists.openswan.org/mailman/listinfo/users<br>> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>> >> Building and Integrating Virtual Private Networks with Openswan:<br>> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br></div>                                            </div></body>
</html>