[Openswan Users] Extruded subnets with 2.6 kernel ipsec
Tom Hughes
thh at cyberscience.com
Sun Aug 8 18:18:27 CEST 2004
I just upgraded my firewall box at home to Fedora Core 2 and as a result
had to switch from freeswan 2.04 to openswan 2.1.4 in order to get
my VPN link working with the 2.6 kernel ipsec code.
Although the VPN link came up straight away without any problems or
changes to my config I found that all my local network connectivity
vanished at the same time.
One unusual feature of my setup is that my home network is a subnet
that has been extruded from the office network - the connection looks
like this:
# Connection to work
conn cyberscience
        # Left security gateway
        left=213.38.135.130
        leftnexthop=213.38.135.129
        leftsubnet=172.16.0.0/12
        leftid=@gate.uk.cyberscience.com
        leftrsasigkey=...
        # Right security gateway
        right=217.169.19.106
        rightnexthop=217.169.19.105
        rightsubnet=172.16.9.0/28
        rightsourceip=172.16.9.1
        rightid=@gate.compton.nu
        rightrsasigkey=...
        # Start this connection automatically
        auto=start
After playing about a bit I worked out that the security policy that
openswan was creating was catching local packets as well as the ones
intended for the VPN tunnel, hence my problem.
The only solution I have found so far is to add a dummy connection for
each local machine along these lines:
# Communicate with loxley in the clear
conn loxley
        left=172.16.9.1
        right=172.16.9.4
        type=passthrough
        authby=never
        auto=route
The question is, is there any better solution? Could openswan be
modified to recognise the case where one end is a subnet of the other
and automatically add an appropriate hole to the security policy?
Is there at least a way of writing a connection description that
would exempt the whole of the local network rather than having to
do it on a host-by-host basis? I did try a few things but they
didn't seem to work.
Tom
--
Tom Hughes (thh at cyberscience.com)
Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/