[Openswan Users] Extruded subnets with 2.6 kernel ipsec
thh at cyberscience.com
Sun Aug 8 18:18:27 CEST 2004
I just upgraded my firewall box at home to Fedora Core 2 and as a result
had to switch from freeswan 2.04 to openswan 2.1.4 in order to get
my VPN link working with the 2.6 kernel ipsec code.
Although the VPN link came up straight away without any problems or
changes to my config I found that all my local network connectivity
vanished at the same time.
One unusual feature of my setup is that my home network is a subnet
that has been extruded from the office network - the connection looks
# Connection to work
# Left security gateway
# Right security gateway
# Start this connection automatically
After playing about a bit I worked out that the security policy that
openswan was creating was catching local packets as well as the ones
intended for the VPN tunnel, hence my problem.
The only solution I have found so far is to add a dummy connection for
each local machine along these lines:
# Communicate with loxley in the clear
The question is, is there any better solution? Could openswan be
modified to recognise the case where one end is a subnet of the other
and automatically add an appropriate hole to the security policy?
Is there at least a way of writing a connection description that
would exempt the whole of the local network rather than having to
do it on a host-by-host basis? I did try a few things but they
didn't seem to work.
Tom Hughes (thh at cyberscience.com)
Software Engineer, Cyberscience Corporation
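As an added illustration (not the poster's own config, which is not reproduced above), the shape of an ipsec.conf pair for an extruded subnet: the tunnel conn whose rightsubnet contains the leftsubnet, which is why the kernel's IPsec policy (SPD) also matches purely local packets, and a second conn of type=passthrough covering the whole local subnet rather than one host. All addresses are constructed from documentation ranges (office 10.0.0.0/16, home 10.0.5.0/24, gateways 192.0.2.10 and 198.51.100.1), and whether the 2.6 native IPsec stack honours a subnet-wide passthrough conn under openswan 2.1.4 is an assumption, not something this thread confirms.

```conf
# Added example, not from the original post. Addresses are constructed.

conn work
    # Home gateway; its subnet is a /24 carved out of the office /16
    left=192.0.2.10
    leftsubnet=10.0.5.0/24
    leftnexthop=%defaultroute
    # Office gateway; rightsubnet is a superset of leftsubnet, so the
    # SPD entry 10.0.5.0/24 -> 10.0.0.0/16 also matches 10.0.5.x -> 10.0.5.y
    right=198.51.100.1
    rightsubnet=10.0.0.0/16
    authby=rsasig
    auto=start

conn local-clear
    # Assumed workaround: a more specific passthrough policy for the whole
    # local subnet, so host-to-host traffic is not captured by "work".
    type=passthrough
    authby=never
    left=192.0.2.10
    leftsubnet=10.0.5.0/24
    right=0.0.0.0
    rightsubnet=10.0.5.0/24
    auto=route
```

The check to make after loading this is to inspect the policies the 2.6 kernel actually installed, with `ip xfrm policy` from iproute2: if a `src 10.0.5.0/24 dst 10.0.5.0/24` entry with no transform appears ahead of the tunnel entry, local packets stay in the clear; if only the tunnel entry is present, the passthrough conn was not accepted and the per-host dummy conns described above remain the fallback.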