[Openswan Users] Problem of routing under openswan

Herbert Xu herbert at gondor.apana.org.au
Tue Jun 29 13:23:19 CEST 2004


Paul Wouters <paul at xelerance.com> wrote:
> 
>> A tunnel is established through eth1 with subnet 10.2.0.0/16. Since on the opposite side of this tunnel there is another tunnel towards 10.3.0.0/16
>> I had an idea, a few years ago, to say that the first tunnel is established with subnet 10.0.0.0/8 (an no more with 10.2.0.0/16).
>> Why ? In order to see (to ping and reach the SNMP agent) every other machine from the headquarters.
> 
> This is a known limitation of the current 2.6 native ipsec stack. Use KLIPS
> instead. KLIPS for openswan is planned for version 2.3. You can try Nate's

This is not a limitation at all.  It's a feature.

If you want to make an exception for a subrange, you should setup
a pass policy in Openswan/Racoon.  For example, 

conn workaround
	left=192.168.4.1
	leftsubnet=10.2.0.0/16
	right=192.168.4.2
	rightsubnet=10.3.0.0/16
	type=passthrough
	auto=add
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


More information about the Users mailing list