[Openswan Users] Problems with IPsec on native 2.6.4
Michal Ludvig
michal-list at logix.cz
Tue Mar 16 17:08:24 CET 2004
Hi all,
I've got serious problems with configuring Openswan-2 on native 2.6.4
kernel.
My situation is:
             10.20.0.0/20
           (office network)
                  |
                  |
                  |
             10.20.0.1/20
               (router)
             10.20.16.2/30
                  |
             10.20.16.1/30
          [GW, IPsec gateway]
  ip.ad.dr.es =====[ ipsec tunnel ]======= a.d.d.r
       |                                   10.0.0.1
       |                                      |
       |                           rest of the 10.0.0.0/8 network
       |                                   (headq)
    a.b.c.d
  (homeworker)
  10.20.112.1/24
The problem is with the GW:
There is:
conn headq
        left=10.20.0.0/16
        right=10.0.0.0/8

conn homeworker
        left=10.20.112.0/24
        right=10.0.0.0/8
With this setup, 'office' can access 'headq', 'homeworker' can access
'headq', but 'office' and 'homeworker' can't access each other.
I also had to explicitly add these SPDs so that GW could access 'office'
and the router's external interface:
spdadd 10.20.16.0/30 10.20.0.0/20 any -P out none;
spdadd 10.20.16.1 10.20.16.2 any -P out none;
I observed that on the homeworker's machine there are SPD entries 'in',
'out' and 'fwd' for 10.0.0.0/8 and 10.20.112.0/24 networks. However on
the GW there are only 'out' entries for every connection. I tried to
manually add new SPD entries in the office <-> homeworker directions,
but no luck.
The problem is, that the tunnel 10.20.0.0/16 <==> 10.0.0.0/8 covers
almost every possible traffic (e.g. homeworker->office falls into there
as well) and so it's incorrectly encapsulated and routed.
Does anyone have an idea how to configure it?
Thanks in advance!
Michal Ludvig
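To make the overlap described in the post concrete, here is an added illustration (not code from the post or from Openswan) that models the GW's outbound policy table as an ordered, first-match list and classifies the flows from the diagram; it assumes first-match ordering as a simplification of kernel policy selection, that in conn homeworker the GW-local side is 10.0.0.0/8 and the remote side 10.20.112.0/24, and uses constructed sample host addresses.

```python
# Added illustration, not Openswan code.  Models the GW's outbound policy
# table as an ordered, first-match list of (src selector, dst selector,
# action) and classifies the flows from the diagram in the post.
# Assumptions: first-match ordering (a simplification of setkey/xfrm policy
# selection); in conn homeworker the GW-local side is 10.0.0.0/8 and the
# remote side 10.20.112.0/24; host addresses below are constructed samples.
from ipaddress import ip_address, ip_network

# Outbound selectors on GW derived from the two conns, in the order listed.
# 'ipsec:<conn>' = encapsulate into that tunnel; 'none' = send in the clear
# (what "spdadd ... -P out none" expresses).
def base_spd():
    return [
        ("10.20.0.0/16", "10.0.0.0/8", "ipsec:headq"),         # conn headq
        ("10.0.0.0/8", "10.20.112.0/24", "ipsec:homeworker"),  # conn homeworker
    ]

def lookup(spd, src, dst):
    """Action of the first entry whose src and dst selectors both cover the packet."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in spd:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "none"  # no matching policy: plain routing

# Flows seen on GW's outbound path (constructed sample hosts).
FLOWS = {
    "office->headq":      ("10.20.0.5",   "10.0.0.1"),
    "homeworker->headq":  ("10.20.112.1", "10.0.0.1"),
    "headq->homeworker":  ("10.0.0.1",    "10.20.112.1"),
    "homeworker->office": ("10.20.112.1", "10.20.0.5"),
    "office->homeworker": ("10.20.0.5",   "10.20.112.1"),
    "gw->office":         ("10.20.16.1",  "10.20.0.5"),
}

def classify(spd):
    return {name: lookup(spd, s, d) for name, (s, d) in FLOWS.items()}

def fixed_spd():
    """More specific entries placed ahead of the broad /16 <-> /8 tunnel entry."""
    return [
        ("10.20.16.0/30",  "10.20.0.0/20",   "none"),             # GW -> office (as in the post)
        ("10.20.112.0/24", "10.20.0.0/20",   "none"),             # homeworker -> office, in the clear
        ("10.20.0.0/20",   "10.20.112.0/24", "ipsec:homeworker"), # office -> homeworker, into its tunnel
    ] + base_spd()

if __name__ == "__main__":
    for label, spd in (("current", base_spd()), ("specific entries first", fixed_spd())):
        print(label)
        for name, action in classify(spd).items():
            print(f"  {name:<20} -> {action}")
```

With the original order, homeworker->office and GW->office both fall into the headq tunnel, which is the misrouting the post describes; with the narrower entries evaluated first, only the flows that should reach headq do.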