[Openswan Users] Erouting

[Alexander Samad]

On Tue, Mar 23, 2004 at 11:04:48AM -0500, simprix wrote:
> I have a setup like this remote site A <--------> Main Office <-------->
> Remote Site B, I have the tunnel's all setup and working except i can't ping
> remote site b from remote site A and vice versa.
> 
> ive tried this and nothing ipsec eroute --add --eraf inet --src 10.0.0.0/8
> --dst 192.168.2.0/24 --af inet --edst 134.21593.94 --spi 0x135 --proto tun
> but nothing do i need to do this on the main office site or both im kinda
> new to the eroute thing
I might be over simplifing this but your are going to need 4 ipsec
connections or atleast the policy for tunnel site a <-> main office
needs to include site B's addressing.

Unless of course your NAT ing in the main office, my guess is not


then at Site a you would have

conn atomain
	leftsubnet=192.168.2.0/24
	rightsubnet=192.168.1.0/24

conn atob
	leftsubnet=192.168.2.0/24
	rightsubnet=10.0.0.0/8

Site b you would have

conn btomain
	leftsubnet=10.0.0.0/8
	rightsubnet=192.168.1.0/24

conn btoa
	leftsubnet=10.0.0.0/8
	rightsubnet=192.168.2.0/24

Main office

conn maintoa
	leftsubnet=192.168.1.0/24
	rightsubnet=192.168.2.0/24

conn maintoartb
	leftsubnet=10.0.0.0/24
	rightsubnet=192.168.2.0/24

conn maintob
	leftsubnet=192.168.1.0/24
	rightsubnet=10.0.0.0/8

conn maintobrta
	leftsubnet=192.168.2.0/24
	rightsubnet=10.0.0.0/8

Then you still need all the right routing in place as well.

> 
> 
> my ip address scheme is remote site A = 192.168.2.0/24, main site =
> 192.168.1.0/24, remote site b = 10.0.0.0/8
> 
> Thanks
> 
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20040324/94ea7247/attachment.bin