[Openswan Users]

John A. Sullivan III john.sullivan at nexusmgmt.com
Mon Oct 11 13:17:22 CEST 2004


On Mon, 2004-10-11 at 11:55, tomk at runbox.com wrote:
> For anyone in a rush, here's the question: If I set up a host-to-net
> VPN between Host A on Network A and all machines on Network B, does it
> only carry traffic with those particular source and destination
> parameters? Or can it also carry traffic originating from Host A and
> going to destinations beyond Network B?
> 
> If you have a bit more time, here's the background: I'm using Openswan
> to secure my wireless network, so I have my AP + Debian laptop on
> network 10.12.62.0/24, and my main network on 192.168.10.0/24. In the
> middle of those, I have IPCop 1.4.0, which includes Openswan, and I
> have also installed and configured Openswan on the laptop. IPCop is
> also connected to the internet, and internet access is functioning on
> both 10.12.62.0 and 192.168.10.0. Without the IPSec tunnel, the
> wireless network cannot access the main network - this is as intended.
> When I bring the tunnel up, the laptop CAN access the main network,
> but it CANNOT access the internet. So it seems that the tunnel will
> only carry traffic between the specified source and destination,
> whereas I expected (wrongly?) that it would also carry traffic
> originating from the laptop, passing through IPCop, and heading out to
> the internet.
> 
> Was my original expectation incorrect? If so, is there something I can
> do to enable all traffic from the laptop to use the tunnel?
<snip>
Yes, the tunnel will only carry what you tell it to carry.  If you've
only told it to carry traffic for 192.168.10.0/24, that's all it will
do.  If you want all traffic to flow through the tunnel, you could make
the target subnet 0.0.0.0/0.0.0.0 rather than 192.168.10.0/24.  I
believe that's how we did our GNOC setup as described in the training
slides on http://iscs.sourceforge.net.  Hope this helps - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
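The behaviour John describes is IPsec policy selection: a packet is only sent through the tunnel if its source and destination fall inside the tunnel's traffic selectors, and anything that matches no policy leaves the laptop in cleartext over the wireless link. The Python below is an added example, not code from the thread or from Openswan; it models a small, first-match-wins policy table for the setup in the question. The laptop address 10.12.62.50 and the IPCop wireless-side address 10.12.62.1 are assumptions (the thread gives only the /24 prefixes), and the first table entry stands in for the kernel's own exemption of IKE/ESP packets to the peer, which a real 0.0.0.0/0 policy must not swallow.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: laptop on 10.12.62.0/24, main LAN on
# 192.168.10.0/24, IPCop in between. Host addresses are assumed.
LAPTOP = "10.12.62.50"        # assumed laptop address
IPCOP_WIFI = "10.12.62.1"     # assumed IPCop address on the wireless side
MAIN_LAN = "192.168.10.0/24"  # stated in the thread


def build_spd(laptop, gateway, remote_subnet):
    """Ordered (src, dst, action) selectors; first match wins.

    The first entry models the stack's exemption for the tunnel's own
    IKE/ESP packets to the peer. Without it a 0.0.0.0/0 policy would
    try to encrypt the outer packets that carry the tunnel itself.
    """
    return [
        (ip_network(laptop + "/32"), ip_network(gateway + "/32"), "bypass"),
        (ip_network(laptop + "/32"), ip_network(remote_subnet), "ipsec"),
    ]


def classify(spd, src, dst):
    """Return the action applied to a packet from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    for src_sel, dst_sel, action in spd:
        if s in src_sel and d in dst_sel:
            return action
    return "cleartext"  # no policy matched: packet leaves unprotected


def compare(destinations):
    """Map each destination to (narrow-tunnel action, 0.0.0.0/0 action)."""
    narrow = build_spd(LAPTOP, IPCOP_WIFI, MAIN_LAN)
    everything = build_spd(LAPTOP, IPCOP_WIFI, "0.0.0.0/0")
    return {
        dst: (classify(narrow, LAPTOP, dst), classify(everything, LAPTOP, dst))
        for dst in destinations
    }


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for "the internet"
    for dst, (n, e) in compare(["192.168.10.5", "198.51.100.7", IPCOP_WIFI]).items():
        print(f"{dst:>14}  narrow={n:<9}  all-traffic={e}")
```

With the narrow selector the internet-bound packet is classified "cleartext", which is exactly why the laptop's web traffic was not reaching the internet through the tunnel and, more to the point for a wireless link, was never protected. In Openswan terms the widening John suggests is `rightsubnet=0.0.0.0/0` on the laptop's conn; the gateway side then has to route and NAT the decapsulated packets onward, which on IPCop is a separate setting this thread does not cover.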