[Openswan Users] Tricky routing question

John A. Sullivan III john.sullivan at nexusmgmt.com
Mon Sep 6 13:10:06 CEST 2004

On Mon, 2004-09-06 at 11:00, Ralf Guenthner wrote:
> > acceptable traffic and DROP all unallowed traffic.  For the allowed
> > traffic, routing will take over and pass the NetB traffic through the
> > tunnel to GwB.  As long as the reply packets are sent to GwB, GwB will
> > send them back to GwA which will send them back to the RW.  You will be
> I'm afraid this is where my know-how wears thin... Of course GwA already 
> has a route to NetB over interface ipsec0. Now let's say that an icmp 
> packet from a RW with DHCP-assigned source address arrives, 
> destined for an address on NetB. Does GwA route this packet into the 
> other tunnel for the site-to-site vpn automatically or do I have to set 
> up an additional tunnel between GwA and GwB for the RW-DHCP-net first?
It has been a while since I've done this but I believe you will need the
connection definition between RW-DHCP-net and NetB.  That will take care
of the routing issues between the gateways.  You will then need to make
sure that the end points send packets destined for RW-DHCP-net back
through GwB.  That will happen automatically if GwB is their default
> Phew..I'm beginning to think it would be more feasible for users and me 
> as the poor admin alike to put the RW certs on GwB and have them set up 
> a second connection definition in Sentinel... Wouldn't you agree?
No.  From my experience as a network architect and then as CTO/CIO, I am
a great believer in centralized control. The cost of management quickly
outstrips the cost of most technologies.  If you place the routing on
the gateways, you only configure it in two places.  If you place it on
the clients, you must configure it wherever you have a client.  What
happens when the configuration changes or you add another office or
subnet? The Sentinel configuration manager will help but I would still
rather minimize my configuration points.

You may also have a problem with DHCP-over-IPSec.  I believe Sentinel
restricts you to only one virtual interface.  That means you can use the
DHCP-over-IPSec connection for only one connection definition.  If you
have two, you will only be able to use DHCP-over-IPSec for one - or at
least, that's the way it used to work.

I suggest you invest in the learning curve to get the gateways
configured correctly and make the clients as simple as possible.  Of
course, that's just my opinion but I think it is well founded - John

John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
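
One way to express the "connection definition between RW-DHCP-net and NetB" that the reply above calls for, as an added ipsec.conf example that is not part of the thread and not from Openswan's own documentation. All addresses and subnet ranges are constructed placeholders (GwA 203.0.113.1, GwB 198.51.100.1, NetA 10.1.0.0/24, NetB 10.2.0.0/24, RW-DHCP-net 10.99.0.0/24), pre-shared-key authentication between the gateways is an assumption (certificates work the same way), and the road-warrior connection on GwA is left out:

```ini
# ipsec.conf fragment (constructed example). The same file can be installed
# on both GwA and GwB: Openswan works out which side is "left" by matching
# one of the gateway addresses to a local interface.

config setup
    interfaces=%defaultroute

# Gateway-to-gateway parameters shared by both tunnels. No auto= here, so
# this section by itself is never brought up; it only exists to be included.
conn gw-common
    left=203.0.113.1           # GwA public address (placeholder)
    leftnexthop=%defaultroute
    right=198.51.100.1         # GwB public address (placeholder)
    rightnexthop=%defaultroute
    authby=secret              # PSK lives in ipsec.secrets (assumed)

# Existing site-to-site tunnel: NetA <-> NetB.
conn neta-netb
    also=gw-common
    leftsubnet=10.1.0.0/24     # NetA (placeholder)
    rightsubnet=10.2.0.0/24    # NetB (placeholder)
    auto=start

# Additional definition for the road-warrior address pool: RW-DHCP-net <-> NetB.
# With this in place GwA has an IPsec policy that forwards packets from the
# road warriors on to GwB, and GwB accepts them and sends replies back to GwA.
# Hosts on NetB must still route 10.99.0.0/24 via GwB (default gateway or a
# static route) for the return path to work.
conn rwnet-netb
    also=gw-common
    leftsubnet=10.99.0.0/24    # RW-DHCP-net (placeholder)
    rightsubnet=10.2.0.0/24    # NetB (placeholder)
    auto=start
```

The split into a shared gw-common section and two subnet-only sections keeps the gateway addresses and authentication in one place, so adding a further office or subnet later means adding one more short conn section on the two gateways rather than touching every client, which is the centralized-control argument made in the reply.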
