[Openswan Users] Odd route problem

Tomasz Grzelak tgrzelak at wktpolska.com.pl
Mon Apr 11 10:05:16 CEST 2005


Gary W. Smith wrote:

>I've created separate cons for each one and it works (as expected) but I
>end up with 14 routes per site.  I guess the proper long term strategy
>would be to ensure that the ranges for each site setup based on
>different subnets.
>
I suggest a strategy based on dividing networks into subnets from 
different classes and aggregating routes. For example, use the 10.0.0.0 
class for ipsec networks and 172.16.0.0 for 'normal' traffic.
Then, if you create networks 10.40.0.0/16, 10.48.0.0/16, 10.56.0.0/16, 
you can aggregate them to 10.32.0.0/11 and use it to create a single 
conn in ipsec.conf (10.32.0.0 with the 255.224.0.0 mask covers the 
three example networks).

network:    |   second byte:  |   mask:
10.40.0.0   |   001 01000     |   255.255.0.0  (16 bits)
10.48.0.0   |   001 10000     |   255.255.0.0  (16 bits)
10.56.0.0   |   001 11000     |   255.255.0.0  (16 bits)
aggregate:
10.32.0.0   |   001 00000     |   255.224.0.0  (11 bits)


And, for example, if you have 172.16.0.0/16 and 172.20.0.0/16 networks 
for unencrypted traffic, they will not interfere with the ipsec networks.

Tomasz Grzelak

>Gary
>
>-----Original Message-----
>From: Tomasz Grzelak [mailto:tgrzelak at wktpolska.com.pl] 
>Sent: Sunday, April 10, 2005 10:55 PM
>To: Gary W. Smith; users at openswan.org
>Subject: Re: [Openswan Users] Odd route problem
>
>Gary W. Smith wrote:
>
>>Hello,
>>
>Hi!
>
>>I have a bunch of odd routes at one end of the tunnel that I would 
>>like to access with an ipsec tunnel but I have been running into
>>problems.
>
>>I have a couple different subnets on the server side 10.0.0.0/24, 
>>10.0.8.0/24, 10.1.0.0/16 and 10.0.2.0/24. The network that I'm trying 
>>to connect up is 10.0.12.0/24. I added 10.0.0.0/8 to the .conf file 
>>and was able to establish the connection from the server and ping to 
>>the remote network but once I do that all of my requests for the local
>>network are going through the tunnel. This seems to be an expected 
>>side effect of the 10.0.0.0/8.
>>
>>Shouldn't ipsec see the 10.0.12.0/24 as a local network?
>>
>No, it shouldn't. A subnet 10.0.0.0/8 is something like an aggregate 
>route for the networks above, and it covers all of your networks because
>of the 255.0.0.0 mask. Define different conns for your networks with the
>255.255.255.0 mask, leaving the 10.0.12.0/24 subnet.
>
>Tomasz Grzelak
>


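The two pieces of advice in this thread (a wide aggregate such as 10.0.0.0/8 or 10.32.0.0/11 selects everything under it into the tunnel, so either choose aggregates that do not cover the local LANs or write one conn per subnet) can be checked mechanically before touching ipsec.conf. The following script is an added example written for this page; it is not from the thread or from the Openswan project. It uses only the subnets quoted above; the gateway addresses in the generated conn skeleton are placeholders (RFC 5737 documentation ranges), and the conn names are invented.

```python
"""Route-aggregation checks for planning Openswan conns.

Added example, not code from the mailing-list thread or from Openswan.
Subnets are the ones quoted in the thread; gateway addresses are placeholders.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def nets(prefixes: Iterable[str]) -> List[IPv4Net]:
    """Parse prefix strings strictly (host bits must be zero)."""
    return [ipaddress.ip_network(p) for p in prefixes]


def covering_supernet(prefixes: Iterable[str]) -> IPv4Net:
    """Smallest single prefix that contains every given subnet.

    Widens the first subnet one bit at a time until all the others fit.
    This is the 'aggregate' the thread describes:
    10.40/16, 10.48/16, 10.56/16 -> 10.32.0.0/11.
    """
    members = nets(prefixes)
    if not members:
        raise ValueError("need at least one subnet")
    candidate = members[0]
    while not all(n.subnet_of(candidate) for n in members):
        candidate = candidate.supernet()  # drop one prefix bit
    return candidate


def uncovered(supernet: IPv4Net, prefixes: Iterable[str]) -> List[IPv4Net]:
    """Address space inside `supernet` that belongs to none of the members.

    A conn written for the aggregate also sends this traffic into the
    tunnel, which is how 10.0.0.0/8 captured the local LANs in the thread.
    """
    leftover = [supernet]
    for member in nets(prefixes):
        remaining = []
        for piece in leftover:
            if piece.subnet_of(member):
                continue  # piece is fully inside a member: consumed
            if member.subnet_of(piece):
                remaining.extend(piece.address_exclude(member))  # carve out
            else:
                remaining.append(piece)
        leftover = remaining
    return sorted(ipaddress.collapse_addresses(leftover))


def overlapping(prefixes: Iterable[str], other: str) -> List[IPv4Net]:
    """Which of `prefixes` share address space with `other`?"""
    target = ipaddress.ip_network(other)
    return [n for n in nets(prefixes) if n.overlaps(target)]


def ipsec_conns(name: str, local_prefixes: Iterable[str], remote_prefix: str,
                left: str = "192.0.2.1", right: str = "198.51.100.1") -> str:
    """Render one Openswan conn per local subnet instead of one aggregate.

    `left`/`right` are placeholder gateway addresses, not from the thread.
    """
    blocks = []
    for i, local in enumerate(nets(local_prefixes), start=1):
        blocks.append(
            f"conn {name}-{i}\n"
            f"\tleft={left}\n"
            f"\tleftsubnet={local}\n"
            f"\tright={right}\n"
            f"\trightsubnet={remote_prefix}\n"
            f"\tauto=add\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    SERVER_SIDE = ["10.0.0.0/24", "10.0.8.0/24", "10.1.0.0/16", "10.0.2.0/24"]
    REMOTE = "10.0.12.0/24"

    agg = covering_supernet(SERVER_SIDE)
    print("tightest aggregate of the server-side LANs:", agg)   # 10.0.0.0/15
    print("does it still cover the remote?", overlapping([str(agg)], REMOTE))
    print("per-subnet conns overlapping the remote:", overlapping(SERVER_SIDE, REMOTE))  # []

    three = ["10.40.0.0/16", "10.48.0.0/16", "10.56.0.0/16"]
    agg3 = covering_supernet(three)                               # 10.32.0.0/11
    print("aggregate", agg3, "also selects:", [str(n) for n in uncovered(agg3, three)])
    print("unencrypted 172.16/16, 172.20/16 vs aggregate:",
          overlapping(["172.16.0.0/16", "172.20.0.0/16"], str(agg3)))  # []

    print(ipsec_conns("site", SERVER_SIDE, REMOTE))
```

Run against the server-side subnets from the thread, even the tightest aggregate (10.0.0.0/15) still contains 10.0.12.0/24, which is why per-subnet conns are the only option there, while the 10.40/16, 10.48/16, 10.56/16 plan aggregates to 10.32.0.0/11 without touching the 172.16.0.0 ranges; the `uncovered` output lists the spare 10.32.0.0/11 space that such a conn would also pull into the tunnel.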
