[Openswan Users] Odd route problem
Tomasz Grzelak
tgrzelak at wktpolska.com.pl
Mon Apr 11 10:05:16 CEST 2005
Gary W. Smith wrote:
>I've created separate cons for each one and it works (as expected) but I
>end up with 14 routes per site. I guess the proper long term strategy
>would be to ensure that the ranges for each site setup based on
>different subnets.
>
I suggest a strategy based on dividing networks into subnets from
different classes and aggregating routes. For example, use the 10.0.0.0
class for ipsec networks, and 172.16.0.0 for 'normal' traffic.
Then, if you create networks 10.40.0.0/16, 10.48.0.0/16, 10.56.0.0/16,
you can aggregate them to 10.32.0.0/11, and use it to create a single
conn in the ipsec.conf (10.32.0.0 with the 255.224.0.0 mask covers the
three example networks).
network:   | second byte: | mask:
10.40.0.0  | 001 01000    | 255.255.0.0 (16 bits)
10.48.0.0  | 001 10000    | 255.255.0.0 (16 bits)
10.56.0.0  | 001 11000    | 255.255.0.0 (16 bits)
aggregate:
10.32.0.0  | 001 00000    | 255.224.0.0 (11 bits)
And, for example, if you have 172.16.0.0/16 and 172.20.0.0/16 networks
for unencrypted traffic, they will not interfere with the ipsec networks.
Tomasz Grzelak
>Gary
>
>-----Original Message-----
>From: Tomasz Grzelak [mailto:tgrzelak at wktpolska.com.pl]
>Sent: Sunday, April 10, 2005 10:55 PM
>To: Gary W. Smith; users at openswan.org
>Subject: Re: [Openswan Users] Odd route problem
>
>Gary W. Smith wrote:
>
>>Hello,
>>
>Hi!
>
>>I have a bunch of odd routes at one end of the tunnel that I would
>>like to access with an ipsec tunnel but I have been running into
>>problems.
>>
>>I have a couple different subnets on the server side 10.0.0.0/24,
>>10.0.8.0/24, 10.1.0.0/16 and 10.0.2.0/24. The network that I'm trying
>>to connect up is 10.0.12.0/24. I added 10.0.0.0/8 to the .conf file
>>and was able to establish the connection from the server and ping to
>>the remote network but once I do that all of my requests for the local
>>network are going through the tunnel. This seems to be an expected
>>side effect of the 10.0.0.0/8.
>>
>>Shouldn't ipsec see the 10.0.12.0/24 as a local network?
>>
>No, it shouldn't. A subnet 10.0.0.0/8 is something like an aggregate
>route for the networks above, and it covers all of your networks because
>of the 255.0.0.0 mask. Define different conns for your networks with the
>255.255.255.0 mask, leaving the 10.0.12.0/24 subnet.
>
>Tomasz Grzelak
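A worked version of the aggregation rule from both messages above (the 10.32.0.0/11 supernet covering the three /16s, and why a 10.0.0.0/8 rightsubnet swallows Gary's local subnets), added here as an example; it is not code from the thread or from Openswan. The subnets are the ones quoted in the thread; the conn names and the output format of render_conns are illustrative assumptions, and the generated stanzas carry only the subnet lines, not endpoint or key settings.

```python
"""Plan leftsubnet values for Openswan conns: use one aggregate supernet
when it stays clear of the other side's subnets, otherwise fall back to
one conn per local subnet.

Added example, not part of the original thread or of Openswan.
Subnets are the ones quoted in the thread; conn names and the render
format are illustrative assumptions.
"""

import ipaddress
from typing import List, Sequence


def aggregate_supernet(prefixes: Sequence[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every prefix given.

    Starts from the first prefix and widens the mask one bit at a time
    until all prefixes fit; for 10.40/16, 10.48/16, 10.56/16 this stops
    at 10.32.0.0/11 (255.224.0.0), the aggregate in the post's table.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # drop one mask bit
    return candidate


def second_octet_bits(prefix: str) -> str:
    """Second octet in binary, the column the post's table shows."""
    net = ipaddress.ip_network(prefix)
    return format((int(net.network_address) >> 16) & 0xFF, "08b")


def overlapping(prefix: str, others: Sequence[str]) -> List[ipaddress.IPv4Network]:
    """Prefixes in `others` that overlap `prefix` (any shared address)."""
    net = ipaddress.ip_network(prefix)
    return [o for o in map(ipaddress.ip_network, others) if net.overlaps(o)]


def plan_leftsubnets(local: Sequence[str], remote: Sequence[str]) -> List[str]:
    """One aggregate leftsubnet if it overlaps no remote subnet.

    If the aggregate would also cover a remote subnet, as 10.0.0.0/8 does
    for 10.0.12.0/24 in Gary's layout, traffic for that subnet would no
    longer be distinguishable, so fall back to one entry per local subnet
    (adjacent ones merged by collapse_addresses).
    """
    agg = aggregate_supernet(local)
    if overlapping(str(agg), remote):
        collapsed = ipaddress.collapse_addresses(map(ipaddress.ip_network, local))
        return [str(n) for n in collapsed]
    return [str(agg)]


def render_conns(name: str, leftsubnets: Sequence[str], rightsubnet: str) -> str:
    """Subnet lines of one ipsec.conf conn per leftsubnet (assumed naming
    scheme name-1, name-2, ...); endpoint and key settings are omitted."""
    stanzas = []
    for i, ls in enumerate(leftsubnets, 1):
        stanzas.append(
            f"conn {name}-{i}\n"
            f"    leftsubnet={ls}\n"
            f"    rightsubnet={rightsubnet}\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    # Tomasz's layout: three /16s aggregate cleanly away from the 172.16 space.
    site = ["10.40.0.0/16", "10.48.0.0/16", "10.56.0.0/16"]
    clear = ["172.16.0.0/16", "172.20.0.0/16"]
    for p in site + [str(aggregate_supernet(site))]:
        print(f"{p:16} second byte {second_octet_bits(p)}")
    print(render_conns("site", plan_leftsubnets(site, clear), clear[0]))

    # Gary's layout: the aggregate (and certainly 10.0.0.0/8) collides with
    # the remote 10.0.12.0/24, so one conn per local subnet is needed.
    gary_local = ["10.0.0.0/24", "10.0.8.0/24", "10.1.0.0/16", "10.0.2.0/24"]
    print("10.0.0.0/8 overlaps:", overlapping("10.0.0.0/8", gary_local))
    print(render_conns("gary", plan_leftsubnets(gary_local, ["10.0.12.0/24"]), "10.0.12.0/24"))
```

The check to run before widening any subnet in ipsec.conf is the overlapping() one: a leftsubnet or rightsubnet that also covers an address range on the same side of the tunnel silently reroutes that range through the tunnel, which is exactly the symptom in Gary's first message.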