[Openswan Users] Routing between tunnels

Paul Wouters paul at xelerance.com
Wed Aug 10 23:50:47 CEST 2005


On Wed, 10 Aug 2005, Alaa Dalghan wrote:

> I have 2 windows XP clients (laptops) and one OpenS/WAN 2.3.1 gateway. I have 
> created a tunnel (roadwarrior connection) from each client to the gateway and 
> everything works fine.
>
>
> client A (WindowsXP)---------------Gateway G (OpenS/WAN)---------------client B (WindowsXP)
>
> Now i want to exchange data between the two clients without having to build a 
> dedicated tunnel between them; that is, i want the data intended  from A to B 
> to travel encrypted via the following path:
>
>      A-------------------------->S---------------------------->B
>                ESP packets                    ESP packets
>
> and i want the gateway to perform the necessary routing of ESP envelopes. The 
> problem is that this is not a classical routing problem since the gateway has 
> to "route between tunnel interfaces".
>
> Can anyone please help me?

You can do this by tunneling an IP address onto the laptops and using that
as the default outgoing IP address. So on the client, you would need the
equivalent of:

 	left=%defaultroute
 	leftsubnet=a.b.c.d/32
 	right=YourGw
 	rightsubnet=0.0.0.0/0

then convince your machine to use a.b.c.d as the default IP. For Linux this
can be done with the 'ip' command (something like 'ip route add 0.0.0.0 src a.b.c.d')

For Windows, it is probably easier to set up IPsec using L2TP. Then L2TP
assigns an IP address and it will be used by default, therefore encrypting it
all.

Be aware that the extruded/L2TP's IP address should not be in the same network
range as the regular DHCP'd IP address.

Paul
-- 

"With Data mining, we can search specifically for clues"

--- The AIVD (The Dutch NSA) on the necessity of ISP's data retention
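As an added illustration of the setup Paul describes (this is not from the original thread and not Openswan's own sample config), here is how the gateway and one Linux client would be configured so that the gateway re-encrypts traffic between two roadwarriors. All addresses, certificate DNs and conn names are assumptions: the gateway is 192.0.2.1, client A is given the extruded address 10.99.0.1/32 and client B 10.99.0.2/32, and authentication is by X.509 certificates. The gateway's conns are the mirror image of the client conn from the reply above: each client's /32 sits behind the tunnel, and the gateway offers 0.0.0.0/0 to it.

```ini
# ---- Gateway G (Openswan), /etc/ipsec.conf ----
# Example values, not from the original post: gateway 192.0.2.1,
# extruded addresses 10.99.0.1 (client A) and 10.99.0.2 (client B).
config setup
        interfaces=%defaultroute

conn %default
        authby=rsasig
        leftrsasigkey=%cert      # assumption: X.509 certs on all three hosts
        rightrsasigkey=%cert

conn gw-common
        left=192.0.2.1
        leftcert=gateway.pem
        leftsubnet=0.0.0.0/0     # G offers "everything" to each roadwarrior
        right=%any               # laptops roam, so their outer IP is unknown
        auto=add

conn client-A
        also=gw-common
        rightid="C=NL, O=Example, CN=clientA"
        rightsubnet=10.99.0.1/32 # A's inside address lives behind this tunnel

conn client-B
        also=gw-common
        rightid="C=NL, O=Example, CN=clientB"
        rightsubnet=10.99.0.2/32

# ---- Client A (Linux), /etc/ipsec.conf ----
conn to-gw
        authby=rsasig
        left=%defaultroute
        leftcert=clientA.pem
        leftrsasigkey=%cert
        leftsubnet=10.99.0.1/32  # the address A sources all traffic from
        right=192.0.2.1
        rightid="C=NL, O=Example, CN=gateway"
        rightrsasigkey=%cert
        rightsubnet=0.0.0.0/0    # send everything, including 10.99.0.2, via G
        auto=start
```

With IP forwarding enabled on G, a packet from A to B arrives as ESP, is decrypted to inner src 10.99.0.1 / dst 10.99.0.2, is forwarded, matches the outbound policy of conn client-B (0.0.0.0/0 -> 10.99.0.2/32) and leaves as ESP towards B; no A-to-B tunnel is negotiated. On a Linux client the extruded address still has to exist and be the source of outgoing packets, for instance (again an illustration, assuming eth0 and a LAN router at 192.168.1.1) `ip addr add 10.99.0.1/32 dev lo` followed by `ip route change default via 192.168.1.1 dev eth0 src 10.99.0.1`. Windows clients would get their /32 from L2TP instead, as the reply says. Two checks worth doing: the 10.99.0.0/24 range must not overlap any LAN the laptops get DHCP addresses from, and G must not carry a plain route for 10.99.0.0/24 that would send those packets out in the clear instead of into the IPsec policies.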

