[Openswan Users] route to a second subnet behind the gate?
Paul Wouters
paul at xelerance.com
Tue Aug 23 23:14:18 CEST 2005
On Tue, 23 Aug 2005, Walter Wickersham wrote:
> You mean something like
> (presuming the remote net is 10.1.0.0/24 and the one you want to route through it is 10.1.10.0/24)
>
> something like this _should_ work
> ip route add 10.1.10.0/24 via 10.1.0.1
No. Without the proper IPsec policies in the kernel, those packets should and
will be dropped.
If you have:
    conn foo
        left=a.b.c.d
        right=e.f.g.h
        rightsubnet=10.1.0.0/24
And you want to add another subnet behind right, you add a new conn:
    conn foo2
        left=a.b.c.d
        right=e.f.g.h
        rightsubnet=10.1.10.0/24
Since left and right are the same for foo and foo2, openswan will re-use
the phase1 of foo for foo2, and just add another phase2 for the other subnet.
> I'm pretty sure you can specify a left/right updown script in your openswan config to run this for you when you connect (although I'd do it by hand first, to make sure it has the desired effect)
If you'd try that, all your packets will be dropped, because there is no
kernel IPsec policy for the second subnet.
Paul
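An added illustration of the point in the reply above (example code, not from the thread or from Openswan): a toy parser that reads the two conns, groups them by left/right pair to show which conns share a phase1, and reports whether a given packet is covered by a subnet policy or would be dropped. The endpoint addresses, the leftsubnet and the `also=` shorthand are constructed assumptions, and the `also=` handling is a simplification of ipsec.conf semantics.

```python
import ipaddress
import re
# Constructed ipsec.conf: the two conns from the thread, with hypothetical endpoint
# addresses and a leftsubnet added so each policy has a local side.
IPSEC_CONF = """\
conn foo
    left=192.0.2.1
    leftsubnet=192.168.1.0/24
    right=198.51.100.1
    rightsubnet=10.1.0.0/24
conn foo2
    also=foo
    rightsubnet=10.1.10.0/24
"""
def parse_conns(text):
    """Parse 'conn NAME' sections; also= is resolved by inheriting the named conn's keys (simplified)."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    resolved = {}
    for name, params in conns.items():
        merged = dict(conns.get(params.get("also", ""), {}))  # parent keys first
        merged.update(params)                                  # own keys win
        merged.pop("also", None)
        resolved[name] = merged
    return resolved

def phase1_groups(conns):
    """Group conns by (left, right): each group shares one phase1 (IKE SA), one phase2 per conn."""
    groups = {}
    for name, p in conns.items():
        groups.setdefault((p["left"], p["right"]), []).append(name)
    return groups

def policy_for(conns, src_ip, dst_ip):
    """Name of the conn whose subnet pair covers src->dst, or None: no policy, packet is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, p in conns.items():
        if src in ipaddress.ip_network(p["leftsubnet"]) and dst in ipaddress.ip_network(p["rightsubnet"]):
            return name
    return None
```

With only `foo` loaded, a packet for 10.1.10.5 gets `None` (no policy, so it would be dropped as the reply says); once `foo2` is present the same packet is matched by `foo2` under the shared phase1.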