[Openswan Users] Problem with host reachability when ipsec tunnel is operational

Greg McGuire greg at greganem.com
Wed Jul 20 18:01:50 CEST 2005


Hello --

> If you are creating 'overlapping' networks, eg by having 10.0.0.0/8 on one
> end, and 10.0.x.0/24 on another end, then with KLIPS this worked but with
> NETKEY you will need extra passthrough connections to make it work.

This is exactly the issue I am having, but cannot seem to make the
passthrough connection work.  Could I ask to be pointed to an
example, or more information about this (or a link to TFM)?

My network topology is like this:

10.0.0.0/8   <------> 10.x.0.0/16
10.254.0.1               10.x.0.1
core gateway          remote gateway(s) running NAT

All systems are running openswan 2.2 on Debian (Sarge) with kernel
2.6.8.  The "core" gateway is working fine, and can route to all of
the "remote" gateways perfectly using openswan.  However, when I
bring up openswan on the remote gateway it swallows all of
10.0.0.0/8, and does not exclude the class 16 as (I believe) it
should.  This means that the remote gateway cannot talk to any
machine on its own subnet; those packets appear on the external
interface instead.  As there are no routes doing this, I assume
openswan is grabbing them.

My remote gateway's ipsec.conf:

conn to_core
     type=tunnel
     left=MY_EXTERNAL_IP
     leftsubnet=10.3.0.0/16
     leftnexthop=%defaultroute
     right=CORE_EXTERNAL_IP
     rightsubnet=10.0.0.0/8
     rightnexthop=%defaultroute
     spibase=0x200
     esp=3des-md5-96
     keyexchange=ike
     pfs=yes
     auth=esp
     auto=start
     authby=secret
     ikelifetime=8h
     keylife=8h

My remote gateway's routing table:

remote:/# ip route show
MY_EXTERNAL_IP/22 dev eth0  proto kernel  scope link  src MY_EXTERNAL_IP
10.3.0.0/16 dev eth1  proto kernel  scope link  src 10.3.0.1
10.0.0.0/8 via MY_NEXT_HOP dev eth0
default via MY_NEXT_HOP dev eth0

Thanks,
Greg
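The kind of "extra passthrough connection" the quoted reply refers to, written as an added ipsec.conf example for the remote gateway above (this is not configuration from the original post or from the Openswan project). It assumes the same placeholders as the post (MY_EXTERNAL_IP, CORE_EXTERNAL_IP, leftsubnet 10.3.0.0/16) and uses the documented ipsec.conf(5) keywords `type=passthrough`, `authby=never` and `auto=route`; the `right=0.0.0.0` value is an assumption (a dummy peer, since no peer is involved in a passthrough policy) and should be checked against the ipsec.conf(5) man page of the installed Openswan version.

```conf
# Added example, not from the original post. Placeholders as in the post.

# The existing tunnel: local /16 <-> the whole 10/8 at the core.
# Because 10.3.0.0/16 is inside 10.0.0.0/8, this policy alone also
# captures traffic from the gateway to its own LAN.
conn to_core
     type=tunnel
     left=MY_EXTERNAL_IP
     leftsubnet=10.3.0.0/16
     leftnexthop=%defaultroute
     right=CORE_EXTERNAL_IP
     rightsubnet=10.0.0.0/8
     rightnexthop=%defaultroute
     esp=3des-md5-96
     keyexchange=ike
     pfs=yes
     auth=esp
     auto=start
     authby=secret
     ikelifetime=8h
     keylife=8h

# Passthrough exception for the local subnet itself: installs a
# narrower (and therefore higher-precedence) kernel policy that says
# "local /16 to local /16 is NOT IPsec", so those packets stay in the
# clear on eth1 instead of being encapsulated toward the core.
conn local_passthrough
     type=passthrough
     authby=never          # no IKE, no peer authentication
     left=MY_EXTERNAL_IP
     leftsubnet=10.3.0.0/16
     right=0.0.0.0         # assumption: dummy peer address for a passthrough conn
     rightsubnet=10.3.0.0/16
     auto=route            # install the policy at startup, no negotiation
```

After reloading, `ip xfrm policy show` on the remote gateway should list a policy for `src 10.3.0.0/16 dst 10.3.0.0/16` with no `tmpl ... proto esp` line attached, in addition to the `10.3.0.0/16 -> 10.0.0.0/8` policy that carries the ESP template; if only the latter appears, the passthrough conn was not loaded. A quick functional check is to ping a host on 10.3.0.0/16 from the gateway while capturing on eth0: with the exception in place, no ESP packets for that destination should leave the external interface.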
