[Openswan Users] road-warrior gateway

Randy B randy at pillowfactory.org
Thu Jun 9 23:24:46 CEST 2005


> ipsec.conf
> ========
> conn mycon
>         left=200.105.a.b
>         leftnexthop=%defaultroute
>         leftsubnet=200.105.a.b/32            #(same as my public IP)
>         right=151.193.130.z
>         rightnexthop=%defaultroute
>         rightsubnet=151.193.141.0/24
>         pfs=no
>         auto=start
> 

This doesn't really look like a roadwarrior setup at all; you've
strictly defined the IP on both sides.  Typically a roadwarrior setup
(from the gateway) looks like a strict left IP and a very open/no right
IP.  What this really smells like to me is a net-to-net tunnel that
you're wanting to do.  I'm assuming the right (the concentrator, your
destination) doesn't know anything about your network on your side.  In
that case, nothing on the Cisco side can initiate a connection to
something inside your network, but as long as you do S-NAT on your Linux
box, the stuff in your network *should* be able to connect to stuff on
the Cisco side.

Simplify your case - say you've a private home network that connects to
your ISP via a gateway NAT box.  Anything that wants to get out sends
its traffic to the gateway, which does a S-NAT mangle on it and sends
it to its default route, which happens to be the gateway the ISP has
provided out of their network; return traffic traverses your NAT tables
and gets back to the initiating client, but no 'new' connections can get
in.  The only basic difference between that and what it seems you're
trying to do is that you're going to add a route to your NAT box to
route all traffic to the network behind the PIX through another gateway
that just happens to be through an encrypted tunnel.  Being that you
seem to be using AF_KEY, adding a simple route should do the trick - the
kernel will do the rest.

	route add 151.193.141.0/24 gw 151.193.130.z

The above *should* work, assuming you're not doing anything funky and
are doing simple, standard NAT.

Any of you IPsec/networking gurus out there feel free to step in and
smack some sense into me!

RB
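The NAT half of the recipe above, written out as an added example (not from the thread or from Openswan): LAN hosts are SNATed to the gateway's public IP so the inner source address equals the /32 given as leftsubnet, and a guard refuses a SNAT address that does not match it, since such packets would match no IPsec policy and leave the box in the clear. It assumes a Linux NETKEY kernel that re-evaluates the IPsec policy after NAT, and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses are constructed
# placeholders (RFC 5737 ranges), not the thread's real ones.
set -e

DRY_RUN=${DRY_RUN:-1}          # set DRY_RUN=0 on the real gateway to apply the rules
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Traffic from the LAN toward the remote subnet: rewrite the source to the
# address the peer expects to see (the host in leftsubnet). Inserted at
# position 1 so it is matched before any generic MASQUERADE rule.
snat_for_tunnel() {
    lan=$1; public_ip=$2; remote_net=$3
    run iptables -t nat -I POSTROUTING 1 -s "$lan" -d "$remote_net" -j SNAT --to-source "$public_ip"
}

# Everything else from the LAN leaves via the default route as ordinary NAT.
nat_for_internet() {
    lan=$1; ext_if=$2
    run iptables -t nat -A POSTROUTING -s "$lan" -o "$ext_if" -j MASQUERADE
}

# Guard: the SNAT address must be exactly the host named in leftsubnet,
# otherwise the rewritten packets fall outside the tunnel's policy.
snat_matches_leftsubnet() {
    public_ip=$1; leftsubnet=$2
    [ "${leftsubnet%/32}" = "$public_ip" ]
}

LAN=192.168.1.0/24             # assumed private network behind the gateway
PUBLIC_IP=203.0.113.5          # gateway's public address (left=)
LEFTSUBNET=203.0.113.5/32      # leftsubnet= as in the quoted conn
REMOTE_NET=198.51.100.0/24     # rightsubnet= behind the PIX
EXT_IF=eth0

snat_matches_leftsubnet "$PUBLIC_IP" "$LEFTSUBNET" || {
    echo "SNAT address does not match leftsubnet; tunnel traffic would not match the policy" >&2
    exit 1
}
snat_for_tunnel "$LAN" "$PUBLIC_IP" "$REMOTE_NET"
nat_for_internet "$LAN" "$EXT_IF"
```

With DRY_RUN left at its default the script only prints the rules it would install, which is a convenient way to review them before touching a live gateway.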

