[Openswan Users] Tunnel to 0.0.0.0/0 except some addresses
Paul Wouters
paul at xelerance.com
Sun Nov 27 20:50:39 CET 2005
On Sun, 27 Nov 2005, Markus wrote:
> localnet1 -----\                                 /----- localnet3
>                 router1 ---(untrusted)--- router2
> localnet2 -----/                                 \----- Internet
>
> I have set up a tunnel between localnet1+localnet2 to 0.0.0.0/0. That works
> nearly perfectly, I can reach localnet3 and the Internet without problems from
> localnet1/2. But I cannot reach localnet2 from localnet1 as (I think)
> router1 sends everything from localnet1 to router2 (which is not acceptable
> as the connection between router1 and router2 is very slow). I think that I
> need a tunnel which says "to 0.0.0.0/0 except localnet2" or a route on
> router1 which overwrites the ipsec-routes (eroute?). Is that right? How can
> I do this?
I assume you are using netkey, because with klips this should work fine.
For netkey, you need on router1:
conn pass-localnet1
        left=ip-router1
        right=ip-router3
        leftsubnet=localnet1/mask
        rightsubnet=localnet2/mask
        # passthrough: traffic matching these subnets bypasses IPsec
        type=passthrough
        # install the kernel policy at startup, no IKE negotiation needed
        auto=route
        authby=never
That should exclude packets between localnet1 and localnet2 from NETKEY.
Paul
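Added example (not part of the thread): a small checker that reads the output of `ip xfrm policy show` on router1 and reproduces how the NETKEY/XFRM kernel picks a policy, so you can confirm the passthrough conn really wins over the 0.0.0.0/0 tunnel policy. The sample output and all addresses (10.1.0.0/24 for localnet1, 10.2.0.0/24 for localnet2, 192.0.2.x for the routers) are constructed placeholders.

```python
import ipaddress

# Constructed sample of `ip xfrm policy show` output on router1 after both
# conns are loaded. The passthrough policy has no "tmpl" line (no SA is
# applied), and its lower priority number means the kernel prefers it.
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
\tdir out priority 2080
src 10.1.0.0/24 dst 0.0.0.0/0
\tdir out priority 2344
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 16389 mode tunnel
"""


def parse_policies(text):
    """Parse `ip xfrm policy show` text into a list of policy dicts."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "src" and not line[:1].isspace():
            # top-level selector line: "src A/len dst B/len"
            policies.append({"src": ipaddress.ip_network(fields[1]),
                             "dst": ipaddress.ip_network(fields[3]),
                             "tmpl": False})
        elif fields[0] == "dir":
            policies[-1]["dir"] = fields[1]
            policies[-1]["priority"] = int(fields[3])
        elif fields[0] == "tmpl":
            # a template means matching traffic is handed to an IPsec SA
            policies[-1]["tmpl"] = True
    return policies


def lookup(policies, src_ip, dst_ip, direction="out"):
    """Return the policy the kernel would apply: among all matching
    selectors, the lowest priority number wins (more specific = lower)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matching = [p for p in policies
                if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(matching, key=lambda p: p["priority"]) if matching else None


def passthrough_effective(policies, src_ip, dst_ip):
    """True when src->dst bypasses IPsec (winning policy has no template)."""
    chosen = lookup(policies, src_ip, dst_ip)
    return chosen is not None and not chosen["tmpl"]
```

Run it against the real `ip xfrm policy show` output on router1 to check that localnet1 to localnet2 traffic is selected by the passthrough policy while everything else still lands on the tunnel policy.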