[Openswan Users] Tunnel to 0.0.0.0/0 except some addresses

Markus Meissner markus.meissner at meissner.IT
Mon Nov 28 12:35:31 CET 2005


Paul Wouters <mailto:paul at xelerance.com> wrote:
> On Sun, 27 Nov 2005, Markus wrote:
>> I have setup a tunnel between localnet1+localnet2 to 0.0.0.0/0. That
>> works nearly perfect, I can reach localnet3 and the Internet without
>> problems from localnet1/2. But I cannot reach localnet2 from localnet1
>> as (I think) router1 sends everything from localnet1 to router2 (which
>> is not acceptable as the connection between router1 and router2 is very
>> slow). I think that I need a tunnel which says "to 0.0.0.0/0 except
>> localnet2" or a route on router1 which overwrites the ipsec-routes
>> (eroute?). Is that right? How can I do this?
> 
> I assume you are using netkey, because with klips this should work fine.
> For netkey, you need on router1:
> 
> conn pass-localnet1
> 	left=ip-router1
> 	right=ip-router3
> 	leftsubnet=localnet1/mask
> 	rightsubnet=localnet2/mask
> 	type=passthrough
> 	auto=route
> 	authby=never
> 
> that should exclude packets from NETKEY between localnet1 and localnet2

Thanks for the quick answer! Yes, I am using the kernel native ipsec
implementation. The conn described sounds good, but I didn't get any packets
routed with it. I think I have to fill the example with real-life numbers to
get it:

localnet1 =
192.168.12.0/27  eth0 (192.168.12.30) -\                         /----- localnet3
                      router1 eth1 (192.168.12.158) --- router2 (192.168.12.145)
192.168.12.32/27 eth2 (192.168.12.62) -/                         \----- Internet

So I have the following connections (Removed the auth-params via cert from
sr1-sr2):
conn sr1-sr2
        left=192.168.12.145
        leftsubnet=0.0.0.0/0
        right=192.168.12.158
        rightsubnet=192.168.12.0/26
        auto=start

conn pass-localnet1
        left=192.168.12.158
        right=192.168.12.145
        leftsubnet=192.168.12.0/27
        rightsubnet=192.168.12.32/27
        type=passthrough
        auto=route
        authby=never

I have tried to make one connection for each of localnet1/2 and an extra
connection pass-localnet2, but none of it works. After starting ipsec I
cannot ping any host in localnet1/2 from the gateway, and after stopping it the
routes to localnet1/2 are gone. I bet it's only a short way to the
finish...

-- 
Beste Grüße / best regards Markus Meissner
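Added illustration, not part of the thread and not Openswan code: a simplified model of router1's outbound policy lookup, built from the two conns posted above. It assumes the usual rule that the most specific selector wins, and shows why a passthrough conn between localnet1 and localnet2 carves those flows out of the 0.0.0.0/0 tunnel while traffic to the Internet still goes through sr1-sr2. The host addresses used as sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    conn: str     # the Openswan conn this selector comes from
    src: str      # source selector (CIDR)
    dst: str      # destination selector (CIDR)
    action: str   # "ipsec" = send through the tunnel, "passthrough" = send in the clear


# Constructed outbound policy set for router1, derived from the two conns in the
# message above (not a kernel dump). sr1-sr2 is written from router1's side:
# its own subnet is 192.168.12.0/26 and the far side is 0.0.0.0/0.
ROUTER1_OUT = [
    Policy("sr1-sr2",        "192.168.12.0/26",  "0.0.0.0/0",        "ipsec"),
    Policy("pass-localnet1", "192.168.12.0/27",  "192.168.12.32/27", "passthrough"),
    Policy("pass-localnet1", "192.168.12.32/27", "192.168.12.0/27",  "passthrough"),
]


def specificity(p: Policy) -> int:
    """Longer prefixes on both selectors make a policy more specific (assumed rule)."""
    return ip_network(p.src).prefixlen + ip_network(p.dst).prefixlen


def lookup(spd, src: str, dst: str):
    """Most specific policy whose selectors cover src -> dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in spd if s in ip_network(p.src) and d in ip_network(p.dst)]
    return max(hits, key=specificity) if hits else None


def decide(spd, src: str, dst: str) -> str:
    """'ipsec', 'passthrough', or 'no-policy' (plain routing applies)."""
    p = lookup(spd, src, dst)
    return p.action if p else "no-policy"


if __name__ == "__main__":
    flows = [("192.168.12.5", "192.168.12.40"),   # localnet1 -> localnet2
             ("192.168.12.40", "192.168.12.5"),   # localnet2 -> localnet1
             ("192.168.12.5", "198.51.100.7")]    # localnet1 -> Internet
    tunnel_only = [p for p in ROUTER1_OUT if p.action == "ipsec"]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} tunnel only: {decide(tunnel_only, src, dst):<11}"
              f" with passthrough: {decide(ROUTER1_OUT, src, dst)}")
```

On a NETKEY host the policies actually installed can be listed with `ip xfrm policy show` and compared against this table to see which selector a given flow hits.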
