[Openswan Users] Tunnel to 0.0.0.0/0 except some addresses

Markus mlist at dlite.de
Wed Nov 30 20:08:49 CET 2005


Markus wrote:
> Paul Wouters <mailto:paul at xelerance.com> wrote:
>> On Sun, 27 Nov 2005, Markus wrote:
>>> I have setup a tunnel between localnet1+localnet2 to 0.0.0.0/0. That
>>> works nearly perfect, I can reach localnet3 and the Internet without
>>> problems from localnet1/2. But I cannot reach localnet2 from
>>> localnet1 as (I think) router1 sends everything from localnet1 to
>>> router2 (which is not acceptable as the connection between router1
>>> and router2 is very slow). I think that I need a tunnel which says
>>> "to 0.0.0.0/0 except localnet2" or a route on router1 which
>>> overwrites the ipsec-routes (eroute?). Is that right? How can I do this?
>> 
>> I assume you are using netkey, because with klips this should work fine.
>> For netkey, you need on router1:
>> 
>> conn pass-localnet1
>> 	left=ip-router1
>> 	right=ip-router3
>> 	leftsubnet=localnet1/mask
>> 	rightsubnet=localnet2/mask
>> 	type=passthrough
>> 	auto=route
>> 	authby=never
>> 
>> that should exclude packets from NETKEY between localnet1 and localnet2
> 
> Thanks for the quick answer! Yes, I am using the kernel native ipsec
> implementation. The conn described sounds good, but I didn't get any
> packets routed with it. I think I have to fill the example with real-life
> numbers to get it:
> 
> localnet1 = 192.168.12.0/27  eth0 (192.168.12.30) -\                         /----- localnet3
>                                                      router1 eth1 (192.168.12.158) --- router2 (192.168.12.145)
>             192.168.12.32/27 eth2 (192.168.12.62) -/                         \----- Internet
> 
> So I have the following connections (Removed the auth-params via cert from
> sr1-sr2):
> conn sr1-sr2
>         left=192.168.12.145
>         leftsubnet=0.0.0.0/0
>         right=192.168.12.158
>         rightsubnet=192.168.12.0/26
>         auto=start
> 
> conn pass-localnet1
>        left=192.168.12.158
>        right=192.168.12.145
>        leftsubnet=192.168.12.0/27
>        rightsubnet=192.168.12.32/27
>        type=passthrough
>        auto=route
>        authby=never
> 
> I have tried to make one connection for each localnet1/2 and an extra
> connection pass-localnet2, but none of it works. After starting ipsec I
> cannot ping any host in localnet1/2 from the gateway and after stopping
> the routes to the localnet1/2 are gone. I bet it's only a short way to the
> finish...

Hi, anyone here who has a further hint for me?

-- 
Beste Grüße / best regards Markus Meissner
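The mechanism Paul's suggestion relies on, as an added illustration that is not part of the thread: NETKEY/XFRM consults security policies most-specific-first, so a passthrough policy for 192.168.12.0/27 <-> 192.168.12.32/27 is matched before the 192.168.12.0/26 -> 0.0.0.0/0 tunnel policy. The script below is a simplified model of that lookup (specificity scored as the sum of prefix lengths, a stand-in for the priorities pluto assigns), using the addresses from the post plus an assumed reverse-direction pass-localnet2 entry and a constructed outside address; it shows the intended policy outcome, not why the poster's setup failed.

```python
# Added example, not code from the thread: a toy model of NETKEY/XFRM
# policy selection for the sr1-sr2 tunnel plus passthrough exemptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str  # "ipsec" (send through the tunnel) or "passthrough" (clear)

    def matches(self, s, d) -> bool:
        return s in self.src and d in self.dst

    def specificity(self) -> int:
        # Longer prefixes win: 0.0.0.0/0 scores 0, a /27 <-> /27 pair scores 54.
        return self.src.prefixlen + self.dst.prefixlen


def build_spd():
    """Outbound policies on router1 (192.168.12.158), derived from the two conns."""
    return [
        # conn sr1-sr2: everything from the /26 towards anywhere goes into the tunnel
        Policy("sr1-sr2", ip_network("192.168.12.0/26"), ip_network("0.0.0.0/0"), "ipsec"),
        # conn pass-localnet1: localnet1 -> localnet2 stays out of the tunnel
        Policy("pass-localnet1", ip_network("192.168.12.0/27"), ip_network("192.168.12.32/27"), "passthrough"),
        # Assumed reverse entry so replies localnet2 -> localnet1 also bypass the tunnel
        Policy("pass-localnet2", ip_network("192.168.12.32/27"), ip_network("192.168.12.0/27"), "passthrough"),
    ]


def lookup(spd, src, dst):
    """Return the most specific matching policy, or None when no selector matches."""
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in spd if p.matches(s, d)]
    return max(hits, key=Policy.specificity) if hits else None


def decide(src, dst, spd=None):
    """(policy name, action) for a packet; unmatched traffic is plain routed."""
    p = lookup(spd or build_spd(), src, dst)
    return (p.name, p.action) if p else ("none", "plaintext")


if __name__ == "__main__":
    # 203.0.113.7 is a constructed example address (TEST-NET-3).
    for s, d in [("192.168.12.5", "192.168.12.40"), ("192.168.12.5", "203.0.113.7"),
                 ("192.168.12.40", "192.168.12.5"), ("203.0.113.7", "192.168.12.5")]:
        print(f"{s} -> {d}: {decide(s, d)}")
```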
