[Openswan Users] openswan, klips -- routing issues

David Green david.green at jwh.com.au
Tue Aug 1 06:47:39 EDT 2006


Hi all,

Sorry if this problem has already been posted about.

Our current setup looks like this:

        (LEFT)                                              (RIGHT)

 10.1.8.0/255.255.248.0                            10.2.30.0/255.255.255.0
           \                                                 /
      eth0 (10.1.8.1)                                 eth1 (10.2.30.1)
           \                                                 /
          Gateway   ipsec0 ~~~~~~~~~~~~~~~~~~~~~~ ipsec0   Regional
          /      \                                          /
   eth2 (DMZ)   eth1 (xxx.yyy.67.2) ---- (Internet) ---- ppp0 (vvv.www.222.42)
  (xxx.yyy.67.9)
        |
  xxx.yyy.67.8/29


Basically I want to route all traffic from the Regional gateway (right) to the DMZ on the left through the ipsec0 interface (to allow for services that are firewalled off from Internet traffic).

ipsec.conf on the Gateway looks like this:

conn home-away
type=tunnel
left=xxx.yyy.67.2
leftnexthop=xxx.yyy.67.1
leftsubnet=10.0.0.0/255.0.0.0
leftsourceip=10.1.8.1
right=vvv.www.222.42
rightnexthop=vvv.www.14.16
rightsubnet=10.2.30.0/255.255.255.0
rightsourceip=10.2.30.1
keyexchange=ike
auth=esp
authby=secret
esp=3des-sha1-96
pfs=yes
compress=yes
auto=start

ipsec.conf on Regional looks like this:

conn home-away
type=tunnel
left=vvv.www.222.42
leftnexthop=vvv.www.14.16
leftsubnet=10.2.30.0/255.255.255.0
leftsourceip=10.2.30.1
right=xxx.yyy.67.2
rightnexthop=xxx.yyy.67.1
rightsubnet=10.0.0.0/255.0.0.0
rightsourceip=10.1.8.1
keyexchange=ike
auth=esp
authby=secret
esp=3des-sha1-96
pfs=yes
compress=yes
auto=start

The routing table on Regional looks like this:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
vvv.www.14.16 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
vvv.www.14.16 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
10.2.30.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.0.0.0 vvv.www.14.16 255.0.0.0 UG 0 0 0 ipsec0
0.0.0.0 vvv.www.14.16 0.0.0.0 UG 0 0 0 ppp0

If I manually add a route like this:

ip route add xxx.yyy.67.8/29 dev ipsec0 src 10.2.30.1

or this:

ip route add xxx.yyy.67.8/29 via vvv.www.14.16 dev ipsec0 src 10.2.30.1

Then I can see the traffic going out on the ipsec0 interface on Regional but not coming in on ipsec0 on Gateway.

I get the feeling that I've got a fundamental misunderstanding of the way this is all put together. Any help whatsoever will be greatly appreciated.

Kind regards
-- David Green
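The post's routing table and the hand-added route for xxx.yyy.67.8/29 both steer packets onto ipsec0, but a KLIPS tunnel only carries a flow whose source and destination fall inside the leftsubnet/rightsubnet pair of some conn; a route by itself creates no such policy. The script below is an added example, not code from the post or from Openswan: it parses conn sections in ipsec.conf syntax, reports which conn (if any) covers a given flow as seen from the left host, and derives the route that Openswan's _updown installs for a KLIPS conn (assumed from the form of the routing table in the post). The masked public addresses xxx.yyy.67.x and vvv.www.x are replaced by the RFC 5737 documentation ranges 203.0.113.x and 198.51.100.x, and the second conn `home-dmz` is an assumed addition that is not in the post.

```python
"""Check which ipsec.conf conn covers a flow, and what KLIPS does with it.

Added example (not Openswan code, not from the original post). Public
addresses are stand-ins from RFC 5737 for the masked xxx.yyy.67.x and
vvv.www.x values in the post.
"""
import ipaddress
import re

# Constructed ipsec.conf text modelled on the Regional side's conn in the post.
ORIGINAL_CONF = """\
conn home-away
    type=tunnel
    left=198.51.100.42
    leftnexthop=198.51.100.16
    leftsubnet=10.2.30.0/255.255.255.0
    leftsourceip=10.2.30.1
    right=203.0.113.2
    rightnexthop=203.0.113.1
    rightsubnet=10.0.0.0/255.0.0.0
    rightsourceip=10.1.8.1
    auto=start
"""

# Assumed extra conn (not in the post): a second selector pair, same peers,
# whose rightsubnet is the DMZ network hanging off the Gateway's eth2.
DMZ_CONF = """\
conn home-dmz
    type=tunnel
    left=198.51.100.42
    leftnexthop=198.51.100.16
    leftsubnet=10.2.30.0/255.255.255.0
    leftsourceip=10.2.30.1
    right=203.0.113.2
    rightnexthop=203.0.113.1
    rightsubnet=203.0.113.8/29
    auto=start
"""


def parse_conns(text):
    """Parse 'conn NAME' headers followed by indented key=value lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def selectors(conn):
    """(leftsubnet, rightsubnet) as networks; ipaddress accepts the
    address/netmask form used in the post as well as CIDR. A missing
    *subnet means the host itself, which Openswan treats as a /32."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right


def covering_conns(conns, src, dst):
    """Names of conns whose selector pair covers src -> dst as sent by the
    left host: src must be inside leftsubnet and dst inside rightsubnet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [name for name, conn in conns.items()
            if src in selectors(conn)[0] and dst in selectors(conn)[1]]


def klips_route(conn):
    """Route the left host gets when this KLIPS conn comes up (assumed from
    the shape of the post's table): rightsubnet via leftnexthop on ipsec0,
    sourced from leftsourceip when one is configured."""
    _, right = selectors(conn)
    cmd = f"ip route add {right} via {conn['leftnexthop']} dev ipsec0"
    if "leftsourceip" in conn:
        cmd += f" src {conn['leftsourceip']}"
    return cmd


def explain(conns, src, dst):
    """Describe the fate of a packet that the routing table hands to ipsec0.
    Modelled behaviour: with no covering conn KLIPS has no eroute for the
    flow, so the packet shows up on ipsec0 but is dropped, never encapsulated."""
    hits = covering_conns(conns, src, dst)
    if hits:
        return f"{src} -> {dst}: encapsulated under conn {hits[0]}"
    return (f"{src} -> {dst}: seen on ipsec0 but no conn covers it; "
            "KLIPS has no eroute and drops it")


if __name__ == "__main__":
    before = parse_conns(ORIGINAL_CONF)
    after = parse_conns(ORIGINAL_CONF + DMZ_CONF)
    for label, conns in (("original", before), ("with home-dmz", after)):
        print(f"[{label}]")
        print(" ", explain(conns, "10.2.30.50", "10.1.8.20"))     # LAN to LAN
        print(" ", explain(conns, "10.2.30.50", "203.0.113.9"))   # LAN to DMZ
        for name, conn in conns.items():
            print(f"  route from {name}: {klips_route(conn)}")
```

Running it shows that the route derived for `home-dmz` has exactly the shape of the second route the poster added by hand, which is why traffic appears on ipsec0 either way; the difference is that only the conn supplies a selector pair and a negotiated SA for the DMZ prefix, so only with it does the flow get encapsulated rather than dropped.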