[Openswan Users] RE: openswan, klips -- routing issues

David Green david.green at jwh.com.au
Tue Aug 1 07:32:16 EDT 2006


Sorry, the diagram didn't come out properly.

Here it is again (hopefully)


                     (LEFT)                                   (RIGHT)
 
  10.1.8.0/255.255.248.0                                            10.2.30.0/255.255.255.0
             \                                                                 /
              \                                                               /
     eth0 (10.1.8.1)         ipsec0 ~~~~~~~~~~~~~~~~~~ ipsec0          eth1 (10.2.30.1)
                    \       /                                \        /
                     Gateway                                  Regional
      (xxx.yyy.67.9)/       \(xxx.yyy.67.2)  (vvv.www.222.42)/
          eth2 (DMZ)         eth1---------\    /---------ppp0
              /                         (Internet)
             /
     xxx.yyy.67.8/29

--
David Green


-----Original Message-----
From: David Green [mailto:david.green at jwh.com.au] 
Sent: Tuesday, 1 August 2006 11:48 AM
To: users at openswan.org
Subject: openswan, klips -- routing issues

Hi all,
 
Sorry if this problem has already been posted about.
 
Our current setup looks like this:
 
                     (LEFT)                                   (RIGHT)
 
  10.1.8.0/255.255.248.0                                            10.2.30.0/255.255.255.0
             \                                                                 /
              \                                                               /
     eth0 (10.1.8.1)         ipsec0 ~~~~~~~~~~~~~~~~~~ ipsec0          eth1 (10.2.30.1)
                      \       /                                \        /
                     Gateway                                  Regional
      (xxx.yyy.67.9)/       \(xxx.yyy.67.2)  (vvv.www.222.42)/
          eth2 (DMZ)         eth1---------\    /---------ppp0
              /                         (Internet)
             /
     xxx.yyy.67.8/29
 
 
Basically I want to route all traffic from the Regional Gateway (right) to the DMZ on the left through the ipsec0 interface (to allow for services that are firewalled off from Internet traffic).
 
ipsec.conf on the Gateway looks like this:
 
conn home-away
        type=tunnel
        left=xxx.yyy.67.2
        leftnexthop=xxx.yyy.67.1
        leftsubnet=10.0.0.0/255.0.0.0
        leftsourceip=10.1.8.1
        right=vvv.www.222.42
        rightnexthop=vvv.www.14.16
        rightsubnet=10.2.30.0/255.255.255.0
        rightsourceip=10.2.30.1
        keyexchange=ike
        auth=esp
        authby=secret
        esp=3des-sha1-96
        pfs=yes
        compress=yes
        auto=start
 
ipsec.conf on Regional looks like this:
 
conn home-away
        type=tunnel
        left=vvv.www.222.42
        leftnexthop=vvv.www.14.16
        leftsubnet=10.2.30.0/255.255.255.0
        leftsourceip=10.2.30.1
        right=xxx.yyy.67.2
        rightnexthop=xxx.yyy.67.1
        rightsubnet=10.0.0.0/255.0.0.0
        rightsourceip=10.1.8.1
        keyexchange=ike
        auth=esp
        authby=secret
        esp=3des-sha1-96
        pfs=yes
        compress=yes
        auto=start
 
The routing table on Regional looks like this:
 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
vvv.www.14.16   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
vvv.www.14.16   0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
10.2.30.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        vvv.www.14.16   255.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         vvv.www.14.16   0.0.0.0         UG    0      0        0 ppp0
 
If I manually add a route thusly:
 
ip route add xxx.yyy.67.8/29 dev ipsec0 src 10.2.30.1;  OR
ip route add xxx.yyy.67.8/29 via vvv.www.14.16 dev ipsec0 src 10.2.30.1
 
Then I can see the traffic going out on the ipsec0 interface on Regional but not coming in on ipsec0 on Gateway.
 
I get the feeling that I've got a fundamental misunderstanding of the way this is all put together. Any help whatsoever will be greatly appreciated.
 
Kind regards
--
David Green
 
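One way to see why the manual route alone is not enough, as an added example (not code from the list or from Openswan): KLIPS only protects packets whose source and destination both fall inside a conn's leftsubnet/rightsubnet selectors, so a route into ipsec0 for a destination outside 10.0.0.0/8 hands the interface packets that no tunnel policy covers. The script parses conn blocks like the ones quoted above and reports which conn, if any, covers a given src/dst pair; the second conn "home-dmz" and the 203.0.113.8/29 stand-in for the masked xxx.yyy.67.8/29 DMZ block are assumptions.

```python
import ipaddress
import re

# Constructed sample: the Gateway's conn from the original message, plus a
# hypothetical second conn ("home-dmz") that also carries the DMZ subnet.
# The masked xxx.yyy.67.8/29 DMZ block is stood in for by 203.0.113.8/29.
SAMPLE_CONF = """
conn home-away
        type=tunnel
        leftsubnet=10.0.0.0/255.0.0.0
        rightsubnet=10.2.30.0/255.255.255.0
        auto=start

conn home-dmz
        type=tunnel
        leftsubnet=203.0.113.8/29
        rightsubnet=10.2.30.0/255.255.255.0
        auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each conn section in an ipsec.conf fragment."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s+(\w+)=(\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns

def covered_by(conns, src, dst):
    """Name the conn whose leftsubnet/rightsubnet selectors cover src->dst
    (in either direction), or None if no tunnel policy matches the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        # ipaddress accepts the dotted-netmask form used in the conn (10.0.0.0/255.0.0.0)
        left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
        if (src in left and dst in right) or (src in right and dst in left):
            return name
    return None

if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    only_home_away = {"home-away": conns["home-away"]}
    print(covered_by(only_home_away, "10.2.30.1", "10.1.8.5"))     # Regional LAN -> Gateway LAN: home-away
    print(covered_by(only_home_away, "10.2.30.1", "203.0.113.10"))  # Regional LAN -> DMZ: None, no eroute
    print(covered_by(conns, "10.2.30.1", "203.0.113.10"))           # with the extra conn: home-dmz
```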


