[Openswan Users] RE: openswan, klips -- routing issues
David Green
david.green at jwh.com.au
Tue Aug 1 07:32:16 EDT 2006
Sorry, the diagram didn't come out properly.
Here it is again (hopefully)
(LEFT) (RIGHT)
10.1.8.0/255.255.248.0 10.2.30.0/255.255.255.0
\ /
\ /
eth0 (10.1.8.1) ipsec0 ~~~~~~~~~~~~~~~~~~ ipsec0 eth1 (10.2.30.1)
\ / \ /
Gateway Regional
(xxx.yyy.67.9)/ \(xxx.yyy.67.2) (vvv.www.222.42)/
eth2 (DMZ) eth1---------\ /---------ppp0
/ (Internet)
/
xxx.yyy.67.8/29
--
David Green
-----Original Message-----
From: David Green [mailto:david.green at jwh.com.au]
Sent: Tuesday, 1 August 2006 11:48 AM
To: users at openswan.org
Subject: openswan, klips -- routing issues
Hi all,
Sorry if this problem has all ready been posted about.
Our current setup looks like this:
(LEFT) (RIGHT)
10.1.8.0/255.255.248.0 10.2.30.0/255.255.255.0
\ /
\ /
eth0 (10.1.8.1) ipsec0 ~~~~~~~~~~~~~~~~~~ ipsec0 eth1 (10.2.30.1)
\ / \ /
Gateway Regional
(xxx.yyy.67.9)/ \(xxx.yyy.67.2) (vvv.www.222.42)/
eth2 (DMZ) eth1---------\ /---------ppp0
/ (Internet)
/
xxx.yyy.67.8/29
Basically I want to route all traffic from the Regional Gateway (right) to the DMZ on the left through the ipsec0 interface (to allow for services that are firewalled off from Internet traffic.
ipsec.conf on the Gateway looks like this:
conn home-away
type=tunnel
left=xxx.yyy.67.2
leftnexthop=xxx.yyy.67.1
leftsubnet=10.0.0.0/255.0.0.0
leftsourceip=10.1.8.1
right=vvv.www.222.42
rightnexthop=vvv.www.14.16
rightsubnet=10.2.30.0/255.255.255.0
rightsourceip=10.2.30.1
keyexchange=ike
auth=esp
authby=secret
esp=3des-sha1-96
pfs=yes
compress=yes
auto=start
ipsec.conf on Regional looks like this:
conn home-away
type=tunnel
left=vvv.www.222.42
leftnexthop=vvv.www.14.16
leftsubnet=10.2.30.0/255.255.255.0
leftsourceip=10.2.30.1
right=xxx.yyy.67.2
rightnexthop=xxx.yyy.67.1
rightsubnet=10.0.0.0/255.0.0.0
rightsourceip=10.1.8.1
keyexchange=ike
auth=esp
authby=secret
esp=3des-sha1-96
pfs=yes
compress=yes
auto=start
The routing table on Regional looks like this:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
vvv.www.14.16 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
vvv.www.14.16 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
10.2.30.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.0.0.0 vvv.www.14.16 255.0.0.0 UG 0 0 0 ipsec0
0.0.0.0 vvv.www.14.16 0.0.0.0 UG 0 0 0 ppp0
If I manually add a route thusly:
ip route add xxx.yyy.67.8/29 dev ipsec0 src 10.2.30.1; OR
ip route add xxx.yyy.67.8/29 via vvv.www.14.16 dev ipsec0 src 10.2.30.1
Then I can see the traffic going out on the ipsec0 interface on Regional but not coming in on ipsec0 on Gateway.
I get the feeling that I've got a fundamental misunderstanding of the way this is all put together. Any help what-so-ever will be greatly appreciated.
Kind regards
--
David Green
More information about the Users
mailing list