[Openswan Users] Should be a simple routing question

Greg Scott GregScott at InfraSupportEtc.com
Thu Aug 24 12:55:42 EDT 2006


Thanks guys.  Been buried the past two days.  I will try this when I get
back later this afternoon or tonight and report the results.  Does that
passthru conn do the same thing as the ip xfrm policy stuff?  Is there
any documentation anywhere on how to use ip xfrm policy?  

Thanks

- Greg Scott
 

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Tuesday, August 22, 2006 1:48 PM
To: Andy Gay
Cc: users at openswan.org; Greg Scott
Subject: Re: [Openswan Users] Should be a simple routing question

On Tue, 22 Aug 2006, Andy Gay wrote:

> > Left 10.15.1.0/24 <------> Right 10.0.0.0/8.
> >      Site B                      Site A
> >
> > The tunnel works great - both sides see each other just fine, thanks
> > to lots of help from people in this list.
> >
> > Here's the issue.  When I traceroute from the siteB router at 
> > 10.15.1.1 to anything else in SiteB, it tries to route via SiteA!  
> > Very strange indeed!
> >
> > Well, it kind of makes sense because my tunnel definition evidently 
> > told it to behave this way.  I was wondering if there is a way to 
> > make the local route happen before the tunnel route?
>
> I don't think this is a routing issue, it's to do with IPsec policy.
> Your policy says anything with source address 10.15.1.0/24 and 
> destination 10.0.0.0/8 should be sent through the tunnel.
>
> Try doing this on the siteB router:
>
> ip xfrm policy add dir in src 10.15.1.0/24 dst 10.15.1.0/24
> ip xfrm policy add dir out src 10.15.1.0/24 dst 10.15.1.0/24
>
> That will add some more specific policies for local traffic.
>
> I believe there's a way to do that using a passthrough conn as well, 
> but I'm not certain about the syntax for that.

try:

conn pass-localstuff
        left=10.15.1.1
        right=0.0.0.0
        rightsubnet=10.15.1.0/24
        auto=route
        authby=never
        type=passthrough

Paul
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
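The point Andy makes above (the symptom is IPsec policy, not routing) comes from Site B's 10.15.1.0/24 lying inside Site A's 10.0.0.0/8, so the tunnel's selector also covers purely local traffic. The following is an added example, not code from this thread or from Openswan: a simplified Python model of the kernel's SPD (`ip xfrm policy`) lookup, where lower priority values win and ties go to the more specific selector, showing why the extra local policies change the outcome. Policy names, priorities and the `bypass`/`ipsec` action labels are this example's own assumptions.

```python
# Simplified model of Linux IPsec SPD (xfrm policy) lookup. Added example;
# not code from the mailing-list thread or from Openswan. The tie-break on
# selector specificity is an assumption that approximates how pluto orders
# the policies it installs; the real kernel lookup is more involved.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    direction: str              # "in", "out" or "fwd"
    src: ipaddress.IPv4Network  # source selector
    dst: ipaddress.IPv4Network  # destination selector
    action: str                 # "ipsec" (send via tunnel) or "bypass" (plaintext)
    priority: int = 0           # lower value wins, as with `ip xfrm policy ... priority N`

def net(cidr):
    return ipaddress.ip_network(cidr)

def lookup(policies, direction, src_ip, dst_ip):
    """Return the policy governing this packet, or None if no policy matches.
    Among matches the lowest priority value wins; ties go to the selector with
    the longest combined prefix length (the more specific one)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p.direction == direction and src in p.src and dst in p.dst]
    if not matches:
        return None
    return min(matches,
               key=lambda p: (p.priority, -(p.src.prefixlen + p.dst.prefixlen)))

def disposition(policies, direction, src_ip, dst_ip):
    """'ipsec', 'bypass', or 'plaintext' (no matching policy at all)."""
    p = lookup(policies, direction, src_ip, dst_ip)
    return "plaintext" if p is None else p.action

# Constructed sample: the site-to-site tunnel's policies as seen on the Site B
# router. Note that 10.15.1.0/24 is inside 10.0.0.0/8, so local traffic matches.
TUNNEL = [
    Policy("out", net("10.15.1.0/24"), net("10.0.0.0/8"), "ipsec", priority=1000),
    Policy("in",  net("10.0.0.0/8"), net("10.15.1.0/24"), "ipsec", priority=1000),
]
# The more specific local policies (what `ip xfrm policy add dir in/out
# src 10.15.1.0/24 dst 10.15.1.0/24` with no template installs, at priority 0).
LOCAL_BYPASS = [
    Policy("out", net("10.15.1.0/24"), net("10.15.1.0/24"), "bypass", priority=0),
    Policy("in",  net("10.15.1.0/24"), net("10.15.1.0/24"), "bypass", priority=0),
]

if __name__ == "__main__":
    print(disposition(TUNNEL, "out", "10.15.1.1", "10.15.1.50"))                # ipsec
    print(disposition(TUNNEL + LOCAL_BYPASS, "out", "10.15.1.1", "10.15.1.50")) # bypass
    print(disposition(TUNNEL + LOCAL_BYPASS, "out", "10.15.1.1", "10.1.2.3"))   # ipsec
```

The first call reproduces the traceroute symptom: with only the tunnel policies, a packet from 10.15.1.1 to another Site B host is selected for the tunnel; adding the local policies makes it go out in the clear while traffic to the rest of 10.0.0.0/8 still takes the tunnel.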