[Openswan Users] Routing lan-pcs to internet over IPsec-Tunnel (Kernel 2.6.15.1)

franknos at gmx.de franknos at gmx.de
Thu Feb 9 20:56:06 CET 2006 

Hi,

I have a problem with routing two lans (192.168.0.0 and 192.168.3.0) to the
internet over IPsec. My system: gentoo, Kernel 2.6.15.1 and openswan 2.4.4.
On my router the two lans are attached as ath0 (IP 192.168.0.1) and eth1 (IP
192.168.3.1). Over wlan0 I have an wirless connection which gets an IP over
dhcp in the 10.2.50.0 or 10.2.10.0 subnet. Over wlan0 I establish an
IPsec-connection with openswan 2.4.4. ipsec.conf:

-- snip --
 version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=none

conn myconnection
    keyingtries=1
    authby=rsasig
    esp=aes128-sha1
    right=10.1.0.2
    rightsubnet=0.0.0.0/0
    left=%defaultroute
    leftrsasigkey=%cert
    auto=start
    rightrsasigkey=%cert
    leftcert=cert.pem
    leftid=xyz at xyz.xyz
    rightid=root at ipsec.wlan.xyz
    compress=yes
    keylife=4h
-- snip ---

The connection to the internet works locally on the router perfect. route -n
says (eth1 disconnected at moment for better testing):

Ziel            Router          Genmask         Flags Metric Ref    Use
Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
10.2.10.0       0.0.0.0         255.255.255.0   U     0      0        0
wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.2.10.254     128.0.0.0       UG    0      0        0
wlan0
128.0.0.0       10.2.10.254     128.0.0.0       UG    0      0        0
wlan0
0.0.0.0         10.2.10.254     0.0.0.0         UG    0      0        0
wlan0

And now the problem: I want that the pcs connected at the subnets
192.168.0.0 and 192.168.3.0 are able to access the internet via NAT. Normal
masquerading doesn't work. I remember with an 2.4 kernel I had an seperate
ipsec0 device, but with 2.6 it's gone. I had no success for getting KLIPS to
workt with my 2.6.15.1 Kernel. So it seems I have to stick with the native
2.6 IPsec. But I'm lost in configuring the nat. I don't unterstand the two
default routes etc. Would be great if someone may help me and explain how it
will work.

Thanks in advance and greetings
Frank

-- 
10 GB Mailbox, 100 FreeSMS/Monat http://www.gmx.net/de/go/topmail
+++ GMX - die erste Adresse für Mail, Message, More +++

More information about the Users mailing list