[Openswan Users] routing vpn traffic

Michael Tinsay tinsami1 at yahoo.com
Tue Jan 3 06:53:59 CET 2006


--- Paul Wouters <paul at xelerance.com> wrote:

> On Mon, 2 Jan 2006, Michael Tinsay wrote:
> 
> > It's my first time setting up openswan using a 2.6 linux kernel
> > (netkey).  I understand that there is no more ipsec0 interface.  My
> > question is: How do I route vpn traffic properly?  In a 2.4 kernel, lan
> > (eth0) to internet (eth1) is nat'ed/masqueraded and lan to vpn (ipsec0)
> > is routed.  How do I achieve the same thing in a 2.6 kernel when all I
> > can see are eth0 and eth1?  How do I distinguish between normal Internet
> > traffic (for NAT'ing) and IPsec traffic (for routing through a tunnel)?
> 
> The easiest way is by source and destination. For instance if you have
> two subnets (10.0.1.0/24 and 10.0.2.0/24) that are connected by IPsec,
> with both IPsec gateways NAT'ing packets, you can do:
> 
> iptables -t nat -I POSTROUTING -o ethX -s 10.0.1.0/24 ! -d 10.0.2.0/24 -j SNAT [....]
> 
> if you have multiple networks, you will need to use various rules with
> -j ACCEPT, with the catch-all SNAT rule appended last:
> 
> iptables -t nat -I POSTROUTING -o ethX -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ethX -s 10.0.1.0/24 -d 10.0.3.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ethX -s 10.0.1.0/24 -d 10.0.4.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ethX -s 10.0.1.0/24 -j SNAT [....]
> 
> Paul
> 

Thanks Paul,

A follow-up question, if you don't mind: Say I'm using
eth0 for both my Internet and IPsec traffic.  How do I set the
default route to use the IPsec tunnel?

Actually, what I really need is to force traffic to a
particular public subnet to go through the IPsec
tunnel.  Here's my situation:

Subnet A:
lan subnet = 10.10.10.0/24
public ip  = a.b.c.d

Subnet B:
DSL modem = w.x.y.1/29
firewall/router/vpn = w.x.y.2/29
server1 = w.x.y.3/29
server2 = w.x.y.4/29
server3 = w.x.y.5/29

The firewall only opens port 80 to the public.  All
other services must be through an IPsec tunnel.  Can
this be done?

Thanks in advance.


--- mike t.
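The rule ordering Paul describes, and the "only port 80 from the Internet, everything else through the tunnel" filter Mike asks about, as an added worked example. This is not code from the thread or from Openswan; interface names and the 10.x subnets are assumed placeholders, and the `xt_policy` match (`-m policy --dir out --pol ipsec`) is a swapped-in alternative to per-subnet exceptions that identifies packets the NETKEY SPD will encapsulate, since there is no ipsec0 to match on. The functions only print the iptables commands; nothing touches the kernel unless you set APPLY=1 and run as root.

```shell
#!/bin/sh
# Added example (not code from the thread or from Openswan). On a 2.6 NETKEY
# gateway there is no ipsec0 interface, so tunnel-bound traffic is exempted
# from NAT either by source/destination (as in Paul's reply) or by the
# kernel's own IPsec policy via the xt_policy match. Interfaces and subnets
# below are assumed placeholders.

# Emit the POSTROUTING rules in the order they must be loaded: one ACCEPT
# exception per remote subnet reached through IPsec, then the catch-all
# MASQUERADE for everything else leaving the WAN interface.
# Usage: nat_rules WAN_IF LOCAL_NET REMOTE_NET...
nat_rules() {
    nr_wan=$1; nr_local=$2; shift 2
    for nr_remote in "$@"; do
        echo "iptables -t nat -A POSTROUTING -o $nr_wan -s $nr_local -d $nr_remote -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $nr_wan -s $nr_local -j MASQUERADE"
}

# Same effect without maintaining a subnet list: xt_policy matches packets the
# SPD will encapsulate on output, whatever their destination (assumed
# alternative; needs the policy match compiled into the kernel).
# Usage: policy_nat_rules WAN_IF LOCAL_NET
policy_nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $1 -s $2 -m policy --dir out --pol ipsec -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $1 -s $2 -j MASQUERADE"
}

# Filter rules for the follow-up question: expose only tcp/80 from the
# Internet and allow anything that arrived decrypted through the tunnel.
# "--dir in --pol ipsec" is what tells IPsec-delivered packets apart from
# plain Internet packets on the same physical interface.
# Usage: forward_rules WAN_IF SERVER_NET
forward_rules() {
    echo "iptables -A FORWARD -i $1 -d $2 -m policy --dir in --pol ipsec -j ACCEPT"
    echo "iptables -A FORWARD -i $1 -d $2 -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A FORWARD -i $1 -d $2 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $1 -d $2 -j DROP"
}

# Guard against the classic mistake: the catch-all must be the last NAT rule,
# otherwise tunnel-bound packets are rewritten before an exception can match.
# Returns 0 when the last line printed by the given generator is MASQUERADE.
last_rule_is_masquerade() {
    "$@" | tail -n 1 | grep -q -- '-j MASQUERADE$'
}

# Print the NAT rule set (default) or apply it (APPLY=1, run as root).
load_rules() {
    lr_rules=$( nat_rules "$@" )
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$lr_rules" | sh -e
    else
        printf '%s\n' "$lr_rules"
    fi
}

# Sample invocation with the subnets from Paul's reply (assumed WAN is eth1):
#   load_rules eth1 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.4.0/24
```

The per-subnet form breaks silently if a new tunnel is added and the ACCEPT exception is forgotten: the new site's traffic gets masqueraded and the far gateway drops it as not matching its rightsubnet. The policy-match form avoids that class of mistake because the exemption follows the SPD rather than a hand-maintained list.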


