[Openswan Users] Routing

Brian Candler B.Candler at pobox.com
Sun May 21 11:37:44 CEST 2006


On Fri, May 19, 2006 at 12:25:27PM -0400, Darek M wrote:
> I have successfully configured a tunnel to a Cisco 3000 concentrator and 
> have hit a roadblock with routing.
> 
> The tunnel is set up for a client machine that has a public IP address 
> from a /25 network.  The IP of my OpenSWAN gateway is from a separate 
> /30 network.
> 
> The client is attempting to have traffic routed to a specific host on 
> the other site od the tunnel via my gateway, all other traffic going out 
> through the default gateway.
> 
> Client IP: 4.4.4.33
> Default gateway: 4.4.4.1
> OpenSWAN: 5.5.5.242
> Remote host: 6.6.7.7

Hmm, so if I draw this out I get:

                   ---+-------------------+----
                      |                   |
                      R                   .
                      |4.4.4.1            .
 --+------------------+                   R
   |4.4.4.33                              |5.5.5.241
client                     ---+-----------+--
                              |5.5.5.242 . . . . . . . . . . . . 6.6.6.6
                           openswan           =IPSEC=          |vpn3000
                                                               |
                                                            6.6.7.7
                                                             host

> I tried to set a route in on the client Windows machine with "route add 
> 6.6.6.6 mask 255.255.255.255 5.5.5.242" but Windows said:
> 
> "The route addition failed: Either the interface index is wrong or the 
> gateway does not lie on the same network as the interface. Check the IP 
> Address Table for the machine."

Absolutely. You can only set a next-hop which is on the same network as
yourself.

> What is the proper way to set up the routing table to allow traffic?

There is no simple way to force client 4.4.4.33 to send traffic to 6.6.6.7
going via 5.5.5.242 in the diagram above. Your options are:

(1) Set up a tunnel between client 4.4.4.33 and 5.5.5.242 (e.g. an IP-IP
tunnel, a GRE tunnel, or an IPSEC tunnel). You then configure the client
to send all traffic to 6.6.7.7 down that tunnel.

In that case, it would probably be easier just to set up a direct tunnel
from the client to the VPN3000

(2) Use policy routing on *all* routers on your network between 4.4.4.33
and 5.5.5.242, saying "if you see a packet with a source IP of 4.4.4.33 and
a destination of 6.6.7.7, then send it to the next router towards 5.5.5.242".
Plus the reverse policies for return traffic.

This is an utter nightmare: trust me, you do *not* want to do this. Option
(1) might sound horrible but it's far less horrible than this.

There is an IP 'source-route' option but because it is a huge security hole
in most networks, almost nobody implements it.

> The SWAN gateway is on a separate /30 network.  Would moving it within 
> the customer's /25 network make routing easier?  For example, giving 
> SWAN 4.4.4.34

Yes, that will work. Then the Windows box can have a route to 6.6.7.7 via
4.4.4.34

Brian.


More information about the Users mailing list