[Openswan Users] Routing
Darek M
darek at nyi.net
Sun May 21 17:30:14 CEST 2006
Brian Candler wrote:
> On Fri, May 19, 2006 at 12:25:27PM -0400, Darek M wrote:
>
>> I have successfully configured a tunnel to a Cisco 3000 concentrator and
>> have hit a roadblock with routing.
>>
>> The tunnel is set up for a client machine that has a public IP address
>> from a /25 network. The IP of my OpenSWAN gateway is from a separate
>> /30 network.
>>
>> The client is attempting to have traffic routed to a specific host on
> >> the other side of the tunnel via my gateway, all other traffic going out
>> through the default gateway.
>>
>> Client IP: 4.4.4.33
>> Default gateway: 4.4.4.1
>> OpenSWAN: 5.5.5.242
>> Remote host: 6.6.7.7
>>
>
> Hmm, so if I draw this out I get:
>
> ---+-------------------+----
> | |
> R .
> |4.4.4.1 .
> --+------------------+ R
> |4.4.4.33 |5.5.5.241
> client ---+-----------+--
> |5.5.5.242 . . . . . . . . . . . . 6.6.6.6
> openswan =IPSEC= |vpn3000
> |
> 6.6.7.7
> host
>
>
> >> I tried to set a route on the client Windows machine with "route add
>> 6.6.6.6 mask 255.255.255.255 5.5.5.242" but Windows said:
>>
>> "The route addition failed: Either the interface index is wrong or the
>> gateway does not lie on the same network as the interface. Check the IP
>> Address Table for the machine."
>>
>
> Absolutely. You can only set a next-hop which is on the same network as
> yourself.
>
>
>> What is the proper way to set up the routing table to allow traffic?
>>
>
> There is no simple way to force client 4.4.4.33 to send traffic to 6.6.6.7
> going via 5.5.5.242 in the diagram above. Your options are:
>
> (1) Set up a tunnel between client 4.4.4.33 and 5.5.5.242 (e.g. an IP-IP
> tunnel, a GRE tunnel, or an IPSEC tunnel). You then configure the client
> to send all traffic to 6.6.7.7 down that tunnel.
>
> In that case, it would probably be easier just to set up a direct tunnel
> from the client to the VPN3000
>
> (2) Use policy routing on *all* routers on your network between 4.4.4.33
> and 5.5.5.242, saying "if you see a packet with a source IP of 4.4.4.33 and
> a destination of 6.6.7.7, then send it to the next router towards 5.5.5.242".
> Plus the reverse policies for return traffic.
>
I gave this option a go, and you're right, from the get-go it was clear
it was going to be a nightmare and pretty much unworkable.
> This is an utter nightmare: trust me, you do *not* want to do this. Option
> (1) might sound horrible but it's far less horrible than this.
>
> There is an IP 'source-route' option but because it is a huge security hole
> in most networks, almost nobody implements it.
>
>
>> The SWAN gateway is on a separate /30 network. Would moving it within
>> the customer's /25 network make routing easier? For example, giving
>> SWAN 4.4.4.34
>>
>
> Yes, that will work. Then the Windows box can have a route to 6.6.7.7 via
> 4.4.4.34
>
That is what I ended up doing. Worked nicely and made subsequent
troubleshooting that much easier. Troubleshooting a single firewall is
a lot easier than forward and return routes on various pieces of Cisco
equipment.
> Brian.
>
I was confused in the beginning because I thought the router and the
left subnet that it has behind it should not be on the same network;
that such a config would break it somehow. Thanks for the help.
- Darek
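The two routing rules the thread turns on, the on-link check that made Windows reject 5.5.5.242 as a gateway and the longest-prefix match that sends only 6.6.7.7 via the relocated OpenSWAN box while everything else keeps the default gateway, as an added worked example (not code from the list or from Openswan; all addresses are the thread's sample values, and the Windows error text is paraphrased from the quoted message):

```python
import ipaddress

# Constructed addresses mirroring the thread: client 4.4.4.33 on a /25,
# default gateway 4.4.4.1, OpenSWAN on a separate /30 as 5.5.5.242 or,
# after the move, inside the /25 as 4.4.4.34; remote host 6.6.7.7.
CLIENT_IFACE = "4.4.4.33/25"


def next_hop_is_on_link(iface: str, next_hop: str) -> bool:
    """A static route can only be installed when its next hop is inside the
    connected network of the interface that would forward to it."""
    return ipaddress.ip_address(next_hop) in ipaddress.ip_interface(iface).network


def plan_host_route(iface: str, destination: str, next_hop: str):
    """Return (command, None) with the Windows host-route command, or
    (None, reason) echoing the error Windows gives for an off-link gateway."""
    if not next_hop_is_on_link(iface, next_hop):
        return None, "the gateway does not lie on the same network as the interface"
    return f"route add {destination} mask 255.255.255.255 {next_hop}", None


def select_next_hop(routes, destination: str):
    """Longest-prefix match over (prefix, next_hop) pairs: the /32 host route
    wins for 6.6.7.7 while every other destination falls through to the default."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


if __name__ == "__main__":
    # Off-link gateway from the separate /30: rejected, as Windows did.
    print(plan_host_route(CLIENT_IFACE, "6.6.7.7", "5.5.5.242"))
    # OpenSWAN moved into the customer's /25: route is installable.
    print(plan_host_route(CLIENT_IFACE, "6.6.7.7", "4.4.4.34"))
    table = [("0.0.0.0/0", "4.4.4.1"), ("6.6.7.7/32", "4.4.4.34")]
    print(select_next_hop(table, "6.6.7.7"), select_next_hop(table, "8.8.8.8"))
```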