[Openswan Users] Routing

Darek M darek at nyi.net
Sun May 21 17:30:14 CEST 2006

Brian Candler wrote:
> On Fri, May 19, 2006 at 12:25:27PM -0400, Darek M wrote:
>> I have successfully configured a tunnel to a Cisco 3000 concentrator and 
>> have hit a roadblock with routing.
>> The tunnel is set up for a client machine that has a public IP address 
>> from a /25 network.  The IP of my OpenSWAN gateway is from a separate 
>> /30 network.
>> The client is attempting to have traffic routed to a specific host on 
>> the other side of the tunnel via my gateway, all other traffic going out 
>> through the default gateway.
>> Client IP:
>> Default gateway:
>> OpenSWAN:
>> Remote host:
> Hmm, so if I draw this out I get:
>                    ---+-------------------+----
>                       |                   |
>                       R                   .
>                       |            .
>  --+------------------+                   R
>    |                              |
> client                     ---+-----------+--
>                               | . . . . . . . . . . . .
>                            openswan           =IPSEC=          |vpn3000
>                                                                |
>                                                              host
>> I tried to set a route on the client Windows machine with "route add 
>> mask" but Windows said:
>> "The route addition failed: Either the interface index is wrong or the 
>> gateway does not lie on the same network as the interface. Check the IP 
>> Address Table for the machine."
> Absolutely. You can only set a next-hop which is on the same network as
> yourself.
>> What is the proper way to set up the routing table to allow traffic?
> There is no simple way to force client to send traffic to
> going via in the diagram above. Your options are:
> (1) Set up a tunnel between client and (e.g. an IP-IP
> tunnel, a GRE tunnel, or an IPSEC tunnel). You then configure the client
> to send all traffic to down that tunnel.
> In that case, it would probably be easier just to set up a direct tunnel
> from the client to the VPN3000
> (2) Use policy routing on *all* routers on your network between
> and, saying "if you see a packet with a source IP of and
> a destination of, then send it to the next router towards".
> Plus the reverse policies for return traffic.

I gave this option a go, and you're right, from the get-go it was clear 
it was going to be a nightmare and pretty much unworkable.

> This is an utter nightmare: trust me, you do *not* want to do this. Option
> (1) might sound horrible but it's far less horrible than this.
> There is an IP 'source-route' option but because it is a huge security hole
> in most networks, almost nobody implements it.
>> The SWAN gateway is on a separate /30 network.  Would moving it within 
>> the customer's /25 network make routing easier?  For example, giving 
> Yes, that will work. Then the Windows box can have a route to via

That is what I ended up doing.  Worked nicely and made subsequent 
troubleshooting that much easier.  Troubleshooting a single firewall is 
a lot easier than forward and return routes on various pieces of cisco 

> Brian.

I was confused in the beginning because I thought the router and the 
left subnet that it has behind it should not be on the same network; 
that such a config would break it somehow.  Thanks for the help.

- Darek
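The "gateway does not lie on the same network as the interface" error and the fix Darek settled on come down to one rule: a static route's next hop must be on-link. The following is an added illustration, not code from the thread; the /25, /30 and remote-host addresses are constructed documentation-range values, since the original message's IPs are not shown.

```python
"""Model of the on-link next-hop check that made the Windows 'route add' fail."""
import ipaddress

# Constructed sample addressing (documentation prefixes, not from the thread).
CLIENT_LAN = "203.0.113.0/25"       # the client's /25 network
OPENSWAN_OLD = "198.51.100.2"       # OpenSWAN gateway on its original, separate /30
OPENSWAN_NEW = "203.0.113.10"       # OpenSWAN gateway after moving it into the /25
REMOTE_HOST = "192.0.2.50/32"       # host on the far side of the tunnel (behind the VPN3000)


def next_hop_on_link(iface_net, gateway):
    """True if the proposed next hop lies inside the interface's own subnet.

    This is the same test Windows (and Linux without 'onlink') applies before
    accepting a static route: the client must be able to ARP for the gateway.
    """
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(iface_net)


def static_route(dest, gateway, iface_net):
    """Return the (destination, next-hop) pair the client would install,
    or None when the route would be rejected because the gateway is off-link."""
    if not next_hop_on_link(iface_net, gateway):
        return None
    return (str(ipaddress.ip_network(dest)), str(ipaddress.ip_address(gateway)))


def placement_report():
    """Compare the two gateway placements discussed in the thread."""
    return {
        "separate /30": static_route(REMOTE_HOST, OPENSWAN_OLD, CLIENT_LAN),
        "inside the /25": static_route(REMOTE_HOST, OPENSWAN_NEW, CLIENT_LAN),
    }


if __name__ == "__main__":
    for placement, route in placement_report().items():
        print(f"gateway {placement}: {'rejected' if route is None else route}")
```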

