[Openswan Users] setting routes with klips
Christian Horn
chorn at fluxcoil.net
Mon Oct 2 10:56:31 EDT 2006
Hi all,
I am not able to use an established Openswan/KLIPS tunnel
to reach additional networks.
In ipsec.conf I set the basic route:
---------------------------------------------------
conn fw1
right=10.0.0.1
rightsubnet=192.168.0.0/24
rightcert=fwcert.cer
---------------------------------------------------
After establishing that tunnel I reach hosts from the
rightsubnet as expected. What is the correct way to add
192.168.1.0/24 to be routed/encrypted using this tunnel?
'ipsec eroute' shows after establishing the tunnel:
1 172.16.0.1/32 -> 192.168.0.0/24 => tun0x1002 at 10.0.0.1
From my understanding I should now [add] this SA again:
'ipsec eroute --add --eraf inet --src 172.16.0.1/32 \
--dst 192.168.1.0/24 --said tun0x1002 at 10.0.0.1'
and add a route:
'ip r a 192.168.1.0/24 dev ipsec0'.
Now, pinging a host from 192.168.1.0/24, I can see the eroute is triggered:
'ipsec eroute'
6 172.16.0.1/32 -> 192.168.1.0/24 => tun0x1002 at 10.0.0.1
...but the ICMP echo reply doesn't make it back to the ping command.
Sniffing the eth0 interface I see outgoing ESP packets to 10.0.0.1,
and also the reply ESP packets.
Any suggestions?
Thanks for your time, Christian.
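Editor's note: the usual way to carry a second remote subnet over an Openswan/KLIPS tunnel is to let Pluto negotiate it, not to hand-add an eroute for a new destination onto an SA that was negotiated for 192.168.0.0/24 only. The following ipsec.conf arrangement is an added example; it is not taken from the post above or from the Openswan project's own documentation. Each remote subnet gets its own conn, so Pluto negotiates a separate SA for it and installs its own eroute and ipsec0 route, and the shared settings are pulled in with `also=`. The addresses 10.0.0.1, 192.168.0.0/24, 192.168.1.0/24 and the certificate name fwcert.cer come from the post; `left=%defaultroute`, the section name `fw1-common` and the conn name `fw1-net1` are assumptions. The peer at 10.0.0.1 needs the mirror image (two conns with the two subnets on its own side), because each end only accepts traffic that matches a policy it negotiated.

```conf
# Shared parameters for both conns. auto=ignore keeps this section from
# being loaded on its own; it exists only to be included via also=.
conn fw1-common
    left=%defaultroute         # assumption: local endpoint taken from the default route
    right=10.0.0.1
    rightcert=fwcert.cer
    auto=ignore

# One conn per remote subnet. Each negotiates its own SA, so
# 'ipsec eroute' shows one entry per subnet, each with its own tun0x... SA.
conn fw1
    also=fw1-common
    rightsubnet=192.168.0.0/24
    auto=start

conn fw1-net1                  # assumption: name chosen for this example
    also=fw1-common
    rightsubnet=192.168.1.0/24
    auto=start
```

After reloading (`ipsec setup restart`, or `ipsec auto --add fw1-net1` followed by `ipsec auto --up fw1-net1`), `ipsec eroute` should list a second entry for 192.168.1.0/24 pointing at its own SA rather than at tun0x1002, and the route via ipsec0 is installed by the updown script, so no manual `ip route add` is needed. A hand-added eroute on a negotiated SA is not known to Pluto and will not be maintained across a re-key.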