[Openswan Users] Routing Question

Jeremy Mann jmann at txhmg.com
Fri Sep 8 12:41:53 EDT 2006


This is a bit OT, but I'm hoping someone here can give me some insight.

I have my openswan machine set up to essentially allow secure access to 
our internal WAN.  The machine has both a public IP (on eth1) and a private 
IP (on eth0).

I have no problem routing clients between subnets that terminate on the 
openswan box; my problem lies in routing clients outside of the openswan 
box (via eth0).

When I set my default gateway to the public IP on eth1, openswan works 
perfectly (even for incoming dynamic IP clients); however, routing is a 
chore, as I have to define static routes to all of my internal subnets.

When I set my default gateway to the IP on eth0, forwarding to another 
router, internal routing works perfectly, but all of my inbound IPsec 
tunnels from dynamic clients fail (timeout).

My question(s) are:

1.  Which is better, default gw of the public IP, or the internal IP?
2.  Could policy routing help?

I'm essentially trying to route all traffic from all offices through one 
router; it runs the transparent proxy.

Let me give the ol' ASCII art example:

Site1 (192.168.10.0/24)
  <-----> Public IP at Site1 (12.178.243.42)
  <-----> Public IP on openswan (12.91.90.76)
  <-----> Private IP on openswan (192.168.1.17/24)
  <-----> Private Router (192.168.1.1/24)
  <-----> Public IP on router (12.191.90.67)
  <-----> Internet

Essentially any packet from Site1, designated for the internet at large, 
should pass through all of the hosts above.
If the packet happens to be directed at an internal LAN client, the 
"Private Router" machine will route it appropriately.
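One way to answer question 2 with source-based policy routing, as an added example that is not part of the original post or of Openswan itself: the main table keeps its default route via the private router (so decrypted, forwarded site traffic reaches the transparent proxy), while a second routing table sends anything sourced from the box's own public address (IKE on UDP 500/4500 and ESP replies to the dynamic clients) out eth1. The addresses 12.91.90.76, 192.168.1.1, eth0 and eth1 come from the post; the ISP gateway on eth1 (`PUB_GW`) is not given in the post and is a placeholder assumption, as is the table number 100.

```shell
#!/bin/sh
# Added example (not from the original post): source-based policy routing on a
# dual-homed IPsec gateway so that the default route can point at the private
# router without breaking inbound tunnels from dynamic-IP clients.
PUB_IP="12.91.90.76"        # public IP on eth1 (from the post)
PUB_DEV="eth1"
PUB_GW="12.91.90.65"        # ASSUMPTION: the ISP gateway on eth1 is not given in the post
PRIV_GW="192.168.1.1"       # private router (from the post)
PRIV_DEV="eth0"
PUB_TABLE="100"             # ASSUMPTION: spare routing table number for public-IP traffic

# Emit the iproute2 commands, one per line, so they can be reviewed before use.
# Order matters: the main-table default goes first, then the secondary table,
# then the rule that diverts locally generated traffic sourced from PUB_IP.
policy_routing_cmds() {
    printf '%s\n' \
        "ip route replace default via $PRIV_GW dev $PRIV_DEV" \
        "ip route replace default via $PUB_GW dev $PUB_DEV table $PUB_TABLE" \
        "ip rule add from $PUB_IP lookup $PUB_TABLE priority 1000" \
        "ip route flush cache"
}

# Model of the rule lookup: which table a packet with the given source address
# will consult, derived by parsing the emitted "ip rule" line rather than by
# restating the constants. Anything not matched falls through to "main".
route_table_for_source() {
    policy_routing_cmds | awk -v src="$1" '
        $1 == "ip" && $2 == "rule" && $4 == "from" && $5 == src { print $7; found = 1; exit }
        END { if (!found) print "main" }'
}

case "$1" in
    apply) policy_routing_cmds | while read -r cmd; do $cmd; done ;;  # needs root
    *)     policy_routing_cmds ;;                                      # dry run: just print
esac
```

Run the script without arguments to print the commands, or with `apply` as root to execute them. After applying, `ip route get 8.8.8.8 from 12.91.90.76` should report `dev eth1`, while `ip route get 8.8.8.8 from 192.168.10.5` (a Site1 host's decrypted, forwarded packet) should report `via 192.168.1.1 dev eth0`; if the first lookup still shows eth0, the rule was not installed or a lower-numbered rule is matching first (`ip rule show` lists them in priority order).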