[Openswan Users] Routing Question

Peter McGill petermcgill at goco.net
Mon Sep 11 10:06:25 EDT 2006 

> 1.  Which is better, default gw of the public IP, or the internal IP?
As far as I know Openswan needs it to be the public IP to work properly.
(Someone please correct me if I'm wrong.)

(Personnally, I do not like the idea of running all the traffic through one site:
#1 If you loose internet there, you loose it everywhere.
#2 Your bandwith/bill for that site will be much larger.
#3 It creates unneccessary traffic and loads for that site.)
However, assuming you still want to do this, I believe I have a solution
for you that is easier than defining a lot of static routes.

Let me just confirm that I understand your setup.
You have two sites, you've designated one Site1 (192.168.10.0/24),
the other I will designate Site0 (192.168.1.0/24).
At Site0 you are running Openswan on "openswan" (192.168.1.17, 12.91.90.76),
and a transparent proxy on "Private router" or simply "Router" (192.168.1.1, 12.191.90.67).
At Site1 you are are running an IPSec router, I'll assume Openswan again, though you didn't
specify. This is running on "Site1" (192.168.10.?, 12.178.243.42).

Here's how I think you can solve your problem.
Site1 default route to public interface.
Site1 ipsec.conf:
conn site1-net-to-site0-internet
    also=site1
    leftsubnet=192.168.10.0/24
    alsoflip=site0
    rightsubnet=0.0.0.0/0 # or %any
    auto=start

conn site1-router-to-site0-router # This conn is optional
    also=site1
    alsoflip=site0
    auto=start

Site0 "openswan" default route to public interface.
This way openswan will work properly.
Site0 "openswan" ipsec.conf:
conn site1-net-to-site0-internet
    also=site0
    leftsubnet=0.0.0.0/0 # or %any
    alsoflip=site1
    rightsubnet=192.168.10.0/24
    auto=start

conn site1-router-to-site0-router # This conn is optional
    also=site0
    alsoflip=site1
    auto=start

Add this to the end of both Site0 and Site1's ipsec.conf:
conn site0
    left=12.91.90.76
    leftnexthop=%defaultroute

conn site1
    left=12.178.243.42
    leftnexthop=%defaultroute

Site0 "openswan" specific route to public gateway:
ie) If Site0 "openswan" ISP gateway is 12.91.90.77 then,
route 12.91.90.77/32 to public interface.
We need this so that outbound traffic can find the gateway,
after we add a new "default route" to the proxy "Router".
Site0 "openswan" add two new routes, these will act as the
new "default route".
route 0.0.0.0/1 to "Router" 192.168.1.1
route 128.0.0.0/1 to "Router" 192.168.1.1
There may be a better way, but I believe this will work.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited

More information about the Users mailing list