[Openswan Users] openswan routes

Peter McGill petermcgill at goco.net
Mon Apr 16 13:19:13 EDT 2007


> -----Original Message-----
> Date: Sun, 15 Apr 2007 12:41:33 -0700 (PDT)
> From: dcyspm <dcyspm at yahoo.com>
> Subject: [Openswan Users] openswan routes
> To: users at openswan.org
> 
> I have a configuration where I need one tunnel on my
> internal network, and another over the internet.  Both
> tunnels work.  What I want to do now is to route
> packets from the source of the internal tunnel through
> the tunnel to my firewall and then through the second
> tunnel.  Packets will go through either tunnel, but
> they will not go through both.
> Tunnels:
> 
> 192.168.50.0/24 -- <internal corporate network > --
> <other internal corporate network> -- 192.168.40.0/24
> (works, packets from 192.168.50.x are encrypted and
> reach 192.168.40.x)
> 
> 192.168.40.0/24 -- <internet address my side> --
> <internet address remote side> -- 10.10.70.0/24
> (works, packets from 192.168.40.x reach 10.10.70.x)
> 
> I am trying to get packets from 192.168.50.x to
> 10.10.70.x.
> 
> The corporate network also has a route to the
> internet, but I have not been able to authenticate
> through it, I suspect it blocks some types of packets
> that I need to establish the connection.
> 
> I am a linux admin; my networking ability is only
> fair.  Please let me know if the answer is obvious.

This is not difficult, the thing to remember is that you
cannot use route or ip route to send traffic to the tunnels.
You must make a subnet for it in your ipsec.conf files.

For example, I imagine from your description you have conf's
similar to this:

gw50: the linux machine doing ipsec for 192.168.50.0/24
gw40: the linux machine doing ipsec for 192.168.40.0/24
gw70: the linux machine doing ipsec for 10.10.70.0/24

gw50 ipsec.conf:
conn net-50-to-net-40
	left=gw50
	leftsubnet=192.168.50.0/24
	right=gw40
	rightsubnet=192.168.40.0/24
	...

gw40 ipsec.conf:
conn net-50-to-net-40
	left=gw40
	leftsubnet=192.168.40.0/24
	right=gw50
	rightsubnet=192.168.50.0/24
	...

conn net-70-to-net-40
	left=gw40
	leftsubnet=192.168.40.0/24
	right=gw70
	rightsubnet=10.10.70.0/24
	...

gw70 ipsec.conf:
conn net-70-to-net-40
	left=gw70
	leftsubnet=10.10.70.0/24
	right=gw40
	rightsubnet=192.168.40.0/24
	...

Now what you need to do is add the following:

gw50 ipsec.conf:
# gw50 -> gw40 tunnel, carrying net 70 as the far subnet
conn net-50-to-net-70
	left=gw50
	leftsubnet=192.168.50.0/24
	right=gw40
	rightsubnet=10.10.70.0/24
	...

gw40 ipsec.conf:
# gw40's side of the gw50 tunnel: gw40 claims net 70 here
conn net-50-to-net-70
	left=gw40
	leftsubnet=10.10.70.0/24
	right=gw50
	rightsubnet=192.168.50.0/24
	...

# gw40's side of the gw70 tunnel: gw40 claims net 50 here
conn net-70-to-net-50
	left=gw40
	leftsubnet=192.168.50.0/24
	right=gw70
	rightsubnet=10.10.70.0/24
	...

gw70 ipsec.conf:
# gw70 -> gw40 tunnel, carrying net 50 as the far subnet
conn net-70-to-net-50
	left=gw70
	leftsubnet=10.10.70.0/24
	right=gw40
	rightsubnet=192.168.50.0/24
	...

That will do it.

Peter
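The subnet-pair rule above, as an added example that is not part of Peter's reply or of Openswan's own code: a small Python model of the per-conn policy. It shows why gw40 has no policy covering 192.168.50.x to 10.10.70.x until the extra conns exist (a route through the hub never helps, because IPsec policies are matched on the source/destination pair, not on the next hop), and it generates those extra conns for any number of spokes behind the hub. Gateway names, subnets and conn names are the thread's; Site, Conn, base_conns, add_transit, forward_path, outbound_conn and render are this example's own helpers, and the authentication and IKE settings are left out just as the thread's "..." leaves them out.

```python
"""Hub-and-spoke transit for Openswan: model the per-subnet-pair policy and
generate the extra conns the hub and spokes need (added example, not thread code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations


@dataclass(frozen=True)
class Site:
    gw: str        # gateway name as written in left= / right=
    subnet: str    # protected subnet behind that gateway
    label: str     # short tag used to build conn names (thread uses the third octet)


@dataclass(frozen=True)
class Conn:
    name: str
    left: str
    leftsubnet: str
    right: str
    rightsubnet: str

    def protects_out(self, src, dst):
        """Outbound policy match as seen by the 'left' gateway."""
        return src in ip_network(self.leftsubnet) and dst in ip_network(self.rightsubnet)

    def protects_in(self, src, dst):
        """Inbound policy match as seen by the 'left' gateway (mirror image)."""
        return src in ip_network(self.rightsubnet) and dst in ip_network(self.leftsubnet)


# Constructed topology matching the thread: gw40 is the hub, gw50 and gw70 the spokes.
HUB = Site("gw40", "192.168.40.0/24", "40")
SPOKES = [Site("gw50", "192.168.50.0/24", "50"), Site("gw70", "10.10.70.0/24", "70")]


def base_conns(hub, spokes):
    """The conns the poster already has: hub subnet <-> each spoke subnet."""
    cfg = {hub.gw: []}
    for s in spokes:
        name = f"net-{s.label}-to-net-{hub.label}"
        cfg[hub.gw].append(Conn(name, hub.gw, hub.subnet, s.gw, s.subnet))
        cfg[s.gw] = [Conn(name, s.gw, s.subnet, hub.gw, hub.subnet)]
    return cfg


def add_transit(cfg, hub, spokes):
    """Peter's fix generalised to N spokes: for each spoke pair (a, b) the hub gets a
    conn on a's tunnel claiming b's subnet and a conn on b's tunnel claiming a's;
    each spoke gets a conn to the hub whose rightsubnet is the far spoke's subnet."""
    out = {gw: list(conns) for gw, conns in cfg.items()}
    for a, b in combinations(spokes, 2):
        ab, ba = f"net-{a.label}-to-net-{b.label}", f"net-{b.label}-to-net-{a.label}"
        out[hub.gw] += [Conn(ab, hub.gw, b.subnet, a.gw, a.subnet),
                        Conn(ba, hub.gw, a.subnet, b.gw, b.subnet)]
        out[a.gw].append(Conn(ab, a.gw, a.subnet, hub.gw, b.subnet))
        out[b.gw].append(Conn(ba, b.gw, b.subnet, hub.gw, a.subnet))
    return out


def inbound_conn(cfg, gw, src, dst):
    """Name of the conn on gw that accepts src->dst from a tunnel, or None."""
    s, d = ip_address(src), ip_address(dst)
    return next((c.name for c in cfg[gw] if c.protects_in(s, d)), None)


def outbound_conn(cfg, gw, src, dst):
    """Name of the conn on gw that sends src->dst into a tunnel, or None."""
    s, d = ip_address(src), ip_address(dst)
    return next((c.name for c in cfg[gw] if c.protects_out(s, d)), None)


def forward_path(cfg, gw, src, dst):
    """A packet transits gw only if one conn lets it in and another sends it out;
    return (inbound, outbound) conn names, or None when either policy is missing."""
    i, o = inbound_conn(cfg, gw, src, dst), outbound_conn(cfg, gw, src, dst)
    return (i, o) if i and o else None


def render(cfg):
    """ipsec.conf conn stanzas per gateway (auth/IKE settings omitted, as in the thread)."""
    return {gw: "".join(f"conn {c.name}\n\tleft={c.left}\n\tleftsubnet={c.leftsubnet}\n"
                        f"\tright={c.right}\n\trightsubnet={c.rightsubnet}\n\n" for c in conns)
            for gw, conns in cfg.items()}


if __name__ == "__main__":
    before = base_conns(HUB, SPOKES)
    after = add_transit(before, HUB, SPOKES)
    print("before:", forward_path(before, "gw40", "192.168.50.10", "10.10.70.10"))
    print("after: ", forward_path(after, "gw40", "192.168.50.10", "10.10.70.10"))
    print(render(after)["gw40"])
```

Two things the model makes visible that the snippets alone do not: the hub needs both an inbound and an outbound policy for the same address pair, which is why it ends up with two extra conns per spoke pair rather than one, and every spoke pair needs its own set, so a third spoke would add four more conns on the hub. The model only covers the IPsec policy; gw40 must also have IP forwarding enabled and its firewall must permit traffic between the two tunnels, or the packets will be accepted from one tunnel and dropped before they reach the other.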


