[Openswan Users] routing issues and configuration questions

Chris.McGinley at sungard.com Chris.McGinley at sungard.com
Fri Apr 27 13:23:02 EDT 2007


I suspect that these questions may have been asked before, but I had a 
hard time finding a conclusive answer when searching online.

I have a routing problem that is occurring when I start ipsec that I need 
help with. If I start ipsec and get a successful connection to the right 
gateway, all is happy and routing works fine. However, if the right 
gateway is not available (for various reasons), local routing seems to be 
amiss. The routing table looks correct, but traffic gets stuck as if it 
only wants to go through the tunnel.

And, my question. I've designed my sites to all be part of the 
172.16.0.0/12 private IP range, breaking this into several /24 ranges per 
site. I want to set up the tunnel to have full access to the 4, 5, 6, etc. 
/24 subnets sitting at the other site. I tried to simply add additional 
connections in the config, but that seemed to break routing also. Your 
help is appreciated.

Here is a copy of my configuration with public info cleaned. loc1 has a 
public IP address on its interface, while loc2 has a private IP and is 
statically NATed through a firewall. Please let me know if I've neglected 
to provide enough info. BTW, these are both Gentoo systems with 2.6.17 (or 
better) kernels.

---- ipsec.conf ----
version 2.0

config setup
        interfaces="ipsec0=wan"
        klipsdebug=none
        plutodebug=none
        plutostderrlog=/var/log/ipsec/pluto.log
        # nat_traversal=yes

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

include /etc/ipsec/loc1-loc2.conf

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

---- loc1-loc2.conf ----
conn loc1-loc2-net
        also=ipsec-cfg
        also=loc1
        leftsubnet=172.16.3.0/24
        alsoflip=loc2
        rightsubnet=172.16.13.0/24
        auto=start

conn loc1-loc2-gate
        also=ipsec-cfg
        also=loc1
        alsoflip=loc2
        auto=start

conn ipsec-cfg
        keyexchange=ike
        ike=3des-sha-modp2048
        esp=3des-md5-96
        pfs=no

conn loc1
        left=x.x.x.x
        leftnexthop=x.x.x.y
        leftid="C=US, ST=..."
        leftcert=/etc/ipsec/ipsec.d/certs/loc1.pem
        leftsourceip=172.16.3.1

conn loc2
        left=y.y.y.y
        leftnexthop=172.16.13.1
        leftid="C=US..."
        leftcert=/etc/ipsec/ipsec.d/certs/loc2.pem
        leftsourceip=172.16.13.10

Thanks.
Chris
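As an added example (not part of Chris's post or of Openswan itself), here is a small parser that expands the also=/alsoflip= inheritance used in the posted config, so the effective left/right settings of loc1-loc2-net can be seen at a glance. It assumes settings written directly in a conn take precedence over inherited ones, and keeps the redacted x.x.x.x / y.y.y.y values as-is.

```python
# Added example, not from the post: expand an Openswan ipsec.conf conn's
# also=/alsoflip= inheritance into one flat settings dict. Assumes settings
# written directly in a conn take precedence over inherited ones.
CONF = """
conn loc1-loc2-net
        also=loc1
        leftsubnet=172.16.3.0/24
        alsoflip=loc2
        rightsubnet=172.16.13.0/24
conn loc1
        left=x.x.x.x
        leftnexthop=x.x.x.y
conn loc2
        left=y.y.y.y
        leftnexthop=172.16.13.1
        leftsourceip=172.16.13.10
"""  # constructed from the posted config; redacted values kept as-is

def parse_conns(text):
    """Return {conn_name: [(key, value), ...]} in file order."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments/whitespace
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = []
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            conns[cur].append((key.strip(), val.strip().strip('"')))
    return conns

def flip(key):
    """alsoflip= swaps sides: leftsubnet -> rightsubnet, rightid -> leftid."""
    if key.startswith("left"):
        return "right" + key[4:]
    return "left" + key[5:] if key.startswith("right") else key

def resolve(conns, name):
    """Recursively merge also=/alsoflip= sections; local settings win."""
    own, inherited = {}, {}
    for key, val in conns[name]:
        if key not in ("also", "alsoflip"):
            own[key] = val
        else:
            sub = resolve(conns, val)
            if key == "alsoflip":
                sub = {flip(k): v for k, v in sub.items()}
            for k, v in sub.items():
                inherited.setdefault(k, v)  # earlier also= keeps precedence
    return {**inherited, **own}
```

Running `resolve(parse_conns(CONF), "loc1-loc2-net")` shows loc2's left* settings arriving as right*, which is what the posted config relies on for the peer side.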