[Openswan Users] Routing issues with NETKEY - SOLVED

Nels Lindquist nlindq at maei.ca
Wed Jul 4 18:47:57 EDT 2007


Replying to my own post for the archives, in case anyone else wants to
do something similar.

Nels Lindquist wrote:

> I've got a tunnel set up between two networks using NETKEY, and I'm
> trying to route some additional static routes across the tunnel.
> 
> Here's what it looks like:
> 
>            Router AA
>           10.0.130.65
>                |
> [Network A]--------[Gateway A]========[Gateway B]------[Network B]
> 192.168.60.0/24                                       192.168.50.0/24
> 
> I need machines on Network B to be able to reach around 30 different
> netblocks for which Router AA is the gateway.
> 
> For this to work, I need Gateway A to SNAT packets coming from Network B
> (as they now do with Network A) so that they appear to be coming from
> 10.0.130.66.
> 
> Is this feasible?  What kind of approach should I be looking at?

Okay, here's what I did.

Revised map:

               WAN                      X WAN X
                |                          X
            Router AA                  Router BB
           10.0.130.65                10.0.130.129
                |                          X
[Network A]--------[Gateway A]========[Gateway B]------[Network B]
192.168.60.0/24         |                  |          192.168.50.0/24
                   192.168.60.1       192.168.50.1
                   10.0.130.66        10.0.130.130

Normally, Network B can access the WAN via router BB.  But Network B has
just been moved to a new physical location, and it'll be six weeks
before the WAN can be connected.

I created a VPN between 10.0.130.64/28 and 10.0.130.128/28.

I then created a GRE tunnel between 10.0.130.66 and 10.0.130.130:

For Gateway A:
modprobe ip_gre
ip tunnel add tun0 mode gre remote 10.0.130.130 local 10.0.130.66 ttl 255
ip link set tun0 up
ip link set tun0 mtu 1410
ip addr add 10.0.130.66 peer 10.0.130.130 dev tun0 (not sure if this is
strictly necessary due to remote/local definition above)
ip route del 10.0.130.128/28

The "ip route del" prevents packets from being routed over the IPSEC
tunnel directly, and makes sure they go through the GRE tunnel.

The equivalent setup is done on Gateway B, with the addition of a host
route for router AA.  I wasn't sure of the ip syntax, so I used:

route add -host 10.0.130.65 dev tun0

After that I was able to add all my static routes on Gateway B like so:

ip route add 10.1.123.0/24 via 10.0.130.65
ip route add 10.12.34.0/24 via 10.0.130.65

I had to mess around with iptables a bit to allow appropriate traffic
through, and set up SNAT from Network B (router AA will only allow
packets from the 10.0.130 network).

Nels Lindquist


More information about the Users mailing list