[Openswan Users] Routing issues with NETKEY - SOLVED

Nels Lindquist nlindq at maei.ca
Wed Jul 4 18:47:57 EDT 2007

Replying to my own post for the archives, in case anyone else wants to
do something similar.

Nels Lindquist wrote:

> I've got a tunnel set up between two networks using NETKEY, and I'm
> trying to route some additional static routes across the tunnel.
> Here's what it looks like:
>            Router AA
>                |
> [Network A]--------[Gateway A]========[Gateway B]------[Network B]
> I need machines on Network B to be able to reach around 30 different
> netblocks for which Router AA is the gateway.
> For this to work, I need Gateway A to SNAT packets coming from Network B
> (as they now do with Network A) so that they appear to be coming from
> Is this feasible?  What kind of approach should I be looking at?

Okay, here's what I did.

Revised map:

               WAN                      X WAN X
                |                          X
            Router AA                  Router BB
                |                          X
[Network A]--------[Gateway A]========[Gateway B]------[Network B]
         |                  |

Normally, Network B can access the WAN via router BB.  But Network B has
just been moved to a new physical location, and it'll be six weeks
before the WAN can be connected.

I created a VPN between and

I then created a GRE tunnel between and

For Gateway A:
modprobe ip_gre
ip tunnel add tun0 mode gre remote local ttl 255
ip link set tun0 up
ip link set tun0 mtu 1410
ip addr add peer dev tun0 (not sure if this is
strictly necessary due to remote/local definition above)
ip route del

The "ip route del" prevents packets from being routed over the IPSEC
tunnel directly, and makes sure they go through the GRE tunnel.

The equivalent setup is done on Gateway B, with the addition of a host
route for router AA.  I wasn't sure of the ip syntax, so I used:

route add -host dev tun0

After that I was able to add all my static routes on Gateway B like so:

ip route add via
ip route add via

I had to mess around with iptables a bit to allow appropriate traffic
through, and set up SNAT from Network B (router AA will only allow
packets from the 10.0.130 network).

Nels Lindquist
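Added example, not part of Nels' post: a script that reproduces the GRE-over-IPsec setup described above for both gateways, with the addresses that the archive stripped out replaced by assumed placeholders (192.0.2.1 / 198.51.100.1 for the two IPsec endpoints, 10.255.255.1 / 10.255.255.2 for the GRE tunnel ends, 10.0.130.0/24 for Network A, 10.0.140.0/24 for Network B, and 10.0.130.1 for Router AA). It also assumes the IPsec SA is host-to-host between the two gateway addresses so that the GRE packets are what gets encrypted, and that the route "ip route del" removes is the one the IPsec setup installed for the remote network. By default it only prints the commands it would run; set DRY_RUN=0 to execute them as root.

```shell
#!/bin/sh
# GRE over a NETKEY IPsec tunnel, as in the post. All addresses are assumed
# placeholders; the real values were stripped from the archived message.
# DRY_RUN=1 (default) prints each command instead of running it.

: "${DRY_RUN:=1}"

GW_A_PUBLIC=192.0.2.1      # Gateway A IPsec endpoint (assumed)
GW_B_PUBLIC=198.51.100.1   # Gateway B IPsec endpoint (assumed)
TUN_A=10.255.255.1         # GRE address on Gateway A (assumed)
TUN_B=10.255.255.2         # GRE address on Gateway B (assumed)
NET_A=10.0.130.0/24        # Network A; Router AA only accepts this source (assumed prefix)
NET_B=10.0.140.0/24        # Network B (assumed)
ROUTER_AA=10.0.130.1       # Router AA, reached only through Gateway A (assumed)
GW_A_LAN=10.0.130.2        # Gateway A's address on Network A, used as SNAT source (assumed)
LAN_IF=eth0                # Gateway A's interface towards Network A / Router AA (assumed)
TUN_DEV=tun0
TUN_MTU=1410               # leave room for GRE + ESP overhead inside a 1500-byte path
# Netblocks behind Router AA that Network B must reach (assumed; the post has ~30)
STATIC_NETS="172.16.10.0/24 172.16.20.0/24"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Common part: bring up a GRE tunnel whose outer packets travel inside IPsec.
gre_up() {
    local_ip=$1; remote_ip=$2; my_tun=$3; peer_tun=$4
    run modprobe ip_gre
    run ip tunnel add "$TUN_DEV" mode gre remote "$remote_ip" local "$local_ip" ttl 255
    run ip link set "$TUN_DEV" up
    run ip link set "$TUN_DEV" mtu "$TUN_MTU"
    run ip addr add "$my_tun" peer "$peer_tun" dev "$TUN_DEV"
    # Only GRE from the IPsec peer may reach the tunnel endpoint.
    run iptables -A INPUT -p gre -s "$remote_ip" -j ACCEPT
}

gateway_a_setup() {
    gre_up "$GW_A_PUBLIC" "$GW_B_PUBLIC" "$TUN_A" "$TUN_B"
    # Drop the route to Network B that the IPsec setup installed (assumption),
    # so packets for Network B enter the GRE tunnel instead of the raw SA.
    run ip route del "$NET_B"
    run ip route add "$NET_B" via "$TUN_B" dev "$TUN_DEV"
    # Network B traffic leaving towards Router AA must look like Network A.
    run iptables -A FORWARD -i "$TUN_DEV" -o "$LAN_IF" -s "$NET_B" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$TUN_DEV" -d "$NET_B" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$NET_B" -o "$LAN_IF" -j SNAT --to-source "$GW_A_LAN"
}

gateway_b_setup() {
    gre_up "$GW_B_PUBLIC" "$GW_A_PUBLIC" "$TUN_B" "$TUN_A"
    run ip route del "$NET_A"
    run ip route add "$NET_A" via "$TUN_A" dev "$TUN_DEV"
    # Host route for Router AA; the post used "route add -host ... dev tun0",
    # this is the equivalent ip(8) form.
    run ip route add "$ROUTER_AA" dev "$TUN_DEV"
    # Static routes for everything behind Router AA, via Gateway A's tunnel end.
    for net in $STATIC_NETS; do
        run ip route add "$net" via "$TUN_A"
    done
    run iptables -A FORWARD -i "$TUN_DEV" -j ACCEPT
    run iptables -A FORWARD -o "$TUN_DEV" -s "$NET_B" -j ACCEPT
}

echo "# Gateway A"; gateway_a_setup
echo "# Gateway B"; gateway_b_setup
```

With DRY_RUN=1 the script is a safe way to review the exact command sequence before touching a live gateway; the MTU of 1410 follows the post and keeps the inner packet plus GRE and ESP headers below the usual 1500-byte path MTU, which avoids fragmentation of the encrypted packets.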

