[Openswan Users] routes in openswan and kernel 2.6
Peter McGill
petermcgill at goco.net
Thu Jun 21 12:15:05 EDT 2007
> -----Original Message-----
> Date: Thu, 21 Jun 2007 11:22:47 -0300
> From: "Ethy H. Brito" <ethy.brito at inexo.com.br>
> Subject: [Openswan Users] routes in openswan and kernel 2.6
> To: users at openswan.org
>
> I have a working setup with kernel 2.6 (slackware 11) and
> openswan-2.4.8.
>
> It is composed by 4 machines:
>
> A- leftsubnet machine: 192.168.10.8/24
> B- left machine: 192.168.10.254 and a valid internet IP A.B.C.D
>
> C- right machine: 10.25.215.8 and a valid internet IP X.Y.T.Z
> D- rightsubnet machine: 10.25.215.254/24
>
> Behind 10.25.215.254 there is another net (172.16.0.0/16) that
> 192.168.10.8 *must* reach with IP 10.25.215.8. I, then, added
> an iptables
> NAT rule that does the trick.
>
> So, I can ping D (10.25.215.254) from A (192.168.10.8) (NATed to
> 10.25.215.8) but can't ping 172.16.x.x due to the lack of a route at B
> that send those packets thru the ipsec tunnel.
>
> I tried adding this route via 'ip route' but obviously it did
> not work.
>
> How can I add this missing route to the net behind D ??
>
> Ethy
You cannot use ip route or route to add routes through the tunnels; you
must add subnets, like so...
conn subnet1
    also=shared
    leftsubnet=192.168.10.0/24
    rightsubnet=10.25.215.0/24    # the right-hand LAN from the question (read 10.24 as a typo)
    auto=start
conn subnet2
    also=shared
    leftsubnet=192.168.10.0/24
    rightsubnet=172.16.0.0/16     # the net behind D, as a second subnet pair (was misspelt "righsubnet")
    auto=start
conn shared
    left=A.B.C.D
    right=X.Y.T.Z
    # etc...
All the other conn settings, except for left/rightsubnet and auto=start go in the shared conn.
Note the shared conn is not a real conn; it does not connect, it is just used by the other 2 conns.
Shared conn must come after the others in the file.
If that is unclear, I can be more specific if you show us your conn definition.
Peter
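The layout in the reply rests on two rules: traffic is selected for the tunnel by the leftsubnet/rightsubnet pair of a conn (not by the kernel routing table), and a section named in also= has to sit later in the file than the conn that references it. The script below is an added example, not code from the thread or from Openswan: it parses a small constructed ipsec.conf-style text, expands also= one level deep, flags the ordering problem, an unknown parameter name (which is how a misspelling such as "righsubnet" would otherwise be silently dropped), and an invalid CIDR, and then answers "which conn carries this source/destination pair" so the missing 172.16.0.0/16 pair shows up as a lookup miss. The parameter whitelist KNOWN_KEYS and the sample addresses are this example's own assumptions.

```python
"""Expand also= in an ipsec.conf-style text and sanity-check the subnet pairs.

Added example, not from the mailing list thread or from Openswan itself.
The parser, KNOWN_KEYS and the sample config are constructed for illustration.
"""
import ipaddress

# Parameter names this check understands (assumed subset); anything else is
# reported so a typo like "righsubnet" is caught instead of being ignored.
KNOWN_KEYS = {"also", "left", "right", "leftsubnet", "rightsubnet", "auto",
              "authby", "type", "leftid", "rightid", "keyexchange", "ike", "esp"}

# Constructed sample modelled on the reply: two subnet conns share one base conn.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn subnet1
    also=shared
    leftsubnet=192.168.10.0/24
    rightsubnet=10.25.215.0/24
    auto=start

conn subnet2
    also=shared
    leftsubnet=192.168.10.0/24
    rightsubnet=172.16.0.0/16
    auto=start

conn shared
    left=A.B.C.D
    right=X.Y.T.Z
    authby=secret
"""


def parse_sections(text):
    """Return an ordered list of (name, {key: value}) for every 'conn' section."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header at column 0
            kind, _, name = line.partition(" ")
            current = {} if kind == "conn" else None   # 'config setup' is skipped
            if current is not None:
                sections.append((name.strip(), current))
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def expand_conns(text):
    """Expand also= (one level) and return ({conn: params}, [problem strings])."""
    sections = parse_sections(text)
    index = {name: pos for pos, (name, _) in enumerate(sections)}
    params = dict(sections)
    expanded, problems = {}, []
    for pos, (name, body) in enumerate(sections):
        merged = dict(body)
        target = merged.pop("also", None)
        if target is not None:
            if target not in index:
                problems.append(f"{name}: also={target} names a missing section")
            else:
                if index[target] < pos:   # rule from the reply: shared conn comes last
                    problems.append(f"{name}: also={target} must appear later in the file")
                merged = {**params[target], **merged}   # the referencing conn wins
        for key, value in merged.items():
            if key not in KNOWN_KEYS:
                problems.append(f"{name}: unknown parameter '{key}' (typo?)")
            elif key.endswith("subnet"):
                try:
                    ipaddress.ip_network(value, strict=False)
                except ValueError:
                    problems.append(f"{name}: {key}={value} is not a valid CIDR")
        expanded[name] = merged
    return expanded, problems


def conn_for(expanded, src_ip, dst_ip):
    """Name of the conn whose subnet pair covers src->dst, or None if no pair matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, p in expanded.items():
        if "leftsubnet" not in p or "rightsubnet" not in p:
            continue   # the shared template has no subnets and never matches
        if (src in ipaddress.ip_network(p["leftsubnet"], strict=False)
                and dst in ipaddress.ip_network(p["rightsubnet"], strict=False)):
            return name
    return None


if __name__ == "__main__":
    conns, issues = expand_conns(SAMPLE_CONF)
    for issue in issues:
        print("problem:", issue)
    for dst in ("10.25.215.254", "172.16.1.1", "8.8.8.8"):
        print(f"192.168.10.8 -> {dst}: {conn_for(conns, '192.168.10.8', dst)}")
```

Run it against a real file by swapping SAMPLE_CONF for the file's contents; a destination that comes back as None is exactly the case in the question, and the fix is another subnet conn rather than an ip route entry.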