[Openswan Users] Routing issues with NETKEY

[Peter McGill]

> -----Original Message-----
> Date: Thu, 28 Jun 2007 12:32:21 -0600
> From: Nels Lindquist <nlindq at maei.ca>
> Subject: [Openswan Users] Routing issues with NETKEY
> To: users at openswan.org
> 
> Hi there.
> 
> I've got a tunnel set up between two networks using NETKEY, and I'm
> trying to route some additional static routes across the tunnel.
> 
> Here's what it looks like:
> 
>            Router AA
>           10.0.130.65
>                |
> [Network A]--------[Gateway A]========[Gateway B]------[Network B]
> 192.168.60.0/24                                       192.168.50.0/24
> 
> I need machines on Network B to be able to reach around 30 different
> netblocks for which Router AA is the gateway.
> 
> For this to work, I need Gateway A to SNAT packets coming 
> from Network B
> (as they now do with Network A) so that they appear to be coming from
> 10.0.130.66.
> 
> Is this feasible?  What kind of approach should I be looking at?
> 
> Thanks!
> 
> Nels Lindquist

When routing through openswan subnets, remember that you cannot add routes
Via ip route, etc... The only traffic that will pass through a tunnel
Is traffic that matches the tunnel's subnet definition. I doubt that
SNAT will work to make the routing decision to use the tunnel because
it happens in the postrouting chain.

To use an example from my own network.

highway7 network connects to delenn on stmarys network via direct dial modem.
delenn on stmarys network connects to sheridan on london network via openswan/internet.
For all three sites to talk here is the relavent conn definitions.

sheridan ipsec.conf:
conn stmarys-office-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.3.0/24
        alsoflip=stmarys-office
        rightsubnet=172.21.1.0/24
        auto=start

conn highway7-office-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.3.0/24
        alsoflip=stmarys-office
        rightsubnet=172.21.5.0/24
        auto=start

conn london-office
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftid=@sheridan.london.goco.net
        leftrsasigkey=...

conn stmarys-office
        left=69.x.x.x
        leftnexthop=%defaultroute
        leftid=@delenn.stmarys.goco.net
        leftrsasigkey=...

delenn ipsec.conf:
conn stmarys-office-net-to-london-office-net
        also=stmarys-office
        leftsubnet=172.21.1.0/24
        alsoflip=london-office
        rightsubnet=172.21.3.0/24
        auto=start

conn highway7-office-net-to-london-office-net
        also=stmarys-office
        leftsubnet=172.21.5.0/24
        alsoflip=london-office
        rightsubnet=172.21.3.0/24
        auto=start

conn london-office
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftid=@sheridan.london.goco.net
        leftrsasigkey=...

conn stmarys-office
        left=69.x.x.x
        leftnexthop=%defaultroute
        leftid=@delenn.stmarys.goco.net
        leftrsasigkey=...

Peter