[Openswan Users] Tunnel headends
Andy Gay
andy at andynet.net
Fri Mar 23 19:14:49 EDT 2007
On Sat, 2007-03-24 at 00:11 +0200, Andrei-Florian Staicu wrote:
> Andy Gay wrote:
> > On Fri, 2007-03-23 at 17:40 +0200, Andrei-Florian Staicu wrote:
> >
> >> Andy Gay wrote:
> >>
> >>> On Fri, 2007-03-23 at 15:13 +0200, Andrei-Florian Staicu wrote:
> >>>
> >>>
> >>>> 192.168.3.0/24===<extipA>[@srvA]...<extipB>[@srvB]===192.168.4.0/24
> >>>>
> >>>>
> >>> Yes, use <left/right>sourceip.
> >>>
> >>> Assuming your conns are written with left/right as you show above,
> >>> use leftsourceip=192.168.3.1 on srvA, rightsourceip=192.168.4.1 on srvB.
> >>>
> >>> E.g. if the conn on srvA has leftsubnet=192.168.3.1/24, then add
> >>> leftsourceip=192.168.3.1. Similarly on srvB, if it has
> >>> rightsubnet=192.168.4.0/24, then add rightsourceip=192.168.4.1
> >>>
> >> What happens if behind srvB I have another subnet, let's say
> >> 10.0.0.0/24, with 10.0.0.1 on srvB, and I want to access it from location
> >> A? Can I route it through the tunnel? Or what steps should I take?
> >>
> >
> > Add another tunnel. Most parameters will be the same as your existing
> > conn, just change rightsubnet=192.168.4.0/24 to rightsubnet=10.0.0.0/24.
> >
> I don't get it. Shouldn't
> ip route add 10.0.0.0/24 src 192.168.3.1 via 192.168.4.1
> on srvA work, since now I can reach srvB from srvA?
No. That's a common misconception. You need to remember that IPsec
tunnels have a policy associated with them; that's what you're
configuring in your left/rightsubnet entries. No packets will be allowed
into the tunnel unless their source and destination addresses are both
inside those networks.
It's easy to add additional tunnels though.
> --
> Andrei-Florian STAICU
> Network administrator
> Tel: (+40) 741.227.014
> IPSO S.A.
>
>
>
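The point Andy makes above (the left/rightsubnet pair is a policy selector, not a route, so a packet enters the tunnel only when both its source and destination fall inside the configured networks) can be seen by modelling the policy lookup. The following is an added illustration written for this archive page, not code from Openswan or from either poster: it parses a small ipsec.conf-style fragment with the original conn plus the second conn the reply recommends (same endpoints, `rightsubnet` changed to 10.0.0.0/24, using Openswan's `also=` to inherit the rest), builds a simplified security policy list from it, and checks which packets match. The external addresses 203.0.113.10 and 198.51.100.20 and the conn names are constructed sample values; real kernel policies also carry protocol/port selectors, which this model leaves out.

```python
"""Simplified model of how IPsec policy selectors (Openswan left/rightsubnet)
decide whether a packet is placed into a tunnel.  Added illustration for the
mailing-list thread above; not Openswan's own code."""
import ipaddress
import re

# Constructed sample config: the original LAN-to-LAN conn, plus a second conn
# for the extra 10.0.0.0/24 network behind srvB, as recommended in the reply.
# External IPs and conn names are assumed values for the example.
SAMPLE_CONF = """\
conn lanA-lanB
    left=203.0.113.10
    leftsubnet=192.168.3.0/24
    leftsourceip=192.168.3.1
    right=198.51.100.20
    rightsubnet=192.168.4.0/24
    rightsourceip=192.168.4.1
    auto=start

conn lanA-lanB-10
    also=lanA-lanB
    rightsubnet=10.0.0.0/24
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section.

    'also=NAME' is resolved by copying NAME's parameters first and then
    applying the section's own keys on top (one level of nesting, which is
    all the sample needs)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError("parameter before any 'conn' section: %r" % line)
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()

    resolved = {}
    for name, params in conns.items():
        merged = dict(conns[params["also"]]) if "also" in params else {}
        merged.update({k: v for k, v in params.items() if k != "also"})
        resolved[name] = merged
    return resolved


def build_spd(conns):
    """Each conn contributes one policy entry: traffic between leftsubnet and
    rightsubnet.  This is the selector the kernel consults, independent of
    whatever the routing table says."""
    return [(name,
             ipaddress.ip_network(p["leftsubnet"]),
             ipaddress.ip_network(p["rightsubnet"]))
            for name, p in conns.items()]


def select_policy(spd, src, dst):
    """Return the name of the first conn whose selectors cover the packet,
    or None.  Both endpoints must lie inside the policy's networks; a route
    pointing at the far gateway does not change this result."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, left, right in spd:
        if (s in left and d in right) or (s in right and d in left):
            return name
    return None


def demo():
    """Compare the single-conn setup with the two-conn setup."""
    all_conns = parse_conns(SAMPLE_CONF)
    single = build_spd({k: v for k, v in all_conns.items() if k == "lanA-lanB"})
    both = build_spd(all_conns)
    return {
        # ordinary LAN-to-LAN traffic matches the first conn
        "lan-to-lan": select_policy(both, "192.168.3.7", "192.168.4.9"),
        # with only one conn, 192.168.3.1 -> 10.0.0.5 matches nothing, even if
        # 'ip route add 10.0.0.0/24 ... via 192.168.4.1' exists on srvA
        "to-10-single-conn": select_policy(single, "192.168.3.1", "10.0.0.5"),
        # the second conn supplies the missing selector
        "to-10-both-conns": select_policy(both, "192.168.3.1", "10.0.0.5"),
        # traffic the gateway sources from its external IP matches nothing,
        # which is why leftsourceip=192.168.3.1 is needed for srvA's own traffic
        "ext-ip-src": select_policy(both, "203.0.113.10", "10.0.0.5"),
    }


if __name__ == "__main__":
    for case, conn in demo().items():
        print("%-20s -> %s" % (case, conn or "no policy match"))
```

Running the block prints one line per case; the two "to-10" cases together show why the extra route alone does nothing while a second conn with the new `rightsubnet` works, and the last case shows why `leftsourceip` is needed for traffic originated by the gateway itself.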