[Openswan Users] Tunnel headends

Paul Wouters paul at xelerance.com
Sun Mar 25 14:54:34 EDT 2007


On Sun, 25 Mar 2007, Benny Amorsen wrote:

> >>>>> "PW" == Paul Wouters <paul at xelerance.com> writes:
>
> PW> So where does 1.2.3.4 live? This side or that side? And once the
> PW> packet got across, where does it go? Back through the tunnel?
>
> Depends on which routing you set up. Just like it does with a GRE
> tunnel.

I am not so sure about that. On the originating end, you are controlling
things by adding/not adding routes, but on the receiving end, the packet
is within KLIPS (since it just got received and decrypted) and then
where does the packet go from there? KLIPS will likely want to put it
back in the tunnel, since it has a matching IPsec SA for the packet.

> PW> Having those routes would cause you to have to set manual routes
> PW> on every node. You would run the risk of endlessly looping
> PW> packets, and you will find it impossible to run a firewall with
> PW> all packets popping up everywhere.
>
> It will not be particularly different from a GRE tunnel.

True.

> PW> You can do 10.a.b.0/24 === 0.0.0.0/0. In fact, that is exactly how
> PW> I am connected at home (my home network goes entirely through
> PW> IPsec)
>
> Yes, that certainly works. It's just a bit inconvenient to not be able
> to reach the client's outside address through the internet, except
> when the tunnel is down.

193.110.157.30 is the IPsec gateway of my home /28 tunneled over IPsec. You
can ping it fine from anywhere in the world and from the LAN.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
