[Openswan Users] Tunnel setup limitation

Paul Wouters paul at xelerance.com
Thu May 31 10:02:45 EDT 2007


On Thu, 31 May 2007, Alain RICHARD wrote:

> My problem is that if I try to establish the following tunnels :
>
> a) 192.168.50.0/24 - GW1 - GW2 - 192.168.1.0/24
> b) 192.168.60.0/24 - GW1 - GW3 - 192.168.1.0/24

So how would the ipsec server (whether it be kernel or userland) know
whether these were two "different" 192.168.1.0/24's or whether they
would be the "same"?

> I get a problem because GW1 refuses to establish tunnel b when tunnel a is
> already up (and if the reverse is true: it refuses to establish the tunnel b when
> tunnel a is already up).

Yes, because a subnet can only live in one place.

> In my case, I am using netkey and not klips. I don't know if this is a
> limitation of klips, but this is not a limitation of netkey as it is possible
> to set this up using setkey -P or ip xfrm policy.

Yes, you can define completely bogus policies manually with those tools.

> So it seems to be a big limitation in pluto.

It's not a bug - it's a security feature.

> I have opened bug #800 on http://bugs.xelerance.com.

I think what you really want to do is to set up two different host-host
IPsec tunnels, and use something like GRE inside.
See: http://www.xelerance.com/talks/lk2003/

Paul
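The conflict discussed in this thread, as an added example that is not part of the original message or of Openswan's code: a small checker over constructed ipsec.conf-style conn definitions (gateway addresses are made up, taken from documentation ranges) that flags two conns whose remote subnets overlap while pointing at different peer gateways, the ambiguity pluto refuses, and shows that the host-to-host variant with GRE inside no longer collides.

```python
import ipaddress
from itertools import combinations

# Constructed conn definitions modelled on the thread: GW1 (left) reaches a
# 192.168.1.0/24 behind GW2 and another 192.168.1.0/24 behind GW3.
SUBNET_CONNS = {
    "a": {"left": "203.0.113.1", "leftsubnet": "192.168.50.0/24",
          "right": "198.51.100.2", "rightsubnet": "192.168.1.0/24"},
    "b": {"left": "203.0.113.1", "leftsubnet": "192.168.60.0/24",
          "right": "198.51.100.3", "rightsubnet": "192.168.1.0/24"},
}

# The host-to-host alternative suggested above: the IPsec selector is the
# peer gateway itself (GRE, IP protocol 47, rides inside), so the private
# subnets never appear in the IPsec policy at all (constructed, as above).
GRE_CONNS = {
    "a-gre": {"left": "203.0.113.1", "leftsubnet": "203.0.113.1/32",
              "right": "198.51.100.2", "rightsubnet": "198.51.100.2/32"},
    "b-gre": {"left": "203.0.113.1", "leftsubnet": "203.0.113.1/32",
              "right": "198.51.100.3", "rightsubnet": "198.51.100.3/32"},
}


def conflicting_conns(conns):
    """Return pairs of conn names whose remote subnets overlap while the
    traffic would be handed to different peer gateways.

    A packet for such a destination cannot be mapped to exactly one SA, so
    the policy is ambiguous ("a subnet can only live in one place").
    Deliberately ignores the left (source) subnet, mirroring the rule the
    thread describes rather than raw xfrm selector matching.
    """
    found = []
    for (name1, c1), (name2, c2) in combinations(conns.items(), 2):
        remote1 = ipaddress.ip_network(c1["rightsubnet"])
        remote2 = ipaddress.ip_network(c2["rightsubnet"])
        if remote1.overlaps(remote2) and c1["right"] != c2["right"]:
            found.append((name1, name2))
    return found


if __name__ == "__main__":
    print("subnet-to-subnet conflicts:", conflicting_conns(SUBNET_CONNS))
    print("host-to-host (GRE) conflicts:", conflicting_conns(GRE_CONNS))
```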

