[Openswan Users] Tunnel setup limitation
Paul Wouters
paul at xelerance.com
Thu May 31 10:02:45 EDT 2007
On Thu, 31 May 2007, Alain RICHARD wrote:
> My problem is that if I try to establish the following tunnels:
>
> a) 192.168.50.0/24 - GW1 - GW2 - 192.168.1.0/24
> b) 192.168.60.0/24 - GW1 - GW3 - 192.168.1.0/24
So how would the ipsec server (whether it be kernel or userland) know
whether these were two "different" 192.168.1.0/24's or whether they
would be the "same"?
> I get a problem because GW1 refuses to establish tunnel b when tunnel a is
> already up (and the reverse is true: it refuses to establish tunnel b when
> tunnel a is already up).
Yes, because a subnet can only live on 1 place.
> In my case, I am using netkey and not klips. I don't know if this is a
> limitation of klips, but this is not a limitation of netkey as it is possible
> to set this up using setkey -P or ip xfrm policy.
Yes, you can define complete bogus policies manually with those tools.
> So it seems to be a big limitation in pluto.
It's not a bug - it's a security feature.
> I have opened a bug# 800 on http://bugs.xelerance.com.
I think what you really want to do is set up two different host-host
IPsec tunnels, and use something like GRE inside.
See: http://www.xelerance.com/talks/lk2003/
Paul
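As an added illustration (not part of this thread, and not Openswan's own code): a toy model of the rule Paul describes, where a remote subnet may be claimed by only one peer, followed by the host-host alternative in which the ambiguous 192.168.1.0/24 destination is resolved by source-based routing in the GRE overlay instead of in the IPsec policy. The gateway addresses are constructed documentation-range values.

```python
import ipaddress as ipa

# Constructed gateway addresses (RFC 5737 ranges); the thread names no IPs.
GW1, GW2, GW3 = "203.0.113.1", "198.51.100.2", "198.51.100.3"


class PolicyConflict(Exception):
    """A remote subnet would become reachable through two different peers."""


class TunnelPolicies:
    """Toy model of the net-to-net policies one gateway holds, mirroring
    the rule that a remote subnet can live behind only one peer."""

    def __init__(self):
        self.entries = []  # (local_net, remote_net, peer)

    def add(self, local, remote, peer):
        local, remote = ipa.ip_network(local), ipa.ip_network(remote)
        for _, other_remote, other_peer in self.entries:
            if other_peer != peer and other_remote.overlaps(remote):
                raise PolicyConflict(
                    f"{remote} is already claimed by {other_peer}; refusing {peer}")
        self.entries.append((local, remote, peer))
        return len(self.entries)


def net_to_net_conflict():
    """Reproduce the refusal from the thread: tunnel a up, tunnel b refused."""
    spd = TunnelPolicies()
    spd.add("192.168.50.0/24", "192.168.1.0/24", GW2)      # tunnel a
    try:
        spd.add("192.168.60.0/24", "192.168.1.0/24", GW3)  # tunnel b
    except PolicyConflict:
        return True
    return False


def host_to_host_ok():
    """The alternative: two host-host tunnels with distinct /32 remotes."""
    spd = TunnelPolicies()
    spd.add(f"{GW1}/32", f"{GW2}/32", GW2)
    spd.add(f"{GW1}/32", f"{GW3}/32", GW3)
    return len(spd.entries)


# Constructed overlay rules: the *source* subnet selects the GRE interface
# (policy routing), because the destination 192.168.1.0/24 is ambiguous.
OVERLAY_RULES = [("192.168.50.0/24", "gre-gw2"), ("192.168.60.0/24", "gre-gw3")]


def overlay_interface(rules, src_ip, dst_ip):
    """Return the GRE interface carrying a packet in the overlay, or None."""
    src = ipa.ip_address(src_ip)
    for src_net, iface in rules:
        if src in ipa.ip_network(src_net):
            return iface
    return None
```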