[Openswan Users] Help required - routing ipsec (native Kernel 2.6) on a multi-homed host?
Paul Wouters
paul at xelerance.com
Thu Nov 8 09:54:42 EST 2007
On Thu, 8 Nov 2007, Alex Ip wrote:
> Can anyone suggest a nicer way for me to put all ipsec traffic on
> one interface using the native 2.6 kernel ipsec stack while leaving
> everything else (preferably including the unencrypted node-node traffic) on
> the other? It looks like I can force ipsec to use a particular interface if
> I use Klips, but I am trying to avoid having to install and maintain Klips
> if I can help it. Note that ipsec works just fine so long as the routing is
> set up correctly beforehand. I hope I've explained the problem clearly
> enough - thanks in anticipation.
You can create passthrough connections, something like (untested):
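
conn passthrough1
    left=yourip
    leftsubnet=yoursubnet/mask
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    # email (protocol 6 = TCP, port 25 = SMTP)
    rightprotoport=6/25
    # pass matching traffic through without IPsec processing
    type=passthrough
    # never attempt or accept negotiation for this conn
    authby=never
    auto=route
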
It will be a bit tricky for random high ports (as %any will cause other
problems), so you will have to try and play around with these for a bit.
(Or just use a right=ip.of.mail.server instead)
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155