[Openswan Users] routing and ipsec eroute

Toby Heywood theywood at alaric.com
Thu Oct 11 09:22:03 EDT 2007


I have an OpenSwan box (on network B) with two established tunnels. One
to a remote office (network A) and one to a customers network (network
C). I need to be able to route the traffic from network A through to
network C and vice versa.

So far I have added a route on the Openswan box (OS1) to send traffic
towards the server OS2, which will then pass the traffic on to the
customers network by way of the established tunnel.

I can see ICMP traffic from WKSTN-A using tcpdump hitting the ipsec0
interface, but when looking at eth0 no ESP traffic is being generated.
I've looked at ipsec eroute, but not sure how best to configure this for
my needs, is this correct?

I tried

ipsec eroute --add --eraf inet --src \
--dst --af inet --edst \
--said %pass

and also tried a similar command where I replaced --said with --spi
0xnnnn --proto tun (nnnn represents the random spi number) but still
could not get the traffic to travel over the tunnel.

Am I doing something wrong? I've been googling an awful lot trying to
work out how best to do this, but either I'm not searching for the right
things or my poor little brain has had a meltdown trying to work out the
way the routing should take place.

I would be grateful for any help, advice or pointers anyone would like
to give.  OS, Openswan and subnet details below.


All openswans are the same spec and build.

Fedora Core 6
OpenSwan 2.4.8rc1 (KLIPS)


eth0	-	External Interface
ipsec0	-	IPSEC Interface
eth1	-	Internal Interface

------ - Network A (WKSTN-A)
	| - Network A (OS1)
	|| - Network B (OS2)
	||   - Network C (Sidewinder G2)
	|   - Network C (WKSTN-B)

Thank you in advance.


Alaric Systems Ltd. Registered in England No. 3314005 Registered Office:
108 Linton House, 164-180 Union Street, London SE1 0LH

This e-mail has been scanned for all known viruses by Star. The
service is powered by MessageLabs.

More information about the Users mailing list