[Openswan Users] routing and ipsec eroute

Paul Wouters paul at xelerance.com
Thu Oct 11 09:35:00 EDT 2007


On Thu, 11 Oct 2007, Toby Heywood wrote:

> I have an OpenSwan box (on network B) with two established tunnels. One
> to a remote office (network A) and one to a customer's network (network
> C). I need to be able to route the traffic from network A through to
> network C and vice versa.
>
> So far I have added a route on the Openswan box (OS1) to send traffic
> towards the server OS2, which will then pass the traffic on to the
> customer's network by way of the established tunnel.

Uhm, no. IPsec is not a "virtual ethernet". The tunnel has strict
policies. Anything you "route add" into it, will get dropped, unless
you add a tunnel definition for that specific source-destination
combination.

> I can see ICMP traffic from WKSTN-A using tcpdump hitting the ipsec0
> interface, but when looking at eth0 no ESP traffic is being generated.

That is the correct (secure) behaviour.

> I've looked at ipsec eroute, but not sure how best to configure this for
> my needs, is this correct?
>
> I tried
>
> ipsec eroute --add --eraf inet --src 192.168.60.0/24 \
> --dst 172.16.1.0/24 --af inet --edst 192.168.50.5 \
> --said %pass

pass eroutes won't help. Even if you screw enough to inject policies that
will make the packets actually get encrypted and go, the OTHER end will
reject the packet based on ITS security policies.

Just add connections with the proper src/dst defined.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
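Added example (not from this thread or the Openswan project): the connection definitions Paul's answer calls for. The hub gateway in network B needs one conn per source/destination subnet pair it should carry, and each spoke gateway needs the mirror definition, because the peer's own policy otherwise rejects the traffic. All addresses, subnets and conn names are assumptions made for this example.

```ini
# /etc/ipsec.conf on the Openswan hub in network B (constructed addresses):
#   network A 10.1.0.0/16 behind gateway 198.51.100.1
#   network B 10.2.0.0/16 behind this host, public IP 203.0.113.1
#   network C 10.3.0.0/16 behind gateway 192.0.2.1
# Pre-shared keys for both peers are assumed to be in /etc/ipsec.secrets,
# and net.ipv4.ip_forward=1 must be set on the hub for transit traffic.

# Existing spoke tunnels: B <-> A and B <-> C
conn b-to-a
    left=203.0.113.1
    leftsubnet=10.2.0.0/16
    right=198.51.100.1
    rightsubnet=10.1.0.0/16
    authby=secret
    auto=start

conn b-to-c
    left=203.0.113.1
    leftsubnet=10.2.0.0/16
    right=192.0.2.1
    rightsubnet=10.3.0.0/16
    authby=secret
    auto=start

# Transit policies: A <-> C traffic must match an SA whose selectors are
# exactly the A and C subnets. Without these, packets from A bound for C
# arrive at the hub, match no policy, and are dropped (no ESP leaves eth0).
conn a-via-b-to-c        # carried over the tunnel to C's gateway
    left=203.0.113.1
    leftsubnet=10.1.0.0/16
    right=192.0.2.1
    rightsubnet=10.3.0.0/16
    authby=secret
    auto=start

conn c-via-b-to-a        # carried over the tunnel to A's gateway
    left=203.0.113.1
    leftsubnet=10.3.0.0/16
    right=198.51.100.1
    rightsubnet=10.1.0.0/16
    authby=secret
    auto=start

# Mirror on A's gateway (198.51.100.1); C's gateway gets the analogous conn.
# conn a-to-c-via-b
#     left=198.51.100.1     leftsubnet=10.1.0.0/16
#     right=203.0.113.1     rightsubnet=10.3.0.0/16
#     authby=secret         auto=start
```

After `ipsec auto --add <conn>` and `ipsec auto --up <conn>` on each gateway, `ipsec eroute` on the hub should list one entry per subnet pair, with no `%pass` entries needed.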

