[Openswan Users] routing and ipsec eroute

Peter McGill petermcgill at goco.net
Thu Oct 11 09:45:11 EDT 2007


You can't add routes to send traffic through a tunnel.

You must add left/rightsubnet parameters with the subnets you want to route.
Show me your ipsec.conf and I can be more specific.

Example (if this were your conf...):
conn a
	left=... # openswan internet ip
	leftsubnet=10.0.1.0/24 # local net
	rightsubnet=10.0.2.0/24 # remote office
	right=... # remote office internet ip
	...
conn b
	left=... # openswan internet ip
	leftsubnet=10.0.1.0/24 # local net
	rightsubnet=10.0.3.0/24 # customer net
	right=... # customer internet ip
	...
Then add these connections...
conn a2
	left=... # openswan internet ip
	leftsubnet=10.0.3.0/24 # customer net
	rightsubnet=10.0.2.0/24 # remote office
	right=... # remote office internet ip
	...
conn b2
	left=... # openswan internet ip
	leftsubnet=10.0.2.0/24 # remote office
	rightsubnet=10.0.3.0/24 # customer net
	right=... # customer internet ip
	...

Also be sure to add routes for the remote office net to the customer VPN host at the customer net,
and for the customer net to the remote office VPN host at the remote office net, if the VPN machines
at each site are not also the default gateways.

Peter McGill
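The reply above describes a hub-and-spoke pattern: the hub needs one conn per (source subnet, destination subnet) pair it is expected to tunnel, and spoke LANs need routes for the other spoke's subnet pointing at their local VPN host. The script below is an added example, not code from this post or from the Openswan project. It generalises the a/b plus a2/b2 pattern to any number of spokes and emits the hub-side conn blocks, the eroutes you should then see, and the spoke-side routes. Site names, addresses, conn names and the "lan_ip" field are constructed for illustration.

```python
"""Hub-side ipsec.conf generator for spoke-to-spoke traffic via an Openswan hub.

Added example, not code from the list post or from the Openswan project.
The site names, addresses and conn names are constructed for illustration.
Taken from the reply above: every pair of subnets that must talk through the
hub needs its own conn with matching leftsubnet/rightsubnet, and LAN hosts at
a spoke need a route for the other spoke's subnet pointing at the local VPN
host when that host is not the default gateway.
"""

# Constructed topology.  Public addresses are RFC 5737 documentation ranges.
# "lan_ip" is the spoke VPN host's inside address, an assumption used only
# for the spoke-side route output.
HUB = {"ip": "203.0.113.1", "subnet": "10.0.1.0/24"}
SPOKES = {
    "office":   {"ip": "198.51.100.2", "subnet": "10.0.2.0/24", "lan_ip": "10.0.2.1"},
    "customer": {"ip": "192.0.2.3",    "subnet": "10.0.3.0/24", "lan_ip": "10.0.3.1"},
}

CONN_KEYS = ("left", "leftsubnet", "right", "rightsubnet")


def hub_conns(hub, spokes):
    """Return [(conn_name, settings)] covering every subnet pair the hub tunnels.

    For each spoke J there is one conn per source subnet that must reach J:
    the hub's own LAN (the conns the poster already had) plus the LAN of
    every other spoke I (the extra a2/b2-style conns).  Two spokes give
    4 conns; N spokes give N*N.
    """
    conns = []
    for name_j, spoke_j in spokes.items():
        sources = [("hub", hub["subnet"])] + [
            (name_i, spoke_i["subnet"])
            for name_i, spoke_i in spokes.items()
            if name_i != name_j
        ]
        for name_i, src_subnet in sources:
            conns.append((f"{name_i}-to-{name_j}", {
                "left": hub["ip"],
                "leftsubnet": src_subnet,
                "right": spoke_j["ip"],
                "rightsubnet": spoke_j["subnet"],
            }))
    return conns


def render(conns, auto="add"):
    """Render conn blocks in ipsec.conf syntax.  Only the addressing keys are
    emitted; authentication settings (authby, keys) are site-specific."""
    out = []
    for name, settings in conns:
        out.append(f"conn {name}")
        for key in CONN_KEYS:
            out.append(f"\t{key}={settings[key]}")
        out.append(f"\tauto={auto}")
        out.append("")
    return "\n".join(out)


def expected_eroutes(conns):
    """(src, dst) pairs that `ipsec eroute` on the hub should list once the
    conns are up: one entry per conn, leftsubnet -> rightsubnet."""
    return sorted((s["leftsubnet"], s["rightsubnet"]) for _, s in conns)


def spoke_lan_routes(spokes, this_spoke):
    """Routes that hosts (or the default gateway) on this spoke's LAN need so
    that the other spokes' subnets are handed to the local VPN host."""
    via = spokes[this_spoke]["lan_ip"]
    return [
        f"ip route add {spoke['subnet']} via {via}"
        for name, spoke in spokes.items()
        if name != this_spoke
    ]


if __name__ == "__main__":
    conns = hub_conns(HUB, SPOKES)
    print(render(conns))
    for src, dst in expected_eroutes(conns):
        print(f"# expect eroute {src} -> {dst}")
    for name in SPOKES:
        print(f"# on the {name} LAN:")
        for cmd in spoke_lan_routes(SPOKES, name):
            print("#   " + cmd)
```

Two things to check after loading the output with `ipsec auto --add <conn>` and `ipsec auto --up <conn>`: the peer must carry a matching conn too (the same blocks can be loaded unchanged at a spoke, since Openswan picks its own side by matching left/right against its addresses), because a spoke will not negotiate a leftsubnet/rightsubnet pair it has no conn for; and the hub must have IP forwarding enabled. `ipsec eroute` on the hub should then show one entry per pair returned by expected_eroutes, which is the entry the original poster was trying to create by hand.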
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Toby Heywood
> Sent: October 11, 2007 9:22 AM
> To: users at openswan.org
> Subject: [Openswan Users] routing and ipsec eroute
> 
> Hi,
> 
> I have an OpenSwan box (on network B) with two established tunnels. One
> to a remote office (network A) and one to a customer's network (network
> C). I need to be able to route the traffic from network A through to
> network C and vice versa.
> 
> So far I have added a route on the Openswan box (OS1) to send traffic
> towards the server OS2, which will then pass the traffic on to the
> customer's network by way of the established tunnel.
> 
> I can see ICMP traffic from WKSTN-A using tcpdump hitting the ipsec0
> interface, but when looking at eth0 no ESP traffic is being generated.
> I've looked at ipsec eroute, but not sure how best to configure this for
> my needs, is this correct?
> 
> I tried
> 
> ipsec eroute --add --eraf inet --src 192.168.60.0/24 \
> --dst 172.16.1.0/24 --af inet --edst 192.168.50.5 \
> --said %pass
> 
> and also tried a similar command where I replaced --said with --spi
> 0xnnnn --proto tun (nnnn represents the random spi number) but still
> could not get the traffic to travel over the tunnel.
> 
> Am I doing something wrong? I've been googling an awful lot trying to
> work out how best to do this, but either I'm not searching for the right
> things or my poor little brain has had a meltdown trying to work out the
> way the routing should take place.
> 
> I would be grateful for any help, advice or pointers anyone would like
> to give.  OS, Openswan and subnet details below.
> 
> ------
> 
> All openswans are the same spec and build.
> 
> Fedora Core 6
> OpenSwan 2.4.8rc1 (KLIPS)
> 
> ------
> 
> eth0	-	External Interface
> ipsec0	-	IPSEC Interface
> eth1	-	Internal Interface
> 
> ------
> 
> 192.168.60.2 - Network A (WKSTN-A)
> 	|
> 	|
> 192.168.60.5 - Network A (OS1)
> 	||
> 	||
> 192.168.50.5 - Network B (OS2)
> 	||
> 	||
> 172.16.1.1   - Network C (Sidewinder G2)
> 	|
> 	|
> 172.16.1.2   - Network C (WKSTN-B)
> 
> 
> Thank you in advance.
> 
> TH
> 
