[Openswan Users] routing and ipsec eroute
Toby Heywood
theywood at alaric.com
Thu Oct 11 20:11:56 EDT 2007
Hi Paul,
Thank you for your reply. As per your email I set up an additional
connection on each openswan box, and after spotting a few typos, I now
have traffic routing just as I wanted.
Thank you for your help, keep up the good work.
Regards
Toby
Paul Wouters wrote:
> On Thu, 11 Oct 2007, Toby Heywood wrote:
>
>> I have an OpenSwan box (on network B) with two established tunnels. One
>> to a remote office (network A) and one to a customer's network (network
>> C). I need to be able to route the traffic from network A through to
>> network C and vice versa.
>>
>> So far I have added a route on the Openswan box (OS1) to send traffic
>> towards the server OS2, which will then pass the traffic on to the
>> customer's network by way of the established tunnel.
>
> Uhm, no. IPsec is not a "virtual ethernet". The tunnel has strict
> policies. Anything you "route add" into it, will get dropped, unless
> you add a tunnel definition for that specific source-destination
> combination.
>
>> I can see ICMP traffic from WKSTN-A using tcpdump hitting the ipsec0
>> interface, but when looking at eth0 no ESP traffic is being generated.
>
> That is the correct (secure) behaviour.
>
>> I've looked at ipsec eroute, but I'm not sure how best to configure this
>> for my needs. Is this correct?
>>
>> I tried
>>
>> ipsec eroute --add --eraf inet --src 192.168.60.0/24 \
>> --dst 172.16.1.0/24 --af inet --edst 192.168.50.5 \
>> --said %pass
>
> pass eroutes won't help. Even if you screw enough to inject policies that
> will make the packets actually get encrypted and go, the OTHER end will
> reject the packet based on ITS security policies.
>
> Just add connections with the proper src/dst defined.
>
> Paul
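Added illustration of Paul's advice (not part of the original thread): the extra conn definitions that make the A<->C traffic an explicit IPsec policy on both ends of each tunnel, instead of a plain route. It assumes 192.168.60.0/24 is network A, 172.16.1.0/24 is network C and 192.168.50.5 is OS2 (taken from Toby's eroute attempt); the gateway addresses and conn names are placeholders.

```ini
# Added example ipsec.conf fragment, not from the original thread.
# Assumptions: 192.168.60.0/24 = network A, 172.16.1.0/24 = network C,
# 192.168.50.5 = OS2 on network B (all from the eroute attempt above).
# GW_A_PUBLIC_IP, OS1_PUBLIC_IP, OS2_PUBLIC_IP, GW_C_PUBLIC_IP are
# placeholders for the tunnel endpoints. An IPsec policy is a
# (source subnet, destination subnet) pair, so a third subnet needs its
# own conn on BOTH peers of each tunnel; routing alone is dropped.

# Put this conn on the network A gateway AND on OS1 (same text on both;
# Openswan works out which side it is from left/right).
conn a-to-c-via-os1
    left=GW_A_PUBLIC_IP          # placeholder: network A gateway
    leftsubnet=192.168.60.0/24   # network A
    right=OS1_PUBLIC_IP          # placeholder: OS1, the A<->B endpoint
    rightsubnet=172.16.1.0/24    # network C, reached through OS1
    auto=start
    # authby=/rsasigkey or PSK settings: same as the existing A<->B conn

# Put this conn on OS2 AND on the network C gateway.
conn a-to-c-via-os2
    left=OS2_PUBLIC_IP           # placeholder: OS2 (192.168.50.5 inside B)
    leftsubnet=192.168.60.0/24   # network A, arrives from OS1 via plain routing in B
    right=GW_C_PUBLIC_IP         # placeholder: network C gateway
    rightsubnet=172.16.1.0/24    # network C
    auto=start
    # authby=/rsasigkey or PSK settings: same as the existing B<->C conn
```

Inside network B the hop between OS1 and OS2 is ordinary routing (OS1 routes 172.16.1.0/24 via 192.168.50.5 and OS2 routes 192.168.60.0/24 back via OS1); once the conns are up, `ipsec eroute` on each box should list the 192.168.60.0/24 <-> 172.16.1.0/24 pair as a tunnel policy rather than %pass.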