[Openswan Users] routing and ipsec eroute

Toby Heywood theywood at alaric.com
Thu Oct 11 20:11:56 EDT 2007

Hi Paul,

Thank you for your reply. As per your email I set up an additional
connection on each openswan box, and after spotting a few typos, I now
have traffic routing just as I wanted.

Thank you for your help; keep up the good work.



Paul Wouters wrote:
> On Thu, 11 Oct 2007, Toby Heywood wrote:
>> I have an OpenSwan box (on network B) with two established tunnels. One
>> to a remote office (network A) and one to a customer's network (network
>> C). I need to be able to route the traffic from network A through to
>> network C and vice versa.
>> So far I have added a route on the Openswan box (OS1) to send traffic
>> towards the server OS2, which will then pass the traffic on to the
>> customer's network by way of the established tunnel.
> Uhm, no. IPsec is not a "virtual ethernet". The tunnel has strict
> policies. Anything you "route add" into it, will get dropped, unless
> you add a tunnel definition for that specific source-destination
> combination.
>> I can see ICMP traffic from WKSTN-A using tcpdump hitting the ipsec0
>> interface, but when looking at eth0 no ESP traffic is being generated.
> That is the correct (secure) behaviour.
>> I've looked at ipsec eroute, but not sure how best to configure this for
>> my needs, is this correct?
>> I tried
>> ipsec eroute --add --eraf inet --src \
>> --dst --af inet --edst \
>> --said %pass
> pass eroutes won't help. Even if you screw enough to inject policies that
> will make the packets actually get encrypted and go, the OTHER end will
> reject the packet based on ITS security policies.
> Just add connections with the proper src/dst defined.
> Paul

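Paul's advice, "add connections with the proper src/dst defined", written out as an added example (not code from the original thread or from the Openswan project). It assumes a topology the thread does not spell out: OS1 fronts network A (10.1.0.0/24, public 192.0.2.1), OS2 fronts network B (10.2.0.0/24, public 198.51.100.1) and terminates both existing tunnels, and the customer's gateway fronts network C (10.3.0.0/24, public 203.0.113.1). All addresses, conn names and the choice of PSK authentication are assumptions; the three boxes' ipsec.conf files are shown together but live on separate hosts.

```conf
# --- OS2, network B (hub): both existing tunnels plus two added A<->C legs ---
config setup
    interfaces=%defaultroute

conn %default
    authby=secret            # assumed: PSK; RSA signatures work the same way
    keyingtries=%forever
    auto=start

# existing tunnel B <-> A
conn b-a
    left=198.51.100.1
    leftsubnet=10.2.0.0/24
    right=192.0.2.1
    rightsubnet=10.1.0.0/24

# existing tunnel B <-> C
conn b-c
    left=198.51.100.1
    leftsubnet=10.2.0.0/24
    right=203.0.113.1
    rightsubnet=10.3.0.0/24

# added: A <-> C across the OS2<->customer tunnel. Same peer as b-c, but a
# different src/dst policy, so it needs its own conn (a route add is not
# enough: KLIPS only encrypts what an eroute for that pair covers).
conn a-c-leg-c
    left=198.51.100.1
    leftsubnet=10.1.0.0/24   # OS2 is not on 10.1.0.0/24; it forwards for it
    right=203.0.113.1
    rightsubnet=10.3.0.0/24

# added: A <-> C across the OS2<->OS1 tunnel (return direction towards A)
conn a-c-leg-a
    left=198.51.100.1
    leftsubnet=10.3.0.0/24
    right=192.0.2.1
    rightsubnet=10.1.0.0/24

# --- OS1, network A: existing conn plus the mirror of a-c-leg-a ---
conn a-b
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24

conn a-c
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1       # peer is still OS2, not the customer gateway
    rightsubnet=10.3.0.0/24  # but the protected pair is A <-> C

# --- customer gateway, network C: mirror of a-c-leg-c (their change) ---
conn c-a
    left=203.0.113.1
    leftsubnet=10.3.0.0/24
    right=198.51.100.1
    rightsubnet=10.1.0.0/24
```

Load the new conns with `ipsec auto --add <name>` followed by `ipsec auto --up <name>` on each box, and enable forwarding on OS2 (`sysctl -w net.ipv4.ip_forward=1`). The static `route add` towards OS2 can be dropped: once the conns are up, `ipsec eroute` on OS2 lists policies for 10.1.0.0/24 -> 10.3.0.0/24 and 10.3.0.0/24 -> 10.1.0.0/24, and those policies, not the routing table, decide which packets get encrypted and to which peer. The customer end must add the matching c-a conn; without it their gateway rejects the A-sourced packets on policy, which is exactly the failure Paul describes for a hand-injected `%pass` eroute.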
