[Openswan Users] Is there a way to exclude subsets of a super net when defined as the right or left subnet?

Robyn Orosz rorosz at gmail.com
Mon Dec 21 13:36:18 EST 2009


Hi Paul,

Thanks a ton for the response.  I seem to have gotten this to work but had
to add a leftnexthop value to the conn declaration.  Should I need this or
am I doing something wrong?

Also, when I do this, it adds a route to my inside network via my outside
interface but for some reason, still seems to work.  Is this normal or is
there another way to do this?

Also, what exactly does the passthrough tunnel do other than add a route?

host - 10.11.11.100 -----VPN eth1 10.11.11.1 - eth0 172.16.1.2 ----gw 172.16.1.1

I added the following pass-through:

# my local range is 10.11.11.0/24
conn pass-local
       left=172.16.1.2
       leftsubnet=10.11.11.0/24
       leftnexthop=172.16.1.1 <-------------------I can't get it to start w/o this
       right=0.0.0.0
       rightsubnet=10.11.11.0/24
       authby=never
       type=passthrough
       auto=route

This adds a route for my private subnet via eth0 but the actual network is
reachable via eth1.

Thanks!

Robyn


On Sat, Dec 19, 2009 at 10:31 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Fri, 18 Dec 2009, Robyn Orosz wrote:
>
>> I need to connect to a device that is attached to several remote networks
>> within the 10.0.0.0/8 range.  Rather
>> than creating several tunnels I just summarized the remote subnet as
>> 10.0.0.0/8.  The problem is that this
>> includes my own local subnet so when locally connected hosts attempt to
>> access the VPN device at 10.11.11.1,
>> they are unable to as it appears that this traffic gets redirected onto
>> the tunnel.
>>
>
> It's a problem with NETKEY only, not KLIPS. On NETKEY you need to add a
> "passthrough"
> for anything that is local:
>
> # my local range is 10.10.10.0/24
> conn pass-local
>        left=yourip
>        leftsubnet=10.0.0.0/24
>        right=0.0.0.0
>        rightsubnet=10.0.0.0/24
>        authby=never
>        type=passthrough
>        auto=route
>
>
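As an added illustration (not part of the thread, and not Openswan code), here is a small Python model of why the passthrough conn in the exchange above takes effect: it reads ipsec.conf-style conn blocks and, for a given source/destination pair, picks the conn with the most specific left/right selectors. The sample config is constructed; the tunnel conn "to-remote" and its peer address are assumptions, and the rule that the most specific selector wins is an assumption about the kernel's policy lookup.

```python
import ipaddress

# Constructed sample mirroring the thread: a tunnel whose rightsubnet is the
# 10.0.0.0/8 supernet, plus the passthrough conn that carves the local /24 out of it.
IPSEC_CONF = """
conn to-remote
        leftsubnet=10.11.11.0/24
        rightsubnet=10.0.0.0/8
        type=tunnel
# my local range is 10.11.11.0/24
conn pass-local
        left=172.16.1.2
        leftsubnet=10.11.11.0/24
        right=0.0.0.0
        rightsubnet=10.11.11.0/24
        authby=never
        type=passthrough
        auto=route
"""

def parse_conns(text: str) -> dict:
    """Minimal ipsec.conf reader: 'conn NAME' blocks of key=value lines; '#' comments dropped."""
    conns: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def select_policy(conns: dict, src: str, dst: str):
    """Return (conn name, type) for the most specific conn whose subnets cover src -> dst, else None."""
    # Assumption: the kernel's policy lookup prefers the longest matching prefixes,
    # which is what lets the /24 passthrough override the /8 tunnel selector.
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for name, c in conns.items():
        lsub, rsub = ipaddress.ip_network(c["leftsubnet"]), ipaddress.ip_network(c["rightsubnet"])
        if src_ip in lsub and dst_ip in rsub:
            specificity = lsub.prefixlen + rsub.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, name, c.get("type", "tunnel"))
    return None if best is None else (best[1], best[2])
```

Traffic from 10.11.11.100 to the VPN box at 10.11.11.1 resolves to "pass-local", while traffic to another 10/8 address still resolves to the tunnel.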