[Openswan Users] Is there a way to exclude subsets of a super net when defined as the right or left subnet?

Robyn Orosz rorosz at gmail.com
Mon Dec 21 13:36:18 EST 2009

Hi Paul,

Thanks a ton for the response.  I seem to have gotten this to work but had
to add a leftnexthop value to the conn declaration.  Should I need this or
am I doing something wrong?

Also, when I do this, it adds a route to my inside network via my outside
interface but for some reason, still seems to work.  Is this normal or is
there another way to do this?

Also, what exactly does the passthrough tunnel do other than add a route?

host - -----VPN eth1 - eth0 ----gw

I added the following pass-through:

# my local range is
conn pass-local
       leftnexthop=        <--- I can't get it to start w/o this

This adds a route for my private subnet via eth0 but the actual network is
reachable via eth1.



On Sat, Dec 19, 2009 at 10:31 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Fri, 18 Dec 2009, Robyn Orosz wrote:
>> I need to connect to a device that is attached to several remote networks
>> within the range.  Rather
>> than creating several tunnels I just summarized the remote subnet as
>>  The problem is that this
>> includes my own local subnet so when locally connected hosts attempt to
>> access the VPN device at,
>> they are unable to as it appears that this traffic gets redirected onto
>> the tunnel.
> It's a problem with NETKEY only, not KLIPS. On NETKEY you need to add a
> "passthrough" for anything that is local:
> # my local range is
> conn pass-local
>        left=yourip
>        leftsubnet=
>        right=
>        rightsubnet=
>        authby=never
>        type=passthrough
>        auto=route
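The underlying problem in this thread is a summarized remote subnet that also covers the local LAN, so local traffic gets pulled into the tunnel. The following is an added example, not code from the thread or from Openswan: it flags that overlap before a conn is loaded and, as an alternative to Paul's passthrough conn, computes the minimal list of prefixes that cover the supernet minus the local range (one conn per remaining prefix, or whatever multi-subnet syntax the Openswan version in use supports). All addresses in it are constructed sample values; the function names are my own.

```python
import ipaddress

# Constructed sample values: a remote "supernet" that summarizes several
# remote networks, and the local LAN that happens to fall inside it.
REMOTE_SUPERNET = "10.0.0.0/8"
LOCAL_SUBNETS = ["10.1.2.0/24"]


def overlapping_local_subnets(remote_supernet, local_subnets):
    """Return the local subnets that overlap the remote supernet.

    Any non-empty result means a plain leftsubnet/rightsubnet pair would
    steer local LAN traffic into the tunnel (the symptom from the thread).
    """
    remote = ipaddress.ip_network(remote_supernet, strict=False)
    return [
        ipaddress.ip_network(s, strict=False)
        for s in local_subnets
        if ipaddress.ip_network(s, strict=False).overlaps(remote)
    ]


def exclude_prefixes(remote_supernet, local_subnets):
    """Return the minimal prefixes covering remote_supernet minus local_subnets.

    This carves the local ranges out of the supernet so that each remaining
    prefix can be used as a rightsubnet without touching local addresses.
    """
    remaining = [ipaddress.ip_network(remote_supernet, strict=False)]
    for s in local_subnets:
        local = ipaddress.ip_network(s, strict=False)
        carved = []
        for net in remaining:
            if local.subnet_of(net):
                # address_exclude yields the pieces of net that are not local
                carved.extend(net.address_exclude(local))
            elif net.subnet_of(local):
                # this piece lies entirely inside the local range: drop it
                continue
            else:
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def rightsubnet_lines(remote_supernet, local_subnets):
    """Render one 'rightsubnet=' line per remaining prefix, for ipsec.conf."""
    return ["rightsubnet=%s" % net for net in exclude_prefixes(remote_supernet, local_subnets)]


if __name__ == "__main__":
    clash = overlapping_local_subnets(REMOTE_SUPERNET, LOCAL_SUBNETS)
    if clash:
        print("local subnet(s) inside %s: %s" % (REMOTE_SUPERNET, ", ".join(map(str, clash))))
        print("prefixes that avoid the local range:")
        for line in rightsubnet_lines(REMOTE_SUPERNET, LOCAL_SUBNETS):
            print("    " + line)
    else:
        print("no overlap; %s can be used as-is" % REMOTE_SUPERNET)
```

With the sample values the supernet splits into sixteen prefixes (/9 down to /24) that together cover everything except the local /24; with a passthrough conn instead, only the overlap check is needed, since the passthrough handles the exclusion in the kernel policy rather than in the subnet list.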