[Openswan Users] ipsec tunnel interface and routes

Paul Wouters paul at xelerance.com
Fri Jun 5 10:32:13 EDT 2009

On Fri, 5 Jun 2009, Maverick wrote:

> It seems IPSEC is a bit different from normal networking, so no interface
> right?

If you use the default ipsec stack, NETKEY, then you don't have
separate interfaces. If you use KLIPS, then you do have separate
ipsecX interfaces.

> I've read that to set a route I have to use setkey utility right?

Neither stack should require you to do anything manually with setkey.
In fact setkey and racoon should be removed when openswan is used.

> I've made a tunnel between two networks A and B, on my end (A) I have
> openswan and on the other (B) end is a cisco firewall.
> I've tested the access and everything seems to be ok.
> But there is a network C that must be accessed through a machine (B.254) on
> network B that is making NAT to that network C.
> My first question is, where is the ipsec tunnel interface? I run ifconfig
> and only get my eth0 and lo.
> When I make a traceroute to a machine on network B it goes directly.
> So how can I add a route to network C saying that the gateway is B.254?

You cannot "add routes". You have to "add tunnels". So you need to copy
the "conn xxx" you have in ipsec.conf, rename it, and change the
rightsubnet=B to rightsubnet=C. The cisco should know where to send
the traffic from A to C, if that is via B.254.

Remember traceroute is a bad tool to use with tunnels.
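An added example, not from this thread, of what the copied conn looks like in ipsec.conf. The addresses are placeholders: A is the openswan LAN, B the cisco LAN, and C the network behind B.254. The second conn is a literal copy of the first with only the name and rightsubnet changed, which is the procedure described above.

```conf
# Added example, not from the original thread. Placeholder addresses:
#   A = 10.1.0.0/24 (openswan side), B = 10.2.0.0/24 (cisco side),
#   C = 10.3.0.0/24 (reached through B.254, which NATs into C).
conn a-to-b
    left=192.0.2.1          # openswan public IP (placeholder)
    leftsubnet=10.1.0.0/24  # network A
    right=198.51.100.1      # cisco public IP (placeholder)
    rightsubnet=10.2.0.0/24 # network B
    authby=secret
    auto=start

# Copy of a-to-b: same endpoints and authentication, only the protected
# subnet differs. Traffic from A to C is matched by this tunnel's selectors,
# not by a kernel route pointing at B.254.
conn a-to-c
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.3.0.0/24 # network C
    authby=secret
    auto=start
```

After `ipsec auto --add a-to-c` and `ipsec auto --up a-to-c`, the new policy on NETKEY is visible with `ip xfrm policy` (look for a 10.1.0.0/24 to 10.3.0.0/24 entry) rather than in `ip route` or ifconfig. The cisco side must carry a matching policy for A to C as well; IPsec selectors have to agree on both ends, so a conn added only on the openswan side will not negotiate.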

