[Openswan Users] Routing to/from a vpn

Paul Wouters paul at xelerance.com
Fri Jun 12 21:50:41 EDT 2009

On Fri, 12 Jun 2009, Jason Brooks wrote:

> I am trying to setup a vpn between three sites and a main site.  The

> I have run into some confusion reading through ipsec and openswan
> documentation.  It appears that openswan on a linux gateway uses
> something akin to packet filter rules: "x ip address range may talk to
> Y ip address range" as an example.  Does the gateway also have a

It's actually "IPsec Security Associations". Those are IPsec Policy
rules that determine what can go through the tunnel.

> corresponding routing table entry that will route packets to the vpn?
> Once the vpn is established, can I have the endpoints exchange routing
> data with something like RIP?

You can only send packets through the tunnel that fall within the the
IPsec policy. These policies are usually host-host or subnet-subnet.
If you want to do any kind of "dynamic routes", then you need to
encapsulate packets, for instance using a host-host IPsec tunnel
with IPIP or GRE.


More information about the Users mailing list