[Openswan Users] Multi-net access to a service behind vpn
Paul Wouters
paul at xelerance.com
Tue Apr 20 08:04:22 EDT 2010
> Date: Mon, 19 Apr 2010 13:44:18 +0300 (EEST)
> I think I have difficulties configuring the strongswan/openswan link as i
> want it and specifically routing the packets to go over that link. It
> would be easy if ipsec tunnels did appear as virtual devices or at least
> appeared in the kernel routing table.
Note an ipsec tunnel is not a virtual ethernet device. You cannot just "route"
into it, since the tunnel has policies for source/dest packets.
> this is my connection definition:
> conn commport1
>         type=tunnel
>         # Key exchange
>         ike=aes256-sha1-modp1536
>         # Data exchange
>         esp=aes256-sha1
>         authby=secret
>         auto=start
>         #auth=esp
>         keyingtries=2
>         #keyexchange=ike
>         # Modeconfig setting
>         #modecfgpull=yes
>         pfs=no
>         rekey=yes
>         #salifetime=16h
>         dpddelay=120
>         dpdtimeout=140
>         dpdaction=restart
>         left=strong.ip                 # Local vitals
>         leftsubnet=192.168.2.2/32
>         leftid=%any
You cannot use %any for an ID. Either leave out to default to the IP address
or set it to something sane.
>         leftnexthop=%defaultroute      # correct in many situations
>         leftsourceip=192.168.2.2
>         right=sec.ip                   # Remote vitals
>         rightsubnet=192.168.2.1/32
>         rightid=%any
Same here
> But the syns just are not routed via the commport1 connection.
> I guess I have to fiddle with the subnet and nexthop definitions, but I'm
> seeking help here to avoid misconfigurations.
I'm not sure I understand your setup yet.
Paul
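The distinction drawn above, that the routing table picks an interface while the tunnel's policy selects traffic by source and destination, is easiest to see in a small model. The following is an added example, not code from the original post or from Openswan: it builds a constructed security policy database (SPD) from the selectors in the quoted commport1 conn (leftsubnet=192.168.2.2/32, rightsubnet=192.168.2.1/32), a constructed destination-only routing table, and classifies three sample packets. The interface name eth0, the route entries and the packet addresses are assumptions made for the illustration; strong.ip and sec.ip are the placeholders used in the post.

```python
"""Policy-based IPsec vs. routing: why a packet does not simply "route into"
a tunnel.  Added example, not from the original post or from Openswan; the
SPD and routing table below are constructed to mirror the quoted conn."""
import ipaddress

# Constructed SPD modelled on the quoted commport1 conn.  The traffic
# selector is (src, dst); a packet must match BOTH to be handed to the
# tunnel SA.  strong.ip / sec.ip are the placeholder peer names from the post.
SPD = [
    {"src": "192.168.2.2/32", "dst": "192.168.2.1/32",
     "action": "ipsec", "tunnel": ("strong.ip", "sec.ip")},
]

# Constructed routing table (assumption): longest-prefix match on the
# destination only, which is all a route ever looks at.
ROUTES = [
    ("192.168.2.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),        # default route
]


def route_lookup(dst):
    """Destination-only longest-prefix match, as the kernel routing table does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def spd_lookup(src, dst, spd=SPD):
    """First policy whose src AND dst selectors both match; None means no
    IPsec policy applies, i.e. the packet leaves in the clear."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in spd:
        if (src_ip in ipaddress.ip_network(pol["src"])
                and dst_ip in ipaddress.ip_network(pol["dst"])):
            return pol
    return None


def classify(src, dst, spd=SPD):
    """Routing chooses the interface; the SPD, not the route, decides whether
    the packet is encapsulated.  Both lookups happen for every packet."""
    dev = route_lookup(dst)
    pol = spd_lookup(src, dst, spd)
    if dev is None:
        return {"dev": None, "ipsec": False, "verdict": "unreachable"}
    if pol is None:
        return {"dev": dev, "ipsec": False, "verdict": "cleartext via %s" % dev}
    return {"dev": dev, "ipsec": True,
            "verdict": "ESP tunnel %s -> %s via %s" % (pol["tunnel"] + (dev,))}


if __name__ == "__main__":
    samples = [
        ("192.168.2.2", "192.168.2.1"),   # matches the conn's selectors
        ("10.0.0.5", "192.168.2.1"),      # same destination, source outside leftsubnet
        ("192.168.2.2", "192.168.2.7"),   # same source, destination outside rightsubnet
    ]
    for src, dst in samples:
        print("%s -> %s: %s" % (src, dst, classify(src, dst)["verdict"]))
```

The second and third packets take exactly the same route as the first, yet never enter the tunnel: the selector, not the route, rejected them. That is the general rule behind the reply above. In Openswan the selector is what leftsubnet and rightsubnet (and, where used, leftprotoport/rightprotoport) define, so traffic that should be protected has to fall inside those, and editing the routing table alone cannot change the SPD's answer.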