[Openswan Users] Multi-net access to a service behind vpn

sertys at estates.bg sertys at estates.bg
Tue Apr 20 14:19:39 EDT 2010


>> Date: Mon, 19 Apr 2010 13:44:18 +0300 (EEST)
>
>> I think I have difficulties configuring the strongswan/openswan link as
>> I want it, and specifically routing the packets to go over that link. It
>> would be easy if ipsec tunnels did appear as virtual devices or at least
>> appeared in the kernel routing table.
>
> Note an ipsec tunnel is not a virtual ethernet device. You cannot just
> "route" into it, since the tunnel has policies for source/dest packets.
>
>> this is my connection definition:
>> conn commport1
>>    type=tunnel
>>    # Key exchange
>>    ike=aes256-sha1-modp1536
>>    # Data exchange
>>    esp=aes256-sha1
>>    authby=secret
>>    auto=start
>>    #auth=esp
>>    keyingtries=2
>>    #keyexchange=ike
>>    # Modeconfig setting
>>    #modecfgpull=yes
>>    pfs=no
>>    rekey=yes
>>    #salifetime=16h
>>    dpddelay=120
>>    dpdtimeout=140
>>    dpdaction=restart
>>    left=strong.ip                 # Local vitals
>>    leftsubnet=192.168.2.2/32      #
>>    leftid=%any
>
> You cannot use %any for an ID. Either leave it out to default to the IP
> address, or set it to something sane.
>
>>    leftnexthop=%defaultroute      # correct in many situations
>>    leftsourceip=192.168.2.2
>>    right=sec.ip                # Remote vitals
>>    rightsubnet=192.168.2.1/32       #
>>    rightid=%any        #
>
> Same here
>
>> But the SYNs just are not routed via the commport1 connection.
>> I guess I have to fiddle with the subnet and nexthop definitions, but
>> I'm seeking help here to avoid misconfigurations.
>
> I'm not sure I understand your setup yet.
>
> Paul
>

I overcomplicated the explanation. Imagine it as a VPN router. Packets
come from the client and are immediately put on the commport1 tunnel to the
appropriate endpoint. I enabled ipv4_forwarding, but there's something I'm
missing about packet handling. Maybe those policies are the key, but IKEv1
supports only simple policies, so it should be pretty much
straightforward.
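As an added example (not part of this thread, and not the poster's or Paul's configuration), this is how the commport1 definition could be rewritten so that forwarded client traffic actually matches the tunnel's policy and the two points Paul raised are addressed. The client network 10.0.0.0/24 and the two IDs are assumptions; strong.ip, sec.ip and 192.168.2.1 are taken from the original conn.

```ini
# Added example, not from the original thread. Assumptions: the clients
# sit in 10.0.0.0/24 behind the openswan box, the service is 192.168.2.1
# behind the strongswan box, and the two IDs are placeholders.
conn commport1
    type=tunnel
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    authby=secret
    auto=start
    keyingtries=2
    rekey=yes
    dpddelay=120
    dpdtimeout=140
    dpdaction=restart
    left=strong.ip
    # The tunnel is selected by a source/destination policy, not by a
    # route: a forwarded client packet is only encapsulated if its source
    # falls inside leftsubnet. A /32 of the gateway itself never matches
    # traffic arriving from the clients.
    leftsubnet=10.0.0.0/24
    # A concrete ID (or none, defaulting to the IP), not %any.
    leftid=@openswan-gw.example
    leftnexthop=%defaultroute
    right=sec.ip
    rightsubnet=192.168.2.1/32
    rightid=@strongswan-gw.example
```

After `ipsec auto --replace commport1` and `ipsec auto --up commport1`, `ip xfrm policy show` should list an `out` policy with src 10.0.0.0/24 and dst 192.168.2.1/32, and the strongswan side must carry the mirrored subnets or the SA negotiation fails. Traffic from a client address outside leftsubnet is not protected by this conn, so a widened leftsubnet should be paired with firewall rules that only forward the intended client range.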


