[Openswan Users] Openswan AND fortigate 60b Vs Iptables

Erich Titl erich.titl at think.ch
Wed Jul 7 03:51:13 EDT 2010


at 07.07.2010 06:20, Ing. Rodrigo Fernandez wrote:
> Hello pals!
> I'm back. I have read the information on iproute2 but I didn't get it. Does the
> help mean that I need to establish a "static route"?
> For example:
> Route add ???
> Or how can I handle it? The reason that I want to ping my gateway is
> because sometimes the tunnel goes down and I'm writing a very simple
> "pingscript" which checks that the tunnel is up and, if the tunnel goes down, does all
> it can to reestablish the connection. In the previous thread I sent my set
> up of my iptables and a member of the list gently suggested iproute2.
> What do you think about my "example"? Is it correct or is it more complicated?

Paul already gave you the hint for dpd, however, I found dpd
insufficient, as it cannot control the layer below ipsec.

If you have a subnet_to_subnet scenario then your tunnel endpoints
cannot see each other through the tunnel.

iproute2 allows you to route, for example, packets originating on the
tunnel endpoint through the tunnel by inserting the internal address of
the tunnel endpoint as the source IP.

In order to do that you need to introduce a new routing table, for
example "from_tunnel_endpoint", add a rule to use the new table for
packets originating on the tunnel endpoint and add a specific route to
that routing table. This can then allow you to use the tunnel for
traffic originating on one tunnel endpoint to the internal address of
the other endpoint using subnet addresses of the respective tunnels only.

It is a bit of a routing hack, but the reference I sent you is pretty
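The three iproute2 steps described above (new table, rule for locally generated packets, specific route with the internal address as source), written out as an added example that is not part of this mail or of Openswan. All addresses, the table name from_tunnel_endpoint and its number 100 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail: the iproute2 "routing hack"
# described above, written out as the commands an admin would run on one
# tunnel endpoint.  All addresses and the table name are constructed:
#   10.1.0.1        internal (leftsubnet) address of this endpoint
#   10.2.0.0/24     subnet behind the other endpoint
#   203.0.113.254   this endpoint's normal next hop towards the Internet
#   from_tunnel_endpoint / 100   name and number of the extra routing table

# Print the commands for the given parameters without executing them, so
# they can be reviewed (or diffed against the running config) first.
policy_routing_cmds() {
    if [ $# -ne 5 ]; then
        echo "usage: policy_routing_cmds INTERNAL_IP REMOTE_SUBNET NEXT_HOP TABLE TABLE_ID" >&2
        return 2
    fi
    internal=$1 remote=$2 nexthop=$3 table=$4 table_id=$5
    # 1. register the table name; ip(8) is given the number below so the
    #    commands also work if this registration is skipped
    echo "grep -qs \"^$table_id $table\$\" /etc/iproute2/rt_tables || echo \"$table_id $table\" >> /etc/iproute2/rt_tables"
    # 2. route to the remote subnet with the *internal* address as source;
    #    that source matches the IPsec policy, so the packet enters the tunnel
    echo "ip route add $remote via $nexthop src $internal table $table_id"
    # 3. consult that table only for packets generated on this host (iif lo)
    echo "ip rule add iif lo to $remote table $table_id"
}

# Run the commands (needs root).
apply_policy_routing() {
    policy_routing_cmds "$@" | sh -e
}

# Confirm the kernel now picks the internal address for a remote host:
# succeeds when 'ip route get' reports "src INTERNAL_IP" for the destination.
check_policy_routing() {
    ip route get "$2" 2>/dev/null | grep -q "src $1"
}

# Example run (constructed values):
#   policy_routing_cmds  10.1.0.1 10.2.0.0/24 203.0.113.254 from_tunnel_endpoint 100
#   apply_policy_routing 10.1.0.1 10.2.0.0/24 203.0.113.254 from_tunnel_endpoint 100
#   check_policy_routing 10.1.0.1 10.2.0.1 && echo "host traffic will use the tunnel"
```

Remember that the rule and route are not persistent; put them in an updown script or a leftsourceip-style hook so they come back with the tunnel.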
