[Openswan Users] Route-based VPN

Vincent Bernat bernat at luffy.cx
Mon Oct 25 16:20:40 EDT 2010


OoO During the evening TV news on Monday, 25 October 2010, around 20:21,
Paul Wouters <paul at xelerance.com> said:

>> Now, I would like to have a second VPN with the same instance of OpenSWAN.
>> Therefore, I would need an ipsec1 interface.

> No you don't need a second interface.

>> Can I bind it to a labelled interface (like eth0:1)?

> You could (if using ifconfig, not by adding the ip using ip addr)

>> I would like to use routes like this:
>> ip route add net1 dev ipsec0
>> ip route add net2 dev ipsec0
>> ip route add net3 dev ipsec1
>> ip route add net4 dev ipsec1

> I don't understand why. For klips it does not matter via which interface it got
> the packet, and it does not record/keep that information around for
> anything.

For both VPNs, rightsubnet is set to 0.0.0.0/0 (essentially because this
is the only subnet that the remote ISG will accept in this mode). This
means that for one packet, I have two possible VPNs to use for
encryption. I would like to select the correct VPN using routes: if the
packet is routed to ipsec0, then I would like to use the first VPN; if
it is routed to ipsec1, then I would like to use the second VPN.

If KLIPS ignores the incoming interface, I suppose it is not possible to
work like this.
-- 
panic("CPU too expensive - making holiday in the ANDES!");
	2.2.16 /usr/src/linux/arch/mips/kernel/traps.c
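The setup Vincent asks for, two tunnels whose policies both carry a 0.0.0.0/0 selector and a route deciding which one a packet uses, is exactly what Linux XFRM interfaces (the `xfrm` link type, Linux 4.19 and later) provide: each interface carries an `if_id`, and SAs and policies tagged with that `if_id` only match traffic routed through that interface, so the interface does the selection that KLIPS' ipsec0/ipsec1 cannot. The script below is an added example, not code from the thread, from Openswan or from KLIPS; it uses manual keying purely to make the binding between route, interface, policy and SA visible, whereas in practice the SAs would come from IKE (Libreswan and strongSwan can both install them with an `if_id`). All addresses, SPIs, keys and the ipsec0/ipsec1 and eth0 names are constructed placeholders; with `DRY_RUN` unset or set to 1 it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original thread, not Openswan/KLIPS code):
# two route-based tunnels whose policies both use 0.0.0.0/0 selectors,
# kept apart by the XFRM interface if_id (Linux 4.19+ "xfrm" link type)
# instead of by the interface a packet was routed to, which KLIPS ignores.
# Addresses, SPIs and keys below are constructed placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands (default), 0 = run them as root

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One xfrm interface per tunnel. The if_id is the only thing that links a
# route via this interface to the SAs and policies of its tunnel.
xfrm_iface() {   # name if_id underlay_device
    run ip link add name "$1" type xfrm dev "$3" if_id "$2"
    run ip link set "$1" up
}

# SAs and policies for one tunnel. Selectors are 0.0.0.0/0 in both
# directions for every tunnel (the remote gateway accepts nothing
# narrower, as in the thread); only if_id, peer and SPI differ.
# AES-128-GCM keying material is a 16-byte key plus 4-byte salt (40 hex digits).
tunnel() {       # if_id local remote spi_out spi_in key_out key_in
    run ip xfrm state add src "$2" dst "$3" proto esp spi "$4" mode tunnel \
        aead 'rfc4106(gcm(aes))' "$6" 128 if_id "$1"
    run ip xfrm state add src "$3" dst "$2" proto esp spi "$5" mode tunnel \
        aead 'rfc4106(gcm(aes))' "$7" 128 if_id "$1"
    run ip xfrm policy add dir out src 0.0.0.0/0 dst 0.0.0.0/0 \
        tmpl src "$2" dst "$3" proto esp mode tunnel if_id "$1"
    run ip xfrm policy add dir in src 0.0.0.0/0 dst 0.0.0.0/0 \
        tmpl src "$3" dst "$2" proto esp mode tunnel if_id "$1"
}

# The routes do the selection: whatever is routed via ipsec0 is matched
# only by the if_id 1 policy, whatever goes via ipsec1 only by if_id 2.
route_via() {    # iface net...
    iface="$1"; shift
    for net in "$@"; do run ip route add "$net" dev "$iface"; done
}

build_all() {
    LOCAL=192.0.2.10     # this gateway (constructed, TEST-NET-1)
    PEER1=198.51.100.1   # remote ISG for VPN 1 (constructed)
    PEER2=203.0.113.1    # remote ISG for VPN 2 (constructed)
    KEY1=0x0102030405060708090a0b0c0d0e0f1011121314   # placeholder, 20 bytes
    KEY2=0x1112131415161718191a1b1c1d1e1f2021222324   # placeholder, 20 bytes

    xfrm_iface ipsec0 1 eth0
    xfrm_iface ipsec1 2 eth0
    tunnel 1 "$LOCAL" "$PEER1" 0x1001 0x1002 "$KEY1" "$KEY1"
    tunnel 2 "$LOCAL" "$PEER2" 0x2001 0x2002 "$KEY2" "$KEY2"
    route_via ipsec0 10.1.0.0/16 10.2.0.0/16   # net1, net2 -> first VPN
    route_via ipsec1 10.3.0.0/16 10.4.0.0/16   # net3, net4 -> second VPN
}

build_all
```

The point to check after applying it for real is `ip xfrm policy show` and `ip route get 10.3.1.1`: the route must name `ipsec1`, and the only policy that can match is the one carrying `if_id 2`. Without the `if_id` on both the policy and the interface, the two 0.0.0.0/0 policies collide and the kernel picks by priority, which is the ambiguity the thread describes.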