[Openswan Users] OpenSWAN & aliased interfaces

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Apr 8 18:20:46 EDT 2011



On 4/6/2011 9:34 PM, Jesse L. Zamora wrote:
> Hello,
>
> I was just wondering if it is possible to use an aliased interface in an
> IPSEC tunnel using OpenSWAN. Let me familiarize you with my configuration:
>
> |--------------------------------|                    |------------------------------|
> | Client 1 IPSEC:                |                    | Local IPSEC (my network):    |
> | Endpoint IP: 74.205.127.225    | <----------------> | Public IP: 64.135.12.130     |
> | Subnet: 10.122.91.0/24         |                    | Subnet: 172.27.12.0/24       |
> |--------------------------------|                    |------------------------------|
>
>
> This is the current configuration that I have, and it works great using
> an IPSEC tunnel configured using OpenSWAN.
>
> Now I need to create the following configuration:
>
> |--------------------------------|                    |------------------------------|
> | Client 2 IPSEC:                |                    | Local IPSEC (my network):    |
> | Endpoint IP: 200.39.21.10      | <----------------> | Public IP: 64.135.12.130     |
> | Subnet: 172.16.184.0/21        |                    | Subnet: 10.216.91.192/28     |
> |--------------------------------|                    |------------------------------|
>
> So this brings me to my question: is it possible to create an aliased
> interface for the subnet 10.216.91.192/28 and have OpenSWAN route the
> packets to the other host? On my network, the Public IP 64.135.12.130 is
> the firewall as well as the VPN gateway, so there is no NAT going on.
> Currently, eth0 is the external interface and eth1 currently has a
> subnet of 172.27.12.0/24.

I don't know if you need an aliased interface to accomplish what you 
want to.  Either way, I don't know the answer to that question since 
I've never tried.

Couldn't you just add (where left is local/your network)
leftsubnet=10.216.91.192/28
I believe the packets would come through the IPsec tunnel and you could 
play with them in iptables just like you can any other packet.  That's 
where you could set up your translation between 10.216.91.192/28 and 
your actual 172.27.12.0/24.
So that being said, yes, you probably could alias eth1 to have those 
addresses too if that's the way you want to go about things.

Again, I've never tried any of this, so your mileage may vary.
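The approach the reply sketches (advertise 10.216.91.192/28 as leftsubnet, then translate between it and the real LAN with iptables), worked through as an added example that is not part of the thread or of Openswan's own documentation. The public IPs and subnets are those from the question; the conn name `client2`, the choice of `172.27.12.0/28` as the LAN slice that answers for the advertised /28, and the use of `-m policy` (NETKEY stack) are assumptions.

```shell
#!/bin/sh
# Added example: render an Openswan conn for the second tunnel and the
# iptables NETMAP rules that map the advertised 10.216.91.192/28 onto a
# /28 slice of the real LAN. Printed, not applied, so it runs without root.

LOCAL_PUBLIC=64.135.12.130
REMOTE_PUBLIC=200.39.21.10
REMOTE_SUBNET=172.16.184.0/21
ADVERTISED_SUBNET=10.216.91.192/28   # what Client 2 expects to reach
REAL_SUBNET=172.27.12.0/28           # assumption: the 16 LAN hosts that answer

# Print the conn stanza for /etc/ipsec.conf. leftsubnet is the advertised
# subnet, as the reply suggests; no alias on eth1 is needed for this part.
ipsec_conn() {
    cat <<EOF
conn client2
    left=$LOCAL_PUBLIC
    leftsubnet=$ADVERTISED_SUBNET
    right=$REMOTE_PUBLIC
    rightsubnet=$REMOTE_SUBNET
    authby=secret
    auto=start
EOF
}

# Print the 1:1 NETMAP rules. Inbound: after decryption the inner packet
# re-enters PREROUTING, so a destination of 10.216.91.x is rewritten to
# 172.27.12.x (same host offset); -m policy restricts this to packets that
# arrived through IPsec (NETKEY; on KLIPS match -i ipsec0 instead).
# Outbound: POSTROUTING runs before the xfrm policy lookup, so the rewritten
# source 10.216.91.x matches leftsubnet and is encrypted, not sent in clear.
nat_rules() {
    printf 'iptables -t nat -A PREROUTING  -d %s -m policy --dir in --pol ipsec -j NETMAP --to %s\n' \
        "$ADVERTISED_SUBNET" "$REAL_SUBNET"
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j NETMAP --to %s\n' \
        "$REAL_SUBNET" "$REMOTE_SUBNET" "$ADVERTISED_SUBNET"
}

# NETMAP is strictly 1:1, so both prefixes must have the same length
# (a /28 cannot be mapped onto a /24). Returns 0 when they match.
same_prefix_len() {
    [ "${1##*/}" = "${2##*/}" ]
}

if ! same_prefix_len "$ADVERTISED_SUBNET" "$REAL_SUBNET"; then
    echo "prefix lengths differ: $ADVERTISED_SUBNET vs $REAL_SUBNET" >&2
    exit 1
fi

ipsec_conn
echo
nat_rules
```

Because the translation happens on the gateway, hosts on 172.27.12.0/24 keep their real addresses and Client 2 only ever sees 10.216.91.192/28; filter rules in FORWARD should be written against the post-translation addresses on the inbound side and the pre-translation addresses on the outbound side.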

