[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device

Roberto Suarez Soto roberto.suarez.soto at gmail.com
Thu Aug 18 12:58:33 EDT 2011


Hi,

	I'm trying to establish an IPSec VPN between a PaloAlto Networks device (don't 
know which exactly, it's out of our control) and openswan (v2.4.12, Debian 
"Lenny"). This is my configuration (IP addresses obfuscated by customer's 
request):

conn myconnection
	left=XXX.XXX.XXX.XXX
	leftnexthop=XXX.XXX.XXX.XXY
	right=ZZZ.ZZZ.ZZZ.ZZZ
	auto=start
	type=transport
	authby=secret
	ike=aes256-sha1
	esp=aes256-sha1
	leftsubnet=AA.AA.AA.AA/BB
	rightsubnet=CC.CC.CC.CC/DD

	As you can see, it's a transport mode connection, but I've defined leftsubnet 
and rightsubnet anyway. The result is that I can route packets without 
problems between AA.AA.AA.AA/BB and CC.CC.CC.CC/BB, but I also accept traffic 
from the other side not in these networks. These networks are defined in the 
PaloAlto configuration as "proxy IDs".

	Part of the intended setup is dynamic routing, so we can route several 
networks through this IPSec link. After discarding OSPF, we're going with RIP. 
It seems that the PaloAlto devices can't use GRE tunnels, so this has to be 
made directly through the IPSec connection.

	And here comes the problem. The RIP traffic that comes from the PaloAlto 
device uses the local IP of its "IPSec tunnel" (no idea of what it means), 
which is, of course, from a network that I can't route anywhere (let's say 
"EE.EE.EE.EE"). So I can see packets from that IP through the IPSec link, but 
can't reply to them because I don't know where to send them.

	If I used KLIPS, I guess I could just route EE.EE.EE.EE/32 through some 
ipsec* device; but alas, I'm using NETKEY. So I'm stuck because I can't 
communicate with the PaloAlto device in any way to send it RIP information.

	Any idea of how I could achieve this?

	Thanks in advance.


-- 
     Roberto Suarez Soto                     Hurt me plenty

