[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device
Roberto Suarez Soto
roberto.suarez.soto at gmail.com
Thu Aug 18 12:58:33 EDT 2011
I'm trying to establish a IPSec VPN between a PaloAlto Networks device (don't
know which exactly, it's out of our control) and openswan (v2.4.12, Debian
"Lenny"). This is my configuration (IP addresses obfuscated by customer's
As you can see, it's a transport mode connection, but I've defined leftsubnet
and rightsubnet anyway. The result is that I can route packets without
problems between AA.AA.AA.AA/BB and CC.CC.CC.CC/BB, but I also accept traffic
from the other side not in this networks. These networks are defined in the
PaloAlto configuration as "proxy IDs".
Part of the intended setup is dynamic routing, so we can route several
networks through this IPSec link. After discarding OSPF, we're going with RIP.
It seems that the PaloAlto devices can't use GRE tunnels, so this has to be
made directly through the IPSec connection.
And here comes the problem. The RIP traffic that comes from the PaloAlto
device uses the local IP of its "IPSec tunnel" (no idea of what it means),
which is, of course, from a network that I can't route anywhere (let's say
"EE.EE.EE.EE". So I can see packets from that IP through the IPSec link, but
can't reply to them because I don't know where to send them.
If I used KLIPS, I guess I could just route EE.EE.EE.EE/32 through some
ipsec* device; but alas, I'm using NETKEY. So I'm stuck because I can't
communicate with the PaloAlto device in any way to send it RIP information.
Any idea of how could I do to achieve this?
Thanks in advance.
Roberto Suarez Soto Hurt me plenty
More information about the Users