[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device

Roberto Suarez Soto roberto.suarez.soto at gmail.com
Thu Aug 18 12:58:33 EDT 2011


	I'm trying to establish a IPSec VPN between a PaloAlto Networks device (don't 
know which exactly, it's out of our control) and openswan (v2.4.12, Debian 
"Lenny"). This is my configuration (IP addresses obfuscated by customer's 

conn myconnection

	As you can see, it's a transport mode connection, but I've defined leftsubnet 
and rightsubnet anyway. The result is that I can route packets without 
problems between AA.AA.AA.AA/BB and CC.CC.CC.CC/BB, but I also accept traffic 
from the other side not in this networks. These networks are defined in the 
PaloAlto configuration as "proxy IDs".

	Part of the intended setup is dynamic routing, so we can route several 
networks through this IPSec link. After discarding OSPF, we're going with RIP. 
It seems that the PaloAlto devices can't use GRE tunnels, so this has to be 
made directly through the IPSec connection.

	And here comes the problem. The RIP traffic that comes from the PaloAlto 
device uses the local IP of its "IPSec tunnel" (no idea of what it means), 
which is, of course, from a network that I can't route anywhere (let's say 
"EE.EE.EE.EE". So I can see packets from that IP through the IPSec link, but 
can't reply to them because I don't know where to send them.

	If I used KLIPS, I guess I could just route EE.EE.EE.EE/32 through some 
ipsec* device; but alas, I'm using NETKEY. So I'm stuck because I can't 
communicate with the PaloAlto device in any way to send it RIP information.

	Any idea of how could I do to achieve this?

	Thanks in advance.

     Roberto Suarez Soto                     Hurt me plenty

More information about the Users mailing list