[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device
paul at xelerance.com
Fri Aug 19 09:56:21 EDT 2011
On Thu, 18 Aug 2011, Roberto Suarez Soto wrote:
> I'm trying to establish an IPSec VPN between a PaloAlto Networks device (don't
> know which exactly, it's out of our control) and openswan (v2.4.12, Debian
> "Lenny"). This is my configuration (IP addresses obfuscated by customer's
> conn myconnection
> As you can see, it's a transport mode connection, but I've defined leftsubnet
> and rightsubnet anyway. The result is that I can route packets without
> problems between AA.AA.AA.AA/BB and CC.CC.CC.CC/BB, but I also accept traffic
> from the other side not in these networks. These networks are defined in the
> PaloAlto configuration as "proxy IDs".
I doubt that works. For hacks with "proxy ID" or "NATed IPs" inside invalid ipsec
policies, you might want to look at:
> Part of the intended setup is dynamic routing, so we can route several
> networks through this IPSec link. After discarding OSPF, we're going with RIP.
> It seems that the PaloAlto devices can't use GRE tunnels, so this has to be
> made directly through the IPSec connection.
> And here comes the problem. The RIP traffic that comes from the PaloAlto
> device uses the local IP of its "IPSec tunnel" (no idea of what it means),
> which is, of course, from a network that I can't route anywhere (let's say
> "EE.EE.EE.EE"). So I can see packets from that IP through the IPSec link, but
> can't reply to them because I don't know where to send them.
> If I used KLIPS, I guess I could just route EE.EE.EE.EE/32 through some
> ipsec* device; but alas, I'm using NETKEY. So I'm stuck because I can't
> communicate with the PaloAlto device in any way to send it RIP information.
> Any idea of how I could achieve this?
> Thanks in advance.
> Roberto Suarez Soto Hurt me plenty
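An added check, not from this thread or from Openswan, for the concern raised above that traffic from outside the declared networks is accepted: it reads the kernel SPD in the shape `ip xfrm policy` prints on a NETKEY host and flags any policy whose selector pair is not exactly the declared left/right subnets. The subnets and the sample SPD text are constructed placeholders; on a real host pipe `ip xfrm policy` into `audit_spd`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the installed IPsec
# policies (SPD) of a NETKEY/XFRM host against the subnets the connection is
# supposed to protect. Anything wider than those subnets means the kernel will
# accept or emit protected traffic the configuration did not intend.

# Constructed sample in the shape of `ip xfrm policy` output. Addresses are
# documentation placeholders. The third policy has a 0.0.0.0/0 selector toward
# the local subnet, i.e. it would accept traffic from outside the declared peer
# network, which is the symptom described in the thread.
SAMPLE_SPD='src 10.1.0.0/24 dst 10.2.0.0/24
	dir out priority 2344 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 16385 mode transport
src 10.2.0.0/24 dst 10.1.0.0/24
	dir in priority 2344 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16385 mode transport
src 0.0.0.0/0 dst 10.1.0.0/24
	dir in priority 2344 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16385 mode transport'

# audit_spd LEFT RIGHT  (reads `ip xfrm policy` text on stdin)
# Prints one line per policy whose selector is not (LEFT -> RIGHT) for "dir out"
# or (RIGHT -> LEFT) for "dir in"/"dir fwd". Exit status is 1 if any was found.
audit_spd() {
    awk -v left="$1" -v right="$2" '
        # selector line: "src A/M dst B/N" (the tmpl line starts with "tmpl", so it is skipped)
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; next }
        # direction line follows the selector it belongs to
        $1 == "dir" {
            dir = $2
            ok = (dir == "out" && src == left && dst == right) ||
                 ((dir == "in" || dir == "fwd") && src == right && dst == left)
            if (!ok) {
                bad++
                printf "unexpected policy: dir %s src %s dst %s\n", dir, src, dst
            }
        }
        END { exit (bad > 0) }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SPD" | audit_spd 10.1.0.0/24 10.2.0.0/24 \
    || echo "SPD contains policies outside the declared subnets"
```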