[Openswan Users] How to apply the policy on an interface?

Diego Woitasen diego at woitasen.com.ar
Wed Aug 31 15:12:03 EDT 2011


Hi,
 I have an IPSEC setup between two Linux gateways. It's working fine
except for one thing. I have the subnet 10.12.160.0/24 in one side and
10.0.0.0/8 on the other side (the headquarters, with several subnets).
Because I have leftsubnet=10.12.160.0/24 and rightsubnet=10.0.0.0/8 on
one of the sides, the SPD has the following entries:

src 10.12.160.0/24 dst 10.0.0.0/8
   .....
src 10.0.0.0/8 dst 10.12.160.0/24
   .....
src 10.0.0.0/8 dst 10.12.160.0/24
   .....

If I ping from a host in the subnet 10.12.160.0/24 to the gateway, I
get no reply. That's clear to me, because the policy says that
security is required for anything that matches
10.0.0.0/8<->10.12.126.0/24. To prove this, I got the ping working
with these lines:

ip xfrm policy add dir in src 10.12.160.0/24 dst 10.12.160.0/24 action allow
ip xfrm policy add dir out src 10.12.160.0/24 dst 10.12.160.0/24 action allow

Now, my question is... is it possible to configure Openswan in a way
that the policy created after the SAs uses the interface as selector?

Regards,
 Diego


-- 
Diego Woitasen
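The behaviour described in the post (gateway-local traffic caught by the 10.0.0.0/8<->10.12.160.0/24 tunnel policies, and the two "action allow" entries taking precedence) can be reproduced with a small SPD lookup model. This is an added example, not code from the post or from Openswan; the policy priorities, the gateway address 10.12.160.1 and the host addresses are constructed, and the kernel's tie-breaking between equal-priority policies is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class XfrmPolicy:
    direction: str                  # "in", "out" or "fwd"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                     # "allow" = bypass, "ipsec" = protection required
    priority: int                   # lower number is examined first, as in the kernel


def parse_policy(line: str) -> XfrmPolicy:
    """Parse one 'key value ...' policy line (the format of the constructed SPD below)."""
    tokens = line.split()
    kv = dict(zip(tokens[0::2], tokens[1::2]))
    return XfrmPolicy(
        direction=kv["dir"],
        src=ipaddress.ip_network(kv["src"]),
        dst=ipaddress.ip_network(kv["dst"]),
        action=kv.get("action", "ipsec"),
        priority=int(kv.get("priority", "0")),
    )


def lookup(spd: List[XfrmPolicy], direction: str, src_ip: str, dst_ip: str) -> Optional[XfrmPolicy]:
    """Return the policy that governs this packet, or None if no selector matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in spd if p.direction == direction and s in p.src and d in p.dst]
    if not matches:
        return None                       # no policy at all: packet passes in the clear
    # Lowest priority number wins; on ties the first listed entry is taken here.
    return min(matches, key=lambda p: p.priority)


def verdict(spd: List[XfrmPolicy], direction: str, src_ip: str, dst_ip: str) -> str:
    p = lookup(spd, direction, src_ip, dst_ip)
    if p is None or p.action == "allow":
        return "pass"
    return "ipsec-required"               # plaintext packet is dropped by the SPD


def ping_roundtrip(spd: List[XfrmPolicy], host_ip: str, gw_ip: str) -> Tuple[str, str]:
    """Both legs of an echo request/reply as seen by the gateway's own SPD."""
    return verdict(spd, "in", host_ip, gw_ip), verdict(spd, "out", gw_ip, host_ip)


# Constructed SPD mirroring the post: policies installed for
# leftsubnet=10.12.160.0/24 / rightsubnet=10.0.0.0/8. The priority values are made up.
TUNNEL_SPD = [parse_policy(l) for l in """
src 10.12.160.0/24 dst 10.0.0.0/8 dir out priority 2344 action ipsec
src 10.0.0.0/8 dst 10.12.160.0/24 dir fwd priority 2344 action ipsec
src 10.0.0.0/8 dst 10.12.160.0/24 dir in priority 2344 action ipsec
""".split("\n") if l.strip()]

# The two bypass entries from the post. "ip xfrm policy add" without a priority
# argument yields priority 0, so they are examined before the tunnel policies.
BYPASS = [parse_policy(l) for l in """
src 10.12.160.0/24 dst 10.12.160.0/24 dir in priority 0 action allow
src 10.12.160.0/24 dst 10.12.160.0/24 dir out priority 0 action allow
""".split("\n") if l.strip()]

GATEWAY = "10.12.160.1"    # assumed LAN-side address of the gateway
LAN_HOST = "10.12.160.50"  # assumed host on the local subnet
HQ_HOST = "10.0.5.7"       # assumed host behind the remote gateway

if __name__ == "__main__":
    print("ping gateway, tunnel policies only:", ping_roundtrip(TUNNEL_SPD, LAN_HOST, GATEWAY))
    print("ping gateway, with bypass entries: ", ping_roundtrip(BYPASS + TUNNEL_SPD, LAN_HOST, GATEWAY))
    print("LAN host -> HQ with bypass entries:", verdict(BYPASS + TUNNEL_SPD, "out", LAN_HOST, HQ_HOST))
```

Running it shows both legs of the gateway ping hitting the 10.0.0.0/8 selectors (the local subnet is inside that /8), the bypass entries turning both legs into "pass", and traffic towards the remote 10.0.0.0/8 hosts still requiring IPsec, so the narrower allow policy does not weaken the tunnel.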