[Openswan Users] How to apply the policy on a interface?
Diego Woitasen
diego at woitasen.com.ar
Wed Aug 31 15:39:51 EDT 2011
On Wed, Aug 31, 2011 at 4:12 PM, Diego Woitasen <diego at woitasen.com.ar> wrote:
> Hi,
> I have an IPsec setup between two Linux gateways. It's working fine
> except for one thing. I have the subnet 10.12.160.0/24 on one side and
> 10.0.0.0/8 on the other side (the headquarters, with several subnets).
> Because I have leftsubnet=10.12.160.0/24 and rightsubnet=10.0.0.0/8 on
> one of the sides, the SPD has the following entries:
>
> src 10.12.160.0/24 dst 10.0.0.0/8
> .....
> src 10.0.0.0/8 dst 10.12.160.0/24
> .....
> src 10.0.0.0/8 dst 10.12.160.0/24
> .....
>
> If I ping from a host in the subnet 10.12.160.0/24 to the gateway, I
> get no reply. That's clear to me because the policy says that
> security is required for anything that matches
> 10.0.0.0/8<->10.12.126.0/24. To prove this, I got the ping working
> with these lines:
>
> ip xfrm policy add dir in src 10.12.160.0/24 dst 10.12.160.0/24 action allow
> ip xfrm policy add dir out src 10.12.160.0/24 dst 10.12.160.0/24 action allow
>
> Now, my question is... is it possible to configure Openswan in a way
> that the policy created after the SAs uses the interface as selector?
>
> Regards,
> Diego
>
>
> --
> Diego Woitasen
>
It seems impossible :)
I fixed the problem using ipsec.conf thanks to Letoto (irc) and the
example hub-spoke.conf.
conn netkeybug
    left=10.12.160.254
    leftsubnet=10.12.160.0/24
    right=0.0.0.0
    rightsubnet=10.12.160.0/24
    authby=never
    type=passthrough
    auto=route
Regards
Diego
--
Diego Woitasen
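The following script is an added illustration and is not part of the thread or of Openswan. It parses text in the shape of `ip xfrm policy` output (the sample below is constructed, with made-up priority numbers and made-up tunnel endpoints 192.0.2.1 / 198.51.100.1) and shows why a plaintext ping from the LAN to the gateway is dropped under the 10.0.0.0/8 policy, and why the more specific passthrough entries added by the `netkeybug` conn let it through. It assumes the kernel rule that among matching SPD entries the one with the lowest priority value wins, and that an entry without a `tmpl` line is a plain allow.

```python
"""Decide which SPD entry a packet hits, from `ip xfrm policy`-style text.

Added example; the sample SPD text below is constructed, not a real capture.
"""
import ipaddress
import re

# Constructed sample: the three entries a leftsubnet/rightsubnet tunnel installs.
# Priority numbers and tunnel endpoints are made up for illustration.
SPD_TUNNEL = """\
src 10.12.160.0/24 dst 10.0.0.0/8
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.0.0.0/8 dst 10.12.160.0/24
    dir fwd priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.0.0.0/8 dst 10.12.160.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
"""

# Constructed sample: the passthrough entries for LAN<->LAN traffic. More
# specific selectors get a lower (= stronger) priority value than the /8 ones.
SPD_PASSTHROUGH = """\
src 10.12.160.0/24 dst 10.12.160.0/24
    dir out priority 1000 ptype main
src 10.12.160.0/24 dst 10.12.160.0/24
    dir in priority 1000 ptype main
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")


def parse_spd(text):
    """Return a list of policies: selector, direction, priority, templates."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = SEL_RE.match(line)
        if m:
            cur = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "dir": None,
                "priority": None,
                "tmpl": [],  # empty list means plain allow (passthrough)
            }
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl"].append((m.group(1), m.group(2)))
    return policies


def lookup(policies, src, dst, direction):
    """Pick the matching entry with the lowest priority value, or None."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    if not hits:
        return None
    return min(hits, key=lambda p: p["priority"])


def verdict(policies, src, dst, direction):
    """'none' (no policy), 'ipsec' (ESP required; plaintext dropped) or 'passthrough'."""
    p = lookup(policies, src, dst, direction)
    if p is None:
        return "none"
    return "ipsec" if p["tmpl"] else "passthrough"


if __name__ == "__main__":
    before = parse_spd(SPD_TUNNEL)
    after = parse_spd(SPD_TUNNEL + SPD_PASSTHROUGH)
    # A LAN host pinging the gateway: the gateway address is inside 10.0.0.0/8.
    print("ping LAN->gateway, tunnel only :", verdict(before, "10.12.160.10", "10.12.160.254", "in"))
    print("ping LAN->gateway, + passthrough:", verdict(after, "10.12.160.10", "10.12.160.254", "in"))
    print("LAN->HQ host, + passthrough     :", verdict(after, "10.12.160.10", "10.0.5.5", "out"))
```

Running it prints `ipsec`, `passthrough`, `ipsec`: the gateway's own address falls inside the 10.0.0.0/8 selector, so without the passthrough entries the inbound plaintext ping is dropped, while traffic to the headquarters subnets still requires the tunnel after the fix.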