[Openswan Users] Openswan and routing using NETKEY.

Paul Wouters paul at xelerance.com
Mon Oct 3 11:13:25 EDT 2011


On Sun, 2 Oct 2011, Kevin Wilson wrote:

> My question is regarding openswan and routing using NETKEY.
> I have three machines; I want to setup routing on machine B so
> traffic sent from A to C will
> be ESP encrypted (tunnel mode or transport mode). I must use NETKEY.

The ASCII art got mangled, so I am not sure what it is you want.

> ---------------------            ------------------------------
>            ---------------------------------
> |                         |         |
>  |                  |                                       |
> |1.1.1.6 (eth0)  |  ----- | 1.1.1.196 (eth1)        |
> |                                        |
> |                         |         |
>  |                  |                                        |
> |                         |         |192.168.1.196(eth0) |   ---------
>   | 192.168.1.197 (eth1)   |
> ---------------------           --------------------------------
>           ----------------------------------
>      A                                      B

It looks like your 192.168.1.0/24 lives at two places at once? While
possible, that would require them being told explicitly it is not
in their local LAN with some kind of host route. The same seems to apply
to 1.1.1.0/24, so I am not sure I understand this. Likely because I'm
misreading the ASCII art.

> Setup:
> On machines A and B runs openswan (2.6.29).
> I need to run netkey on both machines (and not KLIPS).
>
> On machine A:
> 	eth0 has 1.1.1.6; connected directly to machine B (via eth1
> 	of machine B).
> 	Can ping 1.1.1.196
>
> On machine B:
> 	- eth1 has 1.1.1.196; connected directly to machine A via eth0 of machine A;
> 	  able to ping 1.1.1.6 before starting ipsec service.
> 	- eth0 has 192.168.1.196; connected directly to machine C via eth1
> 	  of machine C; able to ping 192.168.1.197.
> On machine C:
> 	192.168.1.197 on eth1. Connected directly to machine B and can
> 	ping 192.168.1.196.
>
> Now, I want to create tunnel mode with routing between A and C using openswan.

So that would be 1.1.1.6 <-> 192.168.1.197?

> What I mean is that traffic going from A to C will go via B.
> Thus, the traffic which C sends to A and that A receives will be ESP encrypted.
>
> I tried this /etc/ipsec.conf:
>
> config setup
> 	protostack=netkey
>
> conn sample
> 	type=tunnel
> 	left=1.1.1.6
> 	right=1.1.1.196
> 	authby=secret
> 	auto=start

So that would have to be right=192.168.1.197 to cover your case?

> but traffic (ping, for example) sent from A to C was not ESP encrypted.
> I should add that I added this routing rule on A:
> route add 192.168.1.197 gw 1.1.1.196
>
> I had also tried using subnets, as in the following /etc/ipsec.conf:
>
> config setup
> 	protostack=netkey
>
> conn sample
> 	type=tunnel
> 	left=1.1.1.6
> 	leftsubnet=192.168.0.0/24
> 	leftnexthop=1.1.1.196
> 	right=1.1.1.196
> 	rightsubnet=10.0.0.0/24
> 	rightnexthop=1.1.1.6
> 	authby=secret
> 	auto=start
>
> And I added IP address of 10.0.0.10 on eth0:0 of A; and 192.168.0.10
> on eth1:0 of B.
>
> Added a routing rule:
> route add 192.168.0.10 gw 1.1.1.196

No idea where 192.168.0.* suddenly comes from?

> Please advise - what should I do to achieve ESP encryption with NETKEY
> with routing between A and C?

Note you cannot see outgoing ESP packets with NETKEY on the machine itself,
so be careful using tcpdump.

Paul
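Putting Paul's correction (right=192.168.1.197, so the tunnel runs end to end between A and C while B only forwards) into one concrete configuration, as an added example that is not part of the thread. It assumes the conn name a-to-c, a placeholder PSK, that B carries no conn for this traffic, and that the nexthop lines are optional under NETKEY where the kernel's own host routes decide the path.

```conf
# --- /etc/ipsec.conf, identical on A (1.1.1.6) and C (192.168.1.197) ---
# Openswan works out which end is "left" from the local addresses,
# so the same conn can be loaded on both endpoints.
config setup
	protostack=netkey

# Host-to-host tunnel: no leftsubnet/rightsubnet, so the policy
# covers exactly 1.1.1.6 <-> 192.168.1.197, and the ESP outer
# header carries those same addresses, which B routes like any IP.
conn a-to-c
	type=tunnel
	left=1.1.1.6
	# B's eth1: A's gateway toward C (informational under NETKEY)
	leftnexthop=1.1.1.196
	right=192.168.1.197
	# B's eth0: C's gateway toward A (informational under NETKEY)
	rightnexthop=192.168.1.196
	authby=secret
	auto=start

# --- /etc/ipsec.secrets, same line on A and C (PSK is a placeholder) ---
1.1.1.6 192.168.1.197 : PSK "replace-with-a-real-shared-secret"

# --- Routing outside ipsec.conf (shell, as root) ---
#   on A: route add -host 192.168.1.197 gw 1.1.1.196
#   on C: route add -host 1.1.1.6 gw 192.168.1.196
#   on B: sysctl -w net.ipv4.ip_forward=1
#         (B forwards IKE on UDP/500 and ESP, IP protocol 50; no conn on B)
# --- Checking that traffic really is ESP ---
# NETKEY hides outgoing ESP from tcpdump on the sender, so capture on B:
#   tcpdump -ni eth1 esp
# or read the SA packet/byte counters on A instead:
#   ip -s xfrm state
```

If the counters on A stay at zero while pings succeed, the packets are leaving in the clear and the conn's left/right do not match the addresses the traffic actually uses.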