[Openswan Users] leftsubnet 0.0.0.0/0

James Taylor proxy06 at gmail.com
Thu Sep 1 15:00:08 EDT 2011 

In essence, I want to establish single IPsec tunnel between two
computers which both have static IP addresses 92.33.127.197 FIRST and
64.33.90.5 SECOND

I would like the SECOND to route all it's traffic through the FIRST
via IPsec tunnel. This way it would appear as if all the traffic is
originating from the FIRST computer.

I've read about extruded subnets which seems to be a solution but I
would like not to "extrude" any IPs from my FIRST machine.


On Thu, Sep 1, 2011 at 8:33 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 1 Sep 2011, James Taylor wrote:
>
>> I am trying to implement the following configuration:
>> 000 "LS-NET-PSK":
>> 0.0.0.0/0===92.33.127.197[+S=C]...92.33.127.193---%any[+S=C];
>> unrouted; eroute owner: #0
>>
>> ... which means that my VPN server (92.33.127.197) is configured to
>> accept connections from any client and that the left private subnet is
>> the whole Internet.
>> I want all client machines, once connected, to send all their traffic
>> through VPN server.
>>
>> Configuration file looks as follows:
>> conn LS-NET-PSK
>>       authby=secret
>>       pfs=no
>>       rekey=no
>>       keyingtries=3
>>       type=tunnel
>>       left=%defaultroute
>>        leftsubnet=0.0.0.0/0
>>       right=%any
>
> Does this connection even load? how should this end know if it is "left" or
> "right"?
> You say later these servers are on public ip. If that is static, just
> configure
> that into you left/right options.
>
>>        rightnexthop=%defaultroute
>>       auto=add
>>
>> Now I am configuring another server as a client to pass all the
>> traffic through the VPN server.
>> My second server has real Internet IP 64.33.90.5. It is not behind NAT.
>> Second server configuration file below:
>> conn LS-NET-PSK-CLIENT
>>       authby=secret
>>       pfs=no
>>       rekey=yes
>>       keyingtries=3
>>       type=tunnel
>>       left=%defaultroute
>>       right=92.33.127.197
>>       rightsubnet=0.0.0.0/0
>>       auto=add
>>
>> Now if I establish the connection, my second server starts sending ESP
>> packets through the VPN server 92.33.127.197
>> I can see it with tcpdump.
>>
>> The problem is that target server, which has the IP address
>> 66.33.102.58 does not route response through the VPN server
>> 92.33.127.197.
>> Instead target server tries to communicate directly to the 64.33.90.5
>> over unencrypted channel
>
> So you have chained them?
>
> I am not sure what you are trying to do here.
>
>
> clients--->vpn1---->vpn2----> internet ?
>
> defaultroute/0.0.0.0 --> 0.0.0.0/0.0.0.0 -> 0.0.0.0/.0.0.0.0 -> internet ?
> vpn1 cannot be both 0.0.0.0/0 for one side and the other side. How would it
> know where to send a packet for 1.2.3.4 to?
>
> Paul
>

More information about the Users mailing list