[Openswan Users] Public subnet extrusion

Paul Wouters pwouters at redhat.com
Fri Feb 24 10:12:20 EST 2012


On Fri, 24 Feb 2012, Niccolò Belli wrote:

> Host A is a server with a 5.5.5.0/24 public subnet, host B is a roadwarrior 
> (dynamic ip, nat).
>
> I want to give a public ip to the roadwarrior (let's say 5.5.5.100).
> The roadwarrior's internal ip is in the 192.168.20.0/24 range (let's say 
> 192.168.20.150).

> Roadwarrior (B) ipsec.conf

> conn roadwarrior-server
> 	authby=rsasig
> 	left=%defaultroute
> 	leftsubnet=5.5.5.100/32
> 	#leftsourceip=5.5.5.100
> 	leftid=@laptop
> 	leftrsasigkey=...
> 	right=5.5.5.1
> 	rightsubnet=0.0.0.0/0
> 	rightrsasigkey=...
> 	type=tunnel
> 	auto=start
>
>
> I can ping 5.5.5.100 from server A but the roadwarrior can't reach server A. 
> I can surf the web but it doesn't tunnel the traffic at all (IP isn't 
> 5.5.5.100). I tried adding leftsourceip=5.5.5.100 in the roadwarrior but I 
> can't even reach server A to establish the vpn connection such a way!

That is partially because the NETKEY IPsec stack is being retarded. For
netkey, tunneling 0.0.0.0/0 means tunnel everything, including LAN
traffic and the remote vpn IP. You might need to make a passthrough
route to avoid that, though that's difficult on roadwarriors as it
changes all the time.

Your best bet is to leave the tunnel without sourceip= settings and then
use "ip route" and "ip rule" tricks to "prefer" the new IP as the
default for some traffic (eg port 80).

An easier solution is probably to just use L2TP/IPsec, where the remote
gives you the 5.5.5.100 IP and the pppd deals with the routing and
traffic preferences for you.

Paul
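
The "ip route"/"ip rule" approach from the reply above, written out as an added example (not code from the thread or from Openswan). It keeps the roadwarrior's conn as posted, minus leftsourceip=, and adds the 5.5.5.100 address locally so that only selected traffic is sourced from it and therefore matches the leftsubnet=5.5.5.100/32 policy; everything else keeps the LAN address and is not encapsulated. Two variants are shown: a destination-based one that needs only ip rule/ip route, and a port-based one for the "eg port 80" case, which additionally needs an SNAT because a fwmark cannot change the source address of a socket that has already bound it. The uplink name wlan0, gateway 192.168.20.1, routing table 100, fwmark 1 and the destination prefix 203.0.113.0/24 are assumed placeholders; 5.5.5.1 and 5.5.5.100 come from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: source-address policy
# routing for the roadwarrior (host B). Run as root once the tunnel is
# up ("up" / "down" argument); DRY_RUN=1 prints the commands instead.

TUNNEL_IP="5.5.5.100"                        # public IP given to host B (from the thread)
SERVER="5.5.5.1"                             # host A (from the thread); IKE/ESP must bypass
WAN_IF="${WAN_IF:-wlan0}"                    # assumed uplink interface
WAN_GW="${WAN_GW:-192.168.20.1}"             # assumed LAN gateway on 192.168.20.0/24
TABLE="${TABLE:-100}"                        # assumed spare routing table
MARK="${MARK:-1}"                            # assumed fwmark for port-80 traffic
PREFER_DST="${PREFER_DST:-203.0.113.0/24}"   # constructed example destination

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_policy_route() {
    # The address must exist locally before a route may use it as src.
    run ip addr add "$TUNNEL_IP/32" dev lo

    # (a) Destination-based, pure ip rule/ip route. Rules are consulted
    # at connect() time, so the src hint really selects 5.5.5.100 and the
    # kernel's IPsec policy lookup then matches leftsubnet=5.5.5.100/32.
    run ip route add default via "$WAN_GW" dev "$WAN_IF" src "$TUNNEL_IP" table "$TABLE"
    run ip rule add to "$SERVER" lookup main pref 90       # IKE/ESP stays on the LAN IP
    run ip rule add to "$PREFER_DST" lookup "$TABLE" pref 100

    # (b) Port-based ("eg port 80"). The socket binds its source before
    # mangle OUTPUT runs, so a mark alone cannot change it; marked packets
    # are SNATed instead. Netfilter repeats the xfrm lookup after SNAT, so
    # the rewritten packet is matched by the policy and tunnelled.
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 ! -d "$SERVER" -j MARK --set-mark "$MARK"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m mark --mark "$MARK" -j SNAT --to-source "$TUNNEL_IP"
}

teardown_policy_route() {
    run iptables -t nat -D POSTROUTING -o "$WAN_IF" -m mark --mark "$MARK" -j SNAT --to-source "$TUNNEL_IP"
    run iptables -t mangle -D OUTPUT -p tcp --dport 80 ! -d "$SERVER" -j MARK --set-mark "$MARK"
    run ip rule del to "$PREFER_DST" lookup "$TABLE" pref 100
    run ip rule del to "$SERVER" lookup main pref 90
    run ip route del default table "$TABLE"
    run ip addr del "$TUNNEL_IP/32" dev lo
}

case "${1:-}" in
    up)   setup_policy_route ;;
    down) teardown_policy_route ;;
esac
```

The pref-90 rule is the check worth keeping even if PREFER_DST is widened: if 5.5.5.1 were ever routed through table 100, IKE would be sourced from 5.5.5.100 and the tunnel could never come up, which is the same failure the original poster hit with leftsourceip=. Verify the result with `ip route get 203.0.113.10` (should report `src 5.5.5.100`) and `ip xfrm policy` (the outbound policy should carry src 5.5.5.100/32).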
