[Openswan Users] Public subnet extrusion
pwouters at redhat.com
Fri Feb 24 10:12:20 EST 2012
On Fri, 24 Feb 2012, Niccolò Belli wrote:
> Host A is a server with a 18.104.22.168/24 public subnet, host B is a roadwarrior
> (dynamic ip, nat).
> I want to give a public ip to the roadwarrior (let's say 22.214.171.124).
> The roadwarrior's internal ip is in the 192.168.20.0/24 range (let's say
> Roadwarrior (B) ipsec.conf
> conn roadwarrior-server
> I can ping 126.96.36.199 from server A but the roadwarrior can't reach server A.
> I can surf the web but it doesn't tunnel the traffic at all (IP isn't
> 188.8.131.52). I tried adding leftsourceip=184.108.40.206 in the roadwarrior but I
> can't even reach server A to establish the vpn connection such a way!
That is partially because the NETKEY IPsec stack is being retarded. For
netkey, tunneling 0.0.0.0/0 means tunnel everything, including LAN
traffic and the remote vpn IP. You might need to make a passthrough
route to avoid that, though that's difficult on roadwarriors as it
changes all the time.
Your best bet is to leave the tunnel without sourceip= settings and then
use "ip route" and "ip rule" tricks to "prefer" the new IP as the
default for some traffic (e.g. port 80).
An easier solution is probably to just use L2TP/IPsec, where the remote
gives you the 220.127.116.11 IP and the pppd deals with the routing and
traffic preferences for you.
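One concrete form of the "ip route" / "ip rule" approach suggested above, as an added example that is not from the thread or from Openswan: a small helper that steers only TCP port 80 from the roadwarrior through the tunnel by giving those connections the public IP as their source address. It assumes the conn uses leftsubnet set to that /32 and rightsubnet=0.0.0.0/0, a kernel and iproute2 new enough for port matching in "ip rule" (4.17 or later), and that the interface, gateway and table id are placeholders to edit.

```shell
#!/bin/sh
# Steer one traffic class (TCP port 80) from a NATed roadwarrior through the
# IPsec tunnel by giving those connections the tunnelled public IP as source.
# Added example, not from the thread. Assumes the conn uses
# leftsubnet=$VPN_IP/32 and rightsubnet=0.0.0.0/0, so only packets sourced
# from VPN_IP match the XFRM policy; everything else keeps the LAN source.
# Port matching in "ip rule" needs Linux/iproute2 4.17 or newer (assumption).

VPN_IP="${VPN_IP:-22.214.171.124}"  # public IP handed to the roadwarrior (from the thread)
WAN_IF="${WAN_IF:-wlan0}"           # interface behind the NAT (placeholder)
WAN_GW="${WAN_GW:-192.168.20.1}"    # LAN gateway in 192.168.20.0/24 (placeholder)
PORT="${PORT:-80}"                  # traffic class to send through the tunnel
TABLE="${TABLE:-100}"               # spare routing table id (placeholder)

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed
# (and tested) on a box where nothing should be changed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. make VPN_IP a local address: "src" in a route must name a local address,
#    and decapsulated replies to VPN_IP are then delivered to this host;
# 2. connections to $PORT consult the private table at connect() time, i.e.
#    before the kernel picks a source address;
# 3. that table's only route is the normal gateway with src forced to VPN_IP,
#    so the inner packet matches the tunnel policy and is encapsulated, while
#    the outer ESP/UDP packet still leaves with the ordinary LAN source.
apply_rules() {
    run ip addr add "$VPN_IP/32" dev lo
    run ip rule add ipproto tcp dport "$PORT" lookup "$TABLE"
    run ip route add default via "$WAN_GW" dev "$WAN_IF" src "$VPN_IP" table "$TABLE"
}

# Tear down in reverse order (removing the address first would also drop the
# route that names it as src).
remove_rules() {
    run ip route del default table "$TABLE"
    run ip rule del ipproto tcp dport "$PORT" lookup "$TABLE"
    run ip addr del "$VPN_IP/32" dev lo
}

case "${1:-}" in
    up)   apply_rules ;;
    down) remove_rules ;;
    *)    echo "usage: [DRY_RUN=1] $0 up|down" >&2 ;;
esac
```

Run with DRY_RUN=1 first to see the exact commands for your addresses; traffic not matched by the rule (including the IKE/ESP packets themselves) keeps using the LAN address and the main table.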