[Openswan Users] Public subnet extrusion

Paul Wouters pwouters at redhat.com
Fri Feb 24 10:12:20 EST 2012

On Fri, 24 Feb 2012, Niccolò Belli wrote:

> Host A is a server with a public subnet, host B is a roadwarrior 
> (dynamic ip, nat).
> I want to give a public ip to the roadwarrior (let's say
> The roadwarrior's internal ip is in the range (let's say 

> Roadwarrior (B) ipsec.conf

> conn roadwarrior-server
> 	authby=rsasig
> 	left=%defaultroute
> 	leftsubnet=
> 	#leftsourceip=
> 	leftid=@laptop
> 	leftrsasigkey=...
> 	right=
> 	rightsubnet=
> 	rightrsasigkey=...
> 	type=tunnel
> 	auto=start
> I can ping from server A but the roadwarrior can't reach server A. 
> I can surf the web but it doesn't tunnel the traffic at all (IP isn't 
> I tried adding leftsourceip= in the roadwarrior but I 
> can't even reach server A to establish the vpn connection such a way!

That is partially because the NETKEY IPsec stack is being retarded. For
netkey, tunneling means tunnel everything, including LAN
traffic and the remote vpn IP. You might need to make a passthrough
route to avoid that, though that's difficult on roadwarriors as it
changes all the time.

Your best bet is to leave the tunnel without sourceip= settings and then
use "ip route" and "ip rule" tricks to "prefer" the new IP as the
default for some traffic (e.g. port 80).

An easier solution is probably to just use L2TP/IPsec, where the remote
gives you the IP and the pppd deals with the routing and
traffic preferences for you.
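The "ip route" / "ip rule" approach suggested above, written out as an added example (this is not code from the thread or from Openswan): port-80 connections are marked with a netfilter mark, the mark selects a separate routing table, and that table's default route keeps the LAN gateway but forces the tunnel-assigned public IP as source, so only those packets match the leftsubnet=<public-ip>/32 policy and get encapsulated while everything else stays on the normal route. All addresses, the table number and the mark value are constructed placeholders, since the original mail elided the real ones; the script only prints the commands unless APPLY=1 is set (which needs root and a working netfilter/iproute2).

```shell
#!/bin/sh
# Added example, not from the original thread: policy-routing commands that
# make a roadwarrior use its tunnel-assigned public IP only for port-80 traffic.
# Placeholders (constructed): 203.0.113.10 = public /32 given to the roadwarrior,
# 192.0.2.1 = current LAN default gateway, table 100 / mark 0x1 = arbitrary ids.

VPN_PUB_IP="${VPN_PUB_IP:-203.0.113.10}"
LAN_GW="${LAN_GW:-192.0.2.1}"
PORT="${PORT:-80}"
TABLE="${TABLE:-100}"
MARK="${MARK:-0x1}"

# Roadwarriors change networks, so the gateway must be re-read at apply time.
detect_lan_gw() {
  ip -4 route show default 2>/dev/null | awk '/via/ { print $3; exit }'
}

# Emit the commands, one per line, without executing anything.
policy_route_cmds() {
  # 1. Mark locally generated TCP connections to $PORT.
  echo "iptables -t mangle -A OUTPUT -p tcp --dport $PORT -j MARK --set-mark $MARK"
  # 2. Marked packets are routed via table $TABLE instead of the main table.
  echo "ip rule add fwmark $MARK lookup $TABLE"
  # 3. Same LAN gateway, but source address forced to the tunnel IP; the
  #    XFRM policy for $VPN_PUB_IP/32 -> 0.0.0.0/0 then encrypts these packets.
  echo "ip route add default via $LAN_GW src $VPN_PUB_IP table $TABLE"
  # 4. Drop cached route decisions so the new rule takes effect immediately.
  echo "ip route flush cache"
}

# Reverse of policy_route_cmds, for when the roadwarrior leaves the network.
policy_route_undo_cmds() {
  echo "ip route flush table $TABLE"
  echo "ip rule del fwmark $MARK lookup $TABLE"
  echo "iptables -t mangle -D OUTPUT -p tcp --dport $PORT -j MARK --set-mark $MARK"
}

# Print the plan, or execute it line by line when APPLY=1.
run_or_print() {
  if [ "${APPLY:-0}" = "1" ]; then
    gw="$(detect_lan_gw)"
    [ -n "$gw" ] && LAN_GW="$gw"
    policy_route_cmds | while IFS= read -r cmd; do
      echo "+ $cmd"
      sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
  else
    policy_route_cmds
  fi
}

run_or_print
```

The order matters when undoing: flush the table before deleting the rule, and remove the mangle rule last so no packet is left marked with a lookup that no longer exists. Because the source address is what selects the IPsec policy, checking that the tunnel is up (ip xfrm policy) before applying these rules avoids sending port-80 traffic in the clear with a public source address the LAN will not route back.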