[Openswan Users] Public subnet extrusion
Niccolò Belli
darkbasic at linuxsystems.it
Fri Feb 24 12:11:36 EST 2012
On 24/02/2012 16:52, Paul Wouters wrote:
> That is partially because the NETKEY IPsec stack is being retarded. For
> netkey, tunneling 0.0.0.0/0 means tunnel everything, including LAN
> traffic and the remote vpn IP. You might need to make a passthrough
> route to avoid that, though that's difficult on roadwarriors as it
> changes all the time.
>
> Your best bet is to leave the tunnel without sourceip= settings and then
> using "ip route" and "ip rule" tricks to "prefer" the new IP as the
> default for some traffic (eg port 80)
>
> An easier solution is probably to just use L2TP/IPsec, where the remote
> gives you the 5.5.5.100 IP and the pppd deals with the routing and
> traffic preferences for you.
>
> Paul
Hi,
I really don't understand how the hell it works. If I don't use
"leftsourceip", it doesn't tunnel anything despite rightsubnet=0.0.0.0/0!
Also, without NAT it works (nearly) flawlessly! Here is the working
configuration without NAT:
Server A:
eth0 5.5.5.1/24 (network 5.5.5.0/24) (PUBLIC)
eth1 172.16.1.1/16 (network 172.16.0.0/16) (PRIVATE)
eth2 6.6.6.1/32 (PUBLIC)

conn server1-server2
    authby=rsasig
    left=5.5.5.1
    leftsubnet=0.0.0.0/0
    leftrsasigkey=
    right=5.5.5.2
    rightsubnet=172.16.0.0/24
    rightid=@server2
    rightrsasigkey=
    type=tunnel
    auto=add
Server B:
eth0 5.5.5.2/24 (network 5.5.5.0/24) (PUBLIC)
eth1 172.16.0.1/24 (network 172.16.0.0/24) (PRIVATE)

conn server1-server2
    authby=rsasig
    left=5.5.5.2
    leftsubnet=172.16.0.0/24
    leftsourceip=172.16.0.1
    leftid=@server2
    leftrsasigkey=
    right=5.5.5.1
    rightsubnet=0.0.0.0/0
    rightrsasigkey=
    type=tunnel
    auto=start
Server A NATs outgoing connections from 172.16.1.1/24 on IP 6.6.6.1,
and server B surfs the web with that IP. The strange thing is that
server B does not tunnel the traffic toward 5.5.5.0/24 despite
rightsubnet=0.0.0.0/0! Also, the traffic toward 5.5.5.0/24 originates
from IP 5.5.5.2 despite leftsourceip=172.16.0.1!
Could someone please explain how the hell it works? I even bought your
Openswan book, but it just explains the basics and not how stuff is
really implemented.
At least it doesn't crash the whole system now:
http://marc.info/?l=linux-netdev&m=133000782209351&w=2 :(
Thanks,
Niccolò
P.S.
I use Debian Squeeze amd64 on both machines.
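One way to build the "passthrough route" Paul mentions, as an added example that is not from this thread or from the Openswan project: two shunt conns on server B that keep local LAN traffic and the public segment of the IKE peer out of the 0.0.0.0/0 tunnel. The conn names are invented, the addresses are the ones from the configuration above, and the use of type=passthrough together with authby=never and auto=route follows ipsec.conf(5) as I understand it; that the more specific passthrough policy takes precedence over the 0.0.0.0/0 tunnel policy in NETKEY is an assumption to verify with "ip xfrm policy".

```ini
# Added example for server B (not from the thread or from Openswan's own docs).
# These conns are loaded and installed as shunts at startup (auto=route) and
# never negotiate IPsec, so packets matching them are not encapsulated by the
# server1-server2 tunnel even though its rightsubnet is 0.0.0.0/0.
# Assumption: the more specific passthrough policy wins over the catch-all
# tunnel policy; check with "ip xfrm policy" after "ipsec auto --route".

# Local LAN stays local: 172.16.0.0/24 <-> 172.16.0.0/24 goes out in the clear.
conn passthrough-lan
    left=5.5.5.2
    leftsubnet=172.16.0.0/24
    right=0.0.0.0
    rightsubnet=172.16.0.0/24
    type=passthrough
    authby=never
    auto=route

# The IKE peer's public segment must not be tunnelled either, otherwise the
# IKE and ESP packets to 5.5.5.1 would themselves match 0.0.0.0/0.
conn passthrough-peer
    left=5.5.5.2
    leftsubnet=172.16.0.0/24
    right=0.0.0.0
    rightsubnet=5.5.5.0/24
    type=passthrough
    authby=never
    auto=route
```

If the 0.0.0.0/0 tunnel still swallows LAN packets, compare the priorities "ip xfrm policy" prints for the /24 shunts and the /0 tunnel policy before changing anything else.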