[Openswan Users] Public subnet extrusion
darkbasic at linuxsystems.it
Fri Feb 24 12:11:36 EST 2012
On 24/02/2012 16:52, Paul Wouters wrote:
> That is partially because the NETKEY IPsec stack is being retarded. For
> netkey, tunneling 0.0.0.0/0 means tunnel everything, including LAN
> traffic and the remote vpn IP. You might need to make a passthrough
> route to avoid that, though that's difficult on roadwarriors as it
> changes all the time.
> Your best bet is to leave the tunnel without sourceip= settings and then
> using "ip route" and "ip rule" tricks to "prefer" the new IP as the
> default for some traffic (eg port 80)
> An easier solution is probably to just use L2TP/IPsec, where the remote
> gives you the 188.8.131.52 IP and the pppd deals with the routing and
> traffic preferences for you.
I really don't understand how the hell it works. If I don't use
"leftsourceip", it doesn't tunnel anything despite rightsubnet=0.0.0.0/0!
Also, without NAT it works (nearly) flawlessly! Here is the working
configuration without NAT:
Server A:
  eth0 184.108.40.206/24 (network 220.127.116.11/24) (PUBLIC)
  eth1 172.16.1.1/16 (network 172.16.0.0/16) (PRIVATE)
  eth2 18.104.22.168/32 (PUBLIC)
Server B:
  eth0 22.214.171.124/24 (network 126.96.36.199/24) (PUBLIC)
  eth1 172.16.0.1/24 (network 172.16.0.0/24) (PRIVATE)
Server A NATs outgoing connections from 172.16.1.1/24 on IP 188.8.131.52,
and server B surfs the web with that IP. The strange thing is that
server B does not tunnel the traffic toward 184.108.40.206/24 despite
rightsubnet=0.0.0.0/0! Also, the traffic toward 220.127.116.11/24 originates
from IP 18.104.22.168 despite leftsourceip=172.16.0.1!
Please, someone explain how the hell it works. I even bought your
openswan book, but it just explains the basics and not how stuff is
At least it doesn't crash the whole system now:
I use Debian Squeeze amd64 on both machines.
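Added example, not code from this thread or from Openswan: one way to get the "prefer the VPN address only for some traffic" split that Paul describes on a NETKEY roadwarrior, without leftsourceip= (which installs a default route sourced from the VPN address and so drags LAN traffic into the tunnel too). It is a NAT-based variant rather than the ip rule/ip route recipe he sketches: a fwmark rule alone re-routes locally generated packets but keeps the source address the kernel picked on the first lookup, so they still would not carry the VPN address and would not match a tunnel whose local selector is that address. SNAT in POSTROUTING rewrites the source, and the kernel redoes the XFRM policy lookup after NAT (and decodes replies with the pre-NAT addresses), so exactly the rewritten flows are encapsulated. All addresses, the interface name and the port list are placeholders I assumed; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread or Openswan): send only chosen TCP ports
# through the VPN-assigned address on a NETKEY roadwarrior, leave LAN and
# everything else on the normal default route.
#
# Placeholders, assumed rather than taken from the thread:
VPN_IP="${VPN_IP:-10.99.0.2}"        # address handed out by the VPN side
DEV="${DEV:-eth0}"                   # interface carrying the default route
LAN_NET="${LAN_NET:-172.16.0.0/24}"  # local LAN that must never be tunneled
PORTS="${PORTS:-80,443}"             # traffic that should use the VPN address

# Assumed tunnel shape: Openswan conn with rightsubnet=0.0.0.0/0 and the
# local selector being the VPN address (what a modecfg/leftsourceip tunnel
# gives you), but WITHOUT leftsourceip= so no src route is installed.

# Print the nat POSTROUTING rules that implement the split (nothing is run).
extrusion_rules() {
    # 1. Packets that already match an IPsec policy are left alone, so the
    #    SNAT never double-rewrites traffic the SPD is already handling.
    echo "iptables -t nat -A POSTROUTING -o $DEV -m policy --dir out --pol ipsec -j ACCEPT"
    # 2. Only new outbound flows to the chosen ports, and never flows to the
    #    LAN, get their source rewritten to the VPN address. With that source
    #    they match the tunnel's out-policy (VPN_IP/32 -> 0.0.0.0/0) after
    #    the post-NAT XFRM re-lookup and are encapsulated; every other packet
    #    keeps the physical address and stays outside the tunnel.
    echo "iptables -t nat -A POSTROUTING -o $DEV -p tcp -m multiport --dports $PORTS ! -d $LAN_NET -j SNAT --to-source $VPN_IP"
}

# Print the commands that undo extrusion_rules (same rules, -D instead of -A).
extrusion_undo_rules() {
    extrusion_rules | sed 's/ -A POSTROUTING / -D POSTROUTING /'
}

# Print the checks a practitioner should run once the SA is up:
# the out-policy for the VPN address must exist, and the SNAT counters must
# move when a connection to one of $PORTS is made.
extrusion_checks() {
    echo "ip xfrm policy show | grep -A2 'src $VPN_IP/32 dst 0.0.0.0/0'"
    echo "iptables -t nat -L POSTROUTING -v -n | grep SNAT"
}

# Count of rules emitted, handy for a quick sanity test without root.
extrusion_rule_count() {
    extrusion_rules | wc -l | tr -d ' '
}

# Apply for real only when explicitly asked (needs root and the tunnel up).
apply_extrusion() {
    if [ "${APPLY:-0}" = "1" ]; then
        extrusion_rules | sh -e
    else
        extrusion_rules
    fi
}

# Usage:  sh extrusion.sh            (prints the rules)
#         APPLY=1 sh extrusion.sh    (installs them, as root)
apply_extrusion
```

Caveat the split implies: only the listed ports use the VPN address; DNS lookups and anything else still leave in the clear from the physical address, which is the behaviour you asked for but also what an observer on the local network sees. If the SA drops, NETKEY's SPD blocks packets sourced from the VPN address rather than sending them in the clear; the SNAT counters stalling while the policy is present is the sign to look for.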