[Openswan Users] Is there anyway to setup static route with NETKEY stack?
sheng at yasker.org
Mon Jul 16 19:53:42 EDT 2012
Thanks for the reply!
However, the configuration is what I cannot figure out now.

local             left router A     right router B         remote subnets
10.10.3.0/24 ---- 18.104.22.168     22.214.171.124 ------- 172.16.10.1/24
                  Internet ============= Internet

So, can I configure it so that, if a host in the local subnet wants to access e.g.
126.96.36.199, the traffic has to go through router B rather than router
A (NAT disabled) and reach the Internet? And at the same time, if a host
wants to access e.g. 188.8.131.52, the traffic would go through router A?
On Mon, Jul 16, 2012 at 4:39 PM, simon charles <charlessimon at hotmail.com> wrote:
> Sheng,
> Can you provide your configuration so we may look at it and make
> recommendations. It would help if you describe the network layout of your
> remote site / local site, how they are connected and what you are trying
> to achieve at the remote site / local site.
> - Simon Charles -
>> Date: Mon, 16 Jul 2012 16:32:46 -0700
>> From: sheng at yasker.org
>> To: users at lists.openswan.org
>> Subject: [Openswan Users] Is there anyway to setup static route with
>> NETKEY stack?
>> I've dug through Google and this mailing list's archive for quite some time,
>> but still fail to find a way to specify a static route per our
>> requirement with the NETKEY stack.
>> The scenario is fairly easy to understand: we want to route any
>> traffic we specify through the ipsec tunnel.
>> Currently the configuration works well for certain subnets (we had to
>> specify them in rightsubnets of ipsec.conf). But the problem comes when
>> redirecting other traffic through the ipsec tunnel. E.g. we may want to
>> let the remote gateway (on the other side of the ipsec tunnel) handle local
>> traffic to the Internet. We can't figure out a way to do that with the
>> NETKEY stack.
>> It seems that with KLIPS, we can simply add an ip route for that. I've checked ip
>> xfrm, but still can't figure out a way to do that.
>> When searching for possible methods, I saw someone say "No, there is
>> no way to do so", but I still want to confirm that. Because if NETKEY
>> is to replace KLIPS, why can't we do the same thing as in KLIPS (if I
>> understand right)?
>> Thanks in advance!
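The thread turns on the difference between KLIPS, where the ipsecN interface lets you steer traffic with ordinary routes, and NETKEY, where the kernel decides what gets encrypted by looking up the xfrm policy database (what `ip xfrm policy` prints) rather than the routing table. The following script is an added example, not code from the thread or from the Openswan project: it parses `ip xfrm policy` output and reports which outbound policy the kernel would apply to a given source/destination pair, which is the check to run when asking "will 126.96.36.199 go through the tunnel or out router A?". The policy listing embedded below is constructed for illustration (a specific /24 tunnel policy, a catch-all 0.0.0.0/0 tunnel policy, and a clear-text exception); the gateway addresses are the ones from the diagram.

```python
"""Which xfrm policy would NETKEY apply to a packet?

Kernel xfrm policy lookup is not longest-prefix routing: among the
policies whose src/dst selectors match the packet (in the right
direction), the one with the lowest `priority` value wins.  Openswan
derives that number from the selector prefix lengths, so a more specific
rightsubnet normally gets a smaller priority than 0.0.0.0/0.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ip xfrm policy` output (not captured from a real
# host).  A block with a `tmpl ... mode tunnel` line sends matching traffic
# into ESP; a block without a template lets it pass in the clear.
SAMPLE_XFRM_POLICY = """\
src 10.10.3.0/24 dst 172.16.10.0/24
    dir out priority 2344 ptype main
    tmpl src 18.104.22.168 dst 22.214.171.124
        proto esp reqid 16385 mode tunnel
src 10.10.3.0/24 dst 0.0.0.0/0
    dir out priority 2368 ptype main
    tmpl src 18.104.22.168 dst 22.214.171.124
        proto esp reqid 16385 mode tunnel
src 10.10.3.0/24 dst 188.8.131.0/24
    dir out priority 1000 ptype main
"""


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str           # "out", "in" or "fwd"
    priority: int            # lower value = consulted first
    tunnel_peer: Optional[str]  # remote gateway from the tmpl line; None = clear text


def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Split `ip xfrm policy` output into one XfrmPolicy per `src ... dst ...` block."""
    policies = []
    # Every policy block starts at column 0 with "src "; continuation lines are indented.
    for block in re.split(r"^(?=src )", text, flags=re.M):
        if not block.strip():
            continue
        head = re.match(r"src (\S+) dst (\S+)", block)
        meta = re.search(r"dir (\w+) priority (\d+)", block)
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)", block)
        if not head or not meta:
            raise ValueError("unrecognised policy block: %r" % block)
        policies.append(XfrmPolicy(
            src=ipaddress.ip_network(head.group(1), strict=False),
            dst=ipaddress.ip_network(head.group(2), strict=False),
            direction=meta.group(1),
            priority=int(meta.group(2)),
            tunnel_peer=tmpl.group(2) if tmpl else None,
        ))
    return policies


def select_policy(policies: List[XfrmPolicy], src_ip: str, dst_ip: str,
                  direction: str = "out") -> Optional[XfrmPolicy]:
    """Return the policy the kernel would pick: lowest priority among matching selectors."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [p for p in policies
                  if p.direction == direction and src in p.src and dst in p.dst]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.priority)


def describe_path(policies: List[XfrmPolicy], src_ip: str, dst_ip: str) -> str:
    """Human-readable verdict for one flow."""
    p = select_policy(policies, src_ip, dst_ip)
    if p is None:
        return "no xfrm policy matches: plain routing table decides"
    if p.tunnel_peer is None:
        return "policy %s -> %s (prio %d): clear text, plain routing" % (p.src, p.dst, p.priority)
    return "policy %s -> %s (prio %d): ESP tunnel to %s" % (p.src, p.dst, p.priority, p.tunnel_peer)


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for dst in ("172.16.10.5", "126.96.36.199", "188.8.131.52"):
        print("%-15s %s" % (dst, describe_path(pols, "10.10.3.7", dst)))
```

On a live gateway you would feed it the real listing (`ip xfrm policy` piped into the parser) instead of the constructed sample; the point it makes is that with NETKEY the selector and its priority, not a route, decide whether a given destination is tunneled, so any "go through router B for the Internet, router A for this one host" split has to be expressed as overlapping policies rather than as ip route entries.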