[Openswan Users] Is there anyway to setup static route with NETKEY stack?
simon charles
charlessimon at hotmail.com
Mon Jul 16 20:17:02 EDT 2012
Sheng,
If this is what you want to do:
1) All traffic from Router A to go out through Router B
2) Specific routes from Router A to go outside the tunnel through Router A itself
then yes, it is possible.
Here is one of the ways to achieve this.
1) Exclude specific traffic from the tunnel
ip xfrm policy update dir in src 10.10.3.0/24 dst 4.4.4.4
ip xfrm policy update dir out src 10.10.3.0/24 dst 4.4.4.4
ip xfrm policy update dir fwd src 10.10.3.0/24 dst 4.4.4.4
2) Build a full tunnel from Router A to Router B
ipsec configuration on Router A like:
leftsubnet=10.10.3.0/24
rightsubnet=0.0.0.0/0
You should execute the commands in step 1 before you add the ipsec connections defined in step 2. Hope this helps.
- Simon Charles -
> Date: Mon, 16 Jul 2012 16:53:42 -0700
> Subject: Re: [Openswan Users] Is there anyway to setup static route with NETKEY stack?
> From: sheng at yasker.org
> To: charlessimon at hotmail.com
> CC: users at lists.openswan.org
>
> Hi Simon,
>
> Thanks for the reply!
>
> However, the configuration is what I cannot figure out now.
>
> For example,
>
> local             left router A         right router B       remote subnets
> 10.10.3.0/24 ---- 222.222.222.7          221.221.221.7 ------ 172.16.10.1/24
>                         |                      |
>                         |                      |
>                         |                      |
>                         |                      |
>                     Internet ============= Internet
>
> So, can I configure it so that if a host in the local subnet wants to access, e.g.,
> 8.8.8.8, the traffic has to go through Router B rather than Router
> A (NAT disabled) and reach the Internet? And at the same time, if a host
> wants to access, e.g., 4.4.4.4, the traffic would go through Router A?
>
> --Sheng
>
> On Mon, Jul 16, 2012 at 4:39 PM, simon charles <charlessimon at hotmail.com> wrote:
> > Sheng ,
> > Can you provide your configuration so we may look at it and make
> > recommendations? It would help if you described the network layout of your
> > remote site / local site, how they are connected and what you are trying
> > to achieve at the remote site / local site.
> > Thanks.
> >
> > - Simon Charles -
> >
> >
> >> Date: Mon, 16 Jul 2012 16:32:46 -0700
> >> From: sheng at yasker.org
> >> To: users at lists.openswan.org
> >> Subject: [Openswan Users] Is there anyway to setup static route with
> >> NETKEY stack?
> >
> >>
> >> Hi,
> >>
> >> I've dug through Google and this mailing list's archive for quite some time,
> >> but still fail to find a way to specify static routes per our
> >> requirements in the NETKEY stack.
> >>
> >> The scenario is somewhat easy to understand: we want to route any
> >> traffic we specify through the ipsec tunnel.
> >>
> >> Currently the configuration works well for certain subnets (we had to
> >> specify them in rightsubnets of ipsec.conf). But when it comes to
> >> redirecting other traffic through the ipsec tunnel, e.g. when we want to
> >> let the remote gateway (on the other side of the ipsec tunnel) handle local
> >> traffic to the Internet, we can't figure out a way to do that with the
> >> NETKEY stack.
> >>
> >> It seems that with KLIPS we can simply add an ip route for that. I've checked ip
> >> xfrm, but still can't figure out a way to do that.
> >>
> >> When searching for possible methods, I saw someone say "No, there is
> >> no way to do so", but I still want to confirm that. Because if NETKEY
> >> is to replace KLIPS, why can't we do the same thing as in KLIPS (if I
> >> understand right)?
> >>
> >> Thanks in advance!
> >>
> >> --Sheng
> >> _______________________________________________
> >> Users at lists.openswan.org
> >> https://lists.openswan.org/mailman/listinfo/users
> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >> Building and Integrating Virtual Private Networks with Openswan:
> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
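The two-step procedure Simon describes, as an added shell example that is not part of the original thread and is not Openswan's own code. It generates (or, with APPLY=1 as root, installs) the bypass policies for each destination given on the command line and then prints the ipsec.conf conn for the 0.0.0.0/0 tunnel. The addresses are the ones from the thread; the conn name "fulltunnel", auto=add, the explicit "priority 0" and the prefix validation are assumptions added by this example. One point worth noticing in the generated commands: the kernel matches received packets against their own addresses, so the "in" and "fwd" bypass entries use the excluded host as src and the LAN as dst, which is the orientation that lets cleartext replies from 4.4.4.4 back into 10.10.3.0/24 past the tunnel's own in/fwd policies.

```shell
#!/bin/sh
# Added example for the thread above; not code from Openswan or from the
# original posts. Splits traffic on Router A: everything from the LAN goes
# through the 0.0.0.0/0 tunnel to Router B except the destinations given
# on the command line, which leave Router A in the clear.
# Addresses are the ones from the thread. The conn name "fulltunnel",
# auto=add and the explicit "priority 0" are assumptions of this example.

LOCAL_NET="10.10.3.0/24"   # leftsubnet on Router A
ROUTER_A="222.222.222.7"   # Router A public address (left)
ROUTER_B="221.221.221.7"   # Router B public address (right)

# Accept only a.b.c.d or a.b.c.d/len (exit status 0), reject anything else.
# The destinations end up in a shell pipeline, so nothing but an IPv4
# prefix may pass. Runs in a subshell so IFS and set -f do not leak.
valid_prefix() (
  case $1 in
    */*) addr=${1%/*}; len=${1#*/} ;;
    *)   addr=$1; len=32 ;;
  esac
  case $len in ''|*[!0-9]*) exit 1 ;; esac
  [ "$len" -le 32 ] || exit 1
  IFS=.; set -f; set -- $addr
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) exit 1 ;; esac
    [ "$octet" -le 255 ] || exit 1
  done
  exit 0
)

# Print the three bypass policies for one excluded destination. A policy
# with no "tmpl" lets matching traffic through in the clear. "dir out"
# sees packets as they leave, so src is the LAN; "dir in" and "dir fwd"
# see packets as they arrive, so src is the excluded host and dst is the
# LAN. Priority 0 is the highest and is assumed to sort above the entries
# pluto installs for the 0.0.0.0/0 conn.
bypass_cmds() {
  net=$1; dst=$2
  printf 'ip xfrm policy update dir out src %s dst %s priority 0\n' "$net" "$dst"
  printf 'ip xfrm policy update dir in src %s dst %s priority 0\n' "$dst" "$net"
  printf 'ip xfrm policy update dir fwd src %s dst %s priority 0\n' "$dst" "$net"
}

# Print the full-tunnel conn (leftsubnet = the LAN, rightsubnet = everything).
# Authentication lines (authby, keys or certs) are left out; add your own.
tunnel_conf() {
  cat <<EOF
conn fulltunnel
    left=$ROUTER_A
    leftsubnet=$LOCAL_NET
    right=$ROUTER_B
    rightsubnet=0.0.0.0/0
    auto=add
EOF
}

# Step 1 (bypass policies) before step 2 (the conn), as in the thread.
main() {
  [ $# -gt 0 ] || { echo "usage: $0 DEST[/LEN]..." >&2; return 2; }
  for dst in "$@"; do
    valid_prefix "$dst" || { echo "not an IPv4 prefix: $dst" >&2; return 1; }
  done
  for dst in "$@"; do
    if [ "${APPLY:-0}" = 1 ]; then
      bypass_cmds "$LOCAL_NET" "$dst" | sh -e   # install (needs root)
    else
      bypass_cmds "$LOCAL_NET" "$dst"           # dry run: just print
    fi
  done
  echo "# ipsec.conf conn to add, then: ipsec auto --add fulltunnel"
  tunnel_conf
}

# Only run when invoked with arguments; the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh split.sh 4.4.4.4` to see the commands, and as root with `APPLY=1 sh split.sh 4.4.4.4` to install them, then add the conn with `ipsec auto --add fulltunnel`. Afterwards `ip xfrm policy` should list the three bypass entries with priority 0 and no tmpl lines alongside pluto's tunnel entries. The prefix check is not cosmetic: the destinations are piped into sh, so an unvalidated argument such as `4.4.4.4;reboot` would otherwise be executed.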