[Openswan Users] Is there anyway to setup static route with NETKEY stack?

simon charles charlessimon at hotmail.com
Mon Jul 16 20:17:02 EDT 2012


Sheng,
    If this is what you want to do :-
    1) All traffic from Router A to go out through Router B
    2) Specific routes from Router A to go outside the tunnel through Router A itself

    then yes it is possible.

Here is one of the ways to achieve this.

1) Exclude specific traffic from the tunnel
ip xfrm policy update dir in src 10.10.3.0/24 dst 4.4.4.4
ip xfrm policy update dir out src 10.10.3.0/24 dst 4.4.4.4
ip xfrm policy update dir fwd src 10.10.3.0/24 dst 4.4.4.4

2) Build a full tunnel from Router A to Router B

ipsec configuration on Router A like :-

leftsubnet=10.10.3.0/24

rightsubnet=0.0.0.0/0

You should execute the commands in step 1 before you add the ipsec connections defined in step 2. Hope this helps.

- Simon Charles - 
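The two steps above on Router A, as an added example that is not from the list post or from the Openswan project: a POSIX shell script that emits the bypass policies for each excluded destination and then checks `ip xfrm policy show` output for all three directions. LOCAL_NET, EXCLUDED and the sample outputs are constructed values; the in/fwd selectors carry the excluded host as src because those policies match reply packets.

```shell
#!/bin/sh
# Added example (not from the list post): Router A side. Emit bypass policies for
# destinations that must stay out of the 0.0.0.0/0 tunnel, then verify them in
# `ip xfrm policy show` output. Constructed values: LOCAL_NET, EXCLUDED, samples.
LOCAL_NET=10.10.3.0/24
EXCLUDED="4.4.4.4/32"   # hosts written with /32, as `ip xfrm policy show` prints them
# Selectors are written from the packet's point of view: outbound packets carry
# our subnet as src, inbound and forwarded replies carry it as dst. A policy with
# no 'tmpl' is a bypass (clear text); lower priority values win, so 0 precedes
# the numbered priorities pluto gives its tunnel policies.
bypass_cmds() {
  printf 'ip xfrm policy update dir out src %s dst %s priority 0\n' "$LOCAL_NET" "$1"
  printf 'ip xfrm policy update dir in src %s dst %s priority 0\n' "$1" "$LOCAL_NET"
  printf 'ip xfrm policy update dir fwd src %s dst %s priority 0\n' "$1" "$LOCAL_NET"
}
# policy_present SHOW_OUTPUT DIR SRC DST: succeed only if a policy with that
# selector and direction exists and carries no template (i.e. is a bypass).
policy_present() {
  printf '%s\n' "$1" | awk -v d="$2" -v s="$3" -v t="$4" '
    function flush() { if (want) found = 1; want = 0 }
    /^src /        { flush(); hit = ($2 == s && $4 == t); next }
    /^[ \t]*dir /  { if (hit && $2 == d) want = 1; next }
    /^[ \t]*tmpl / { want = 0 }
    END            { flush(); exit !found }'
}
# verify_bypass SHOW_OUTPUT: report each excluded prefix missing one of the three
# bypass directions; non-zero status if anything is missing.
verify_bypass() {
  rc=0
  for dst in $EXCLUDED; do
    policy_present "$1" out "$LOCAL_NET" "$dst" || { echo "missing: out $LOCAL_NET -> $dst"; rc=1; }
    policy_present "$1" in "$dst" "$LOCAL_NET" || { echo "missing: in $dst -> $LOCAL_NET"; rc=1; }
    policy_present "$1" fwd "$dst" "$LOCAL_NET" || { echo "missing: fwd $dst -> $LOCAL_NET"; rc=1; }
  done
  return $rc
}
# Constructed `ip xfrm policy show` output: the three bypass entries plus the
# pluto-installed 0.0.0.0/0 tunnel policy, whose tmpl line marks it as a tunnel.
SAMPLE_GOOD='src 10.10.3.0/24 dst 4.4.4.4/32
    dir out priority 0
src 4.4.4.4/32 dst 10.10.3.0/24
    dir in priority 0
src 4.4.4.4/32 dst 10.10.3.0/24
    dir fwd priority 0
src 10.10.3.0/24 dst 0.0.0.0/0
    dir out priority 2080 ptype main
    tmpl src 222.222.222.7 dst 221.221.221.7
        proto esp reqid 16385 mode tunnel'
# Same table without the fwd bypass, so replies forwarded to the LAN hit the tunnel.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | sed '/dir fwd/d')
```

Run `bypass_cmds 4.4.4.4/32 | sh` as root before adding the connection, then `verify_bypass "$(ip xfrm policy show)"` once pluto has installed the 0.0.0.0/0 policies.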


> Date: Mon, 16 Jul 2012 16:53:42 -0700
> Subject: Re: [Openswan Users] Is there anyway to setup static route with NETKEY stack?
> From: sheng at yasker.org
> To: charlessimon at hotmail.com
> CC: users at lists.openswan.org
> 
> Hi Simon,
> 
> Thanks for the reply!
> 
> However, the configuration is what I cannot figure out now.
> 
> For example,
> 
> local              left router A              right router B        remote subnets
> 10.10.3.0/24 ---- 222.222.222.7             221.221.221.7 ------  172.16.10.1/24
>                             |                                        |
>                             |                                        |
>                             |                                        |
>                             |                                        |
>                          Internet   ============= Internet
> 
> So, can I configure it so that, if a host in the local subnet wants to access e.g.
> 8.8.8.8, the traffic has to go through router B rather than router
> A (NAT disabled) and reach the internet? And at the same time, if a host
> wants to access e.g. 4.4.4.4, the traffic would go through router A?
> 
> --Sheng
> 
> On Mon, Jul 16, 2012 at 4:39 PM, simon charles <charlessimon at hotmail.com> wrote:
> > Sheng ,
> >     Can you provide your configuration so we may look at it and make
> > recommendations. It would help if you describe the network layout of your
> > remote site / local site , how they are connected  and what you are trying
> > to achieve at the remote site / local site.
> >       Thanks.
> >
> > - Simon Charles -
> >
> >
> >> Date: Mon, 16 Jul 2012 16:32:46 -0700
> >> From: sheng at yasker.org
> >> To: users at lists.openswan.org
> >> Subject: [Openswan Users] Is there anyway to setup static route with
> >> NETKEY stack?
> >>
> >>
> >> Hi,
> >>
> >> I've dived into Google and this mailing list's archive for quite some time,
> >> but still fail to find a way to specify a static route per our
> >> requirement in the NETKEY stack.
> >>
> >> The scenario is somewhat easy to understand: we want to route any
> >> traffic we specify through the ipsec tunnel.
> >>
> >> Currently the configuration works well for certain subnets (we had to
> >> specify them in rightsubnets of ipsec.conf). But when it comes to
> >> redirecting other traffic through the ipsec tunnel, e.g. we may want to
> >> let the remote gateway (on the other side of the ipsec tunnel) handle local
> >> traffic to the Internet, we can't figure out a way to do that with the
> >> NETKEY stack.
> >>
> >> It seems that with KLIPS we can simply add an ip route for that. I've checked ip
> >> xfrm, but still can't figure out a way to do that.
> >>
> >> When searching for possible methods, I saw someone say "No, there is
> >> no way to do so", but I still want to confirm that. Because if NETKEY
> >> is to replace KLIPS, why can't we do the same thing as in KLIPS (if I
> >> understand right)?
> >>
> >> Thanks in advance!
> >>
> >> --Sheng
> >> _______________________________________________
> >> Users at lists.openswan.org
> >> https://lists.openswan.org/mailman/listinfo/users
> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >> Building and Integrating Virtual Private Networks with Openswan:
> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155