[Openswan Users] Is there anyway to setup static route with NETKEY stack?

Sheng Yang sheng at yasker.org
Mon Jul 16 20:26:55 EDT 2012


On Mon, Jul 16, 2012 at 5:19 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 16 Jul 2012, Sheng Yang wrote:
>
>> In fact we may want target-based routing
>
>
> Then you must use klips. netkey grabs the magic magically independently
> of routing - nothing you can do that I know of, but verify the iptables
> helpers to see if anything useful is there.
>
>
>> For example, the traffic
>> from 10.1.2.0/24 would be NATed to internet if the target address is
>> 4.4.4.4, but may send to the remote peer if the target address is
>> 8.8.8.8. So seems subnet definitions cannot work here.
>
>
> You could do that using routing on the machine _before_ ipsec:
>
>
> 10.1.2.0/24---router-----openswan----internet-----
>                  |
>                internet
>
> Now the router can use "ip rule" to route based on destination address.
> As long as it hits the openswan box, you tunnel it. Perhaps you can
> merge "router" and "openswan" using SNAT in PREROUTING to exclude
> IPsec if you SNAT to a non-10.1.2.0/24 address and then DNAT/MASQ
> it on the way out again.
>

That's a great idea, though the machine before the openswan box is not
something we can control...
>
>> So could you elaborate on the "build a tunnel to 0.0.0.0/0" method? I am
>> not quite sure how the passthrough conn works...
>
>
> conn tunnel-all
>         left=someip
>         leftsubnet=10.1.2.0/24
>         right=someip
>         rightsubnet=0.0.0.0/0
>         [...]
>
> conn netkey-exclude
>         left=someip
>         leftsubnet=10.1.2.0/24
>         right=0.0.0.0
>         rightsubnet=8.8.8.8/32
>         authby=never
>         type=passthrough
>         auto=route
>
> This would cause traffic to 8.8.8.8 to NOT be tunneled,
> and it will leave the machine unencrypted. You would have
> to hit a SNAT/MASQ rule obviously to get routed on the net.

This method would work, but it's a whitelist rather than a blacklist.
Since by default the traffic doesn't need to go through the ipsec
tunnel, it would be impossible to add all target addresses as
passthrough conns...

Seems the only way to meet such a requirement is to go KLIPS...

Thank you!

--Sheng
>
> Paul
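The two conn blocks Paul quoted above rely on the most specific selector winning: the 8.8.8.8/32 passthrough conn beats the 0.0.0.0/0 tunnel conn for that one destination, and everything else from 10.1.2.0/24 is still tunneled. The script below is an added example, not Openswan code and not from this thread: it parses ipsec.conf-style conn blocks (the sample config is constructed from the quoted conns, with the elided auth parameters left out) and applies a longest-prefix-match model of policy selection to a (src, dst) pair. It assumes, as the thread does, that a narrower selector takes priority over a wider one; the real XFRM priority values pluto installs are not modelled.

```python
"""Toy model of NETKEY policy selection for the conns quoted in the thread.

Added example, not Openswan code.  It parses "conn NAME" blocks with
key=value lines and picks the matching policy whose selectors are most
specific, which is the behaviour the passthrough trick depends on.
"""

import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample config built from Paul's reply.  "someip" is kept as the
# placeholder it is in the thread; endpoint addresses play no part in
# selector matching, only the leftsubnet/rightsubnet pairs do.
IPSEC_CONF = """
conn tunnel-all
        left=someip
        leftsubnet=10.1.2.0/24
        right=someip
        rightsubnet=0.0.0.0/0

conn netkey-exclude
        left=someip
        leftsubnet=10.1.2.0/24
        right=0.0.0.0
        rightsubnet=8.8.8.8/32
        authby=never
        type=passthrough
        auto=route
"""


class Policy(NamedTuple):
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "tunnel" or "passthrough"


def _to_policy(name: str, params: Dict[str, str]) -> Policy:
    """Turn one conn's parameters into a Policy; both subnets are required."""
    try:
        src = ipaddress.ip_network(params["leftsubnet"], strict=False)
        dst = ipaddress.ip_network(params["rightsubnet"], strict=False)
    except KeyError as exc:
        raise ValueError(f"conn {name}: missing {exc.args[0]}") from None
    # type=passthrough installs a bypass policy; anything else is treated
    # as an encrypted tunnel in this model.
    action = "passthrough" if params.get("type") == "passthrough" else "tunnel"
    return Policy(name, src, dst, action)


def parse_conns(text: str) -> List[Policy]:
    """Parse ipsec.conf-style 'conn NAME' blocks into Policy objects."""
    blocks: List[Tuple[str, Dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            blocks.append((line.split(None, 1)[1], {}))
        elif "=" in line and blocks:
            key, value = line.split("=", 1)
            blocks[-1][1][key.strip()] = value.strip()
    return [_to_policy(name, params) for name, params in blocks]


def select_policy(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Return the matching policy with the most specific selectors.

    Specificity is the sum of the two prefix lengths, so 10.1.2.0/24 ->
    8.8.8.8/32 (56) beats 10.1.2.0/24 -> 0.0.0.0/0 (24).  No match means
    the packet is routed in the clear without IPsec touching it.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    best: Optional[Policy] = None
    for p in policies:
        if s in p.src and d in p.dst:
            if best is None or (p.src.prefixlen + p.dst.prefixlen) > (
                best.src.prefixlen + best.dst.prefixlen
            ):
                best = p
    return best


def classify(text: str, src: str, dst: str) -> str:
    """'tunnel', 'passthrough', or 'clear' for a packet from src to dst."""
    policy = select_policy(parse_conns(text), src, dst)
    return policy.action if policy else "clear"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "4.4.4.4", "8.8.4.4"):
        print(f"10.1.2.5 -> {dst}: {classify(IPSEC_CONF, '10.1.2.5', dst)}")
```

Running it shows the point Sheng makes about the approach being a whitelist: 8.8.8.8 bypasses the tunnel because it has its own passthrough conn, while 4.4.4.4 and 8.8.4.4 are both swallowed by the 0.0.0.0/0 tunnel conn, so every further destination that should stay in the clear needs another explicit passthrough block.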

