[Openswan Users] Is there anyway to setup static route with NETKEY stack?

Sheng Yang sheng at yasker.org
Mon Jul 16 20:29:07 EDT 2012


On Mon, Jul 16, 2012 at 5:17 PM, simon charles <charlessimon at hotmail.com> wrote:
> Sheng ,
>      If this is what you want to do :-
>     1) All traffic from Router A to go out through Router B
>     2) Specific routes from Router A to go outside the tunnel through Router
> A itself
>
>            then yes it is possible.
>
> Here is one of the ways to achieve this.
>
> 1) Exclude specific traffic from the tunnel
> ip xfrm policy update dir in src 10.10.3.0/24 dst 4.4.4.4
> ip xfrm policy update dir out src 10.10.3.0/24 dst 4.4.4.4
> ip xfrm policy update dir fwd src 10.10.3.0/24 dst 4.4.4.4
>
> 2)  Build a full tunnel from Router A to Router B
> ipsec configuration on Router A like :-
> leftsubnet=10.10.3.0/24
> rightsubnet=0.0.0.0/0
>
> You should execute the commands in step 1 before you add the ipsec
> connections defined in step 2 . Hope this helps.

Thank you Simon!

But I think what we need is specify traffic go _through_ ipsec tunnel,
so this white list thing wouldn't be practice for all potential target
address...

--Sheng
>
> - Simon Charles -
>
>
>> Date: Mon, 16 Jul 2012 16:53:42 -0700
>> Subject: Re: [Openswan Users] Is there anyway to setup static route with
>> NETKEY stack?
>> From: sheng at yasker.org
>> To: charlessimon at hotmail.com
>> CC: users at lists.openswan.org
>
>>
>> Hi Simon,
>>
>> Thanks for reply!
>>
>> However, the configuration is what I cannot figure out now.
>>
>> For example,
>>
>> local left router A right router
>> B remote subnets
>> 10.10.3.0/24 ---- 222.222.222.7 221.221.221.7 ------ 172.16.10.1/24
>> | |
>> | |
>> | |
>> | |
>> Internet ============= Internet
>>
>> So, can I configure that, if host in local subnet want to access e.g.
>> 8.8.8.8, the traffic have to go through router B rather than router
>> A(NAT disabled) and reach the internet? And at the same time, if host
>> want to access e.g. 4.4.4.4, the traffic would go through router A?
>>
>> --Sheng
>>
>> On Mon, Jul 16, 2012 at 4:39 PM, simon charles <charlessimon at hotmail.com>
>> wrote:
>> > Sheng ,
>> > Can you provide your configuration so we may look at it and make
>> > recommendations. It would help if you describe the network layout of
>> > your
>> > remote site / local site , how they are connected and what you are
>> > trying
>> > to achieve at the remote site / local site.
>> > Thanks.
>> >
>> > - Simon Charles -
>> >
>> >
>> >> Date: Mon, 16 Jul 2012 16:32:46 -0700
>> >> From: sheng at yasker.org
>> >> To: users at lists.openswan.org
>> >> Subject: [Openswan Users] Is there anyway to setup static route with
>> >> NETKEY stack?
>> >
>> >>
>> >> Hi,
>> >>
>> >> I've dived in Google and this mailing's archive for quite some time,
>> >> but still fail to find a way to specify static route per our
>> >> requirement in NETKEY stack.
>> >>
>> >> The scenario is somehow easy to understand: we want to route any
>> >> traffic our specified through the ipsec tunnel.
>> >>
>> >> Currently the configuration works well for certain subnets(we had to
>> >> specify them in rightsubnets of ipsec.conf). But when it comes to
>> >> redirect other traffic through the ipsec tunnel. E.g. we may want to
>> >> let remote gateway(on the other side of ipsec tunnel) handle local
>> >> traffic to the Internet. We can't figure out a way to do that with
>> >> NETKEY stack.
>> >>
>> >> Seems with KLIPS, we can simply add ip route for that. I've checked ip
>> >> xfrm, but still can't figure out a way to do that.
>> >>
>> >> When searching for possible methods, I saw someone said "No, there is
>> >> no way to do so", but I still want to confirm that. Because if NETKEY
>> >> would replace KLIPS, why we cannot do the same thing as in KLIPS(if I
>> >> understand right)?
>> >>
>> >> Thanks in advance!
>> >>
>> >> --Sheng
>> >> _______________________________________________
>> >> Users at lists.openswan.org
>> >> https://lists.openswan.org/mailman/listinfo/users
>> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> >> Building and Integrating Virtual Private Networks with Openswan:
>> >>
>> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list