[Openswan Users] overlapping left/right networks
Neal Murphy
neal.p.murphy at alum.wpi.edu
Thu Dec 4 17:22:56 EST 2014
On Thursday, December 04, 2014 05:15:02 PM Dmitry Chirikov wrote:
> Yes /16 is correct follow the "right"-side-guys' rules. I am not sure this
> is supported config, as I wrote in my first letter, so I decided to ask
> more experienced folks and (will hope) developers for that.
>
> Regarding KLIPS - I'd like to use it, but this comment from default
> ipsec.conf states I cannot:
> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>
> (And I really tried to enable it before asking for help here. Without any
> success)
Well, drat the luck. I guess that leaves adding an explicit policy for .3. to
.3. traffic. Or a higher priority route for that traffic. It's supposed to
'just work'.
Sorry I couldn't come up with a simple solution.
N
>
> Kind regards,
> Dmitry Chirikov
>
> On 4 December 2014 at 23:00, Neal Murphy <neal.p.murphy at alum.wpi.edu> wrote:
> > On Thursday, December 04, 2014 04:31:59 PM Dmitry Chirikov wrote:
> > > For some reason, I can't:
> > > 000 "CONN/0x1": 10.12.3.0/24===local<local>[+S=C]...remote<remote>[+S=C]===10.12.0.0/24; unrouted; eroute owner: #0
> > > 000 "CONN/0x2": 10.12.3.0/24===local<local>[+S=C]...remote<remote>[+S=C]===10.12.1.0/24; unrouted; eroute owner: #0
> > > 000 "CONN/0x3": 10.12.3.0/24===local<local>[+S=C]...remote<remote>[+S=C]===10.12.2.0/24; unrouted; eroute owner: #0
> > >
> > > Maybe that is because left and right configs are not in sync now.
> >
> > Most likely; both sides must agree.
> >
> > Wait. Is that /16 really correct? Should rightsubnet be 10.12.0.0/22?
> > This address would encompass 10.12.0.0/24, 10.12.1.0/24, 10.12.2.0/24
> > and 10.20.3.0/24.
> >
> > That confusion aside, do you need a policy that specifically targets
> > traffic between 10.12.3.0/24 and 10.12.3.0/24 so that such traffic is
> > *not* tunnelled?
> >
> > Or use KLIPS and normal routing....
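Added example, not part of the original thread and not Openswan code: a Python sketch of why the selectors discussed above (left 10.12.3.0/24, right 10.12.0.0/16) also match local-to-local traffic, and how the right side splits into blocks that exclude the local subnet. The function names and the sample host addresses are assumptions made for the illustration.

```python
import ipaddress

LEFT = "10.12.3.0/24"    # local subnet from the thread
RIGHT = "10.12.0.0/16"   # remote subnet from the thread


def overlap(left, right):
    """Return the CIDR block shared by both subnets as a string, or None."""
    l, r = ipaddress.ip_network(left), ipaddress.ip_network(right)
    if not l.overlaps(r):
        return None
    # Overlapping CIDR blocks are always nested, so the overlap is the
    # more specific (longer prefix) of the two.
    return str(l if l.prefixlen >= r.prefixlen else r)


def matches_tunnel(src, dst, left=LEFT, right=RIGHT):
    """True if a packet src -> dst falls inside the left===right selector."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(left)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(right))


def remote_only(left, right):
    """Split `right` into CIDR blocks that contain no address of `left`."""
    l, r = ipaddress.ip_network(left), ipaddress.ip_network(right)
    if not l.overlaps(r):
        return [str(r)]
    if r.subnet_of(l):        # left covers all of right: nothing remains
        return []
    return [str(n) for n in sorted(r.address_exclude(l))]


if __name__ == "__main__":
    print("overlap:", overlap(LEFT, RIGHT))
    # Constructed sample hosts: both sit on the local LAN, yet the pair
    # still matches the tunnel selector because the /16 contains the /24.
    print("local-to-local matches tunnel:",
          matches_tunnel("10.12.3.5", "10.12.3.9"))
    print("right side without the local subnet:")
    for block in remote_only(LEFT, RIGHT):
        print("  ", block)
```

The blocks printed last are the selectors that cover the /16 without touching the local /24; the matching pair is the traffic an explicit non-tunnel policy would have to exempt.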