Herbert Xu wrote:
Marco Berizzi <[EMAIL PROTECTED]> wrote:
>
> 172.16.0.0/23 dev eth2 proto kernel scope link src 172.16.1.1
> 10.180.0.0/16 via 172.16.1.253 dev eth2
> 10.0.0.0/8 via pub_ip dev eth0
> 127.0.0.0/8 dev lo scope link
>
> I have noticed that packets for the 10.180.0.0/16 network
> are eaten by the ipsec tunnel because the policy allows
> them. Is there a way to deliver packets for the 10.180.0.0
> network to the 172.16.1.253 router (because the route
> to 10.180.0.0 is more specific than 10.0.0.0/8)?
You need an IPsec pass action. With Openswan you can do it with
something like
conn pass
        left=%defaultroute
        # This should be the leftsubnet of your 10.0.0.0/8 connection.
        leftsubnet=0.0.0.0/0
        # This field doesn't really matter.
        right=172.16.1.253
        rightsubnet=10.180.0.0/16
        type=passthrough
        authby=never
        auto=route
Thanks for the tip Herbert.
Ok I have inserted this section in openswan init
file (ipsec.conf)
conn pass
        left=172.16.1.1
        leftsubnet=172.16.0.0/23
        right=172.16.1.253
        # the subnet to exempt from the 10.0.0.0/8 tunnel policy
        rightsubnet=10.180.0.0/16
        type=passthrough
        authby=never
        auto=route
After running 'ipsec auto --add pass && ipsec auto --route pass'
openswan has eaten my static route inserted by hand:
route add -net 10.180.0.0/16 gw 172.16.1.253
Here is 'ip r s' output after 'ipsec auto --route pass':
172.16.0.0/23 dev eth2 proto kernel scope link src 172.16.1.1
10.180.0.0/16 dev eth2 scope link
All is fine now. It isn't even necessary anymore to
insert the static route, as it is placed by
openswan. My question is how Linux understands that
it should send packets for 10.180.0.0/24 to the
172.16.1.253 router.
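Added illustration, not part of the thread above: a small Python model of the outbound security-policy lookup that Herbert's passthrough conn relies on. It uses the thread's own prefixes and assumes, as Openswan does, that a narrower selector gets precedence over a wider one; the priority formula and the 172.16.1.10 source host are constructed for the example.

```python
# Model of an outbound IPsec security-policy lookup (constructed example).
# Shows why a more specific "passthrough" policy for 10.180.0.0/16 wins
# over the broader 10.0.0.0/8 tunnel policy instead of being eaten by it.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Policy:
    src: IPv4Network
    dst: IPv4Network
    action: str                    # "ipsec" = tunnel, "allow" = send in the clear
    priority: int = field(init=False)

    def __post_init__(self):
        # Assumption: derive precedence from selector specificity, as Openswan
        # does when installing kernel policies (lower value = checked first).
        self.priority = 2 * 32 - (self.src.prefixlen + self.dst.prefixlen)

    def matches(self, src, dst):
        return src in self.src and dst in self.dst


def lookup(policies, src, dst):
    """Return the action of the best-matching policy, or 'allow' (plain
    routing) when no policy covers the flow at all."""
    hits = [p for p in policies if p.matches(src, dst)]
    if not hits:
        return "allow"
    return min(hits, key=lambda p: p.priority).action


LAN = IPv4Network("172.16.0.0/23")                       # leftsubnet from the thread
tunnel = Policy(LAN, IPv4Network("10.0.0.0/8"), "ipsec")   # the existing tunnel conn
passthrough = Policy(LAN, IPv4Network("10.180.0.0/16"), "allow")  # Herbert's "conn pass"


def decide(dst, with_pass):
    """Decide how a packet from a constructed LAN host to dst is handled,
    with or without the passthrough policy installed."""
    spd = [tunnel, passthrough] if with_pass else [tunnel]
    return lookup(spd, IPv4Address("172.16.1.10"), IPv4Address(dst))


if __name__ == "__main__":
    for dst in ("10.180.4.7", "10.20.1.1"):
        print(dst, "without pass:", decide(dst, False),
              "| with pass:", decide(dst, True))
```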