[plug] IPSEC routing between adjacent subnets

Steve Baker steve at iinet.net.au
Sun May 13 12:43:07 WST 2007


Hi Bogdan,

To solve my particular problem, I created a new host (Gateway V) inside 
the .100 network, then created an ip-ip tunnel between gateways V and Z, 
and set the relevant routing rules on the adjacent gateway hosts.

Where I had gone wrong in my initial attempts was assigning incorrect 
addresses to the tunnel endpoints: I assigned addresses at each end that 
were part of the network they were tunneling between, whereas I should 
have assigned addresses from a completely different network.  I fixed 
this by creating the tunnel and assigning addresses 10.0.0.1 (at the V 
end) and 10.0.0.2 (Z end) to the tunnel interfaces, then told gateway V 
that 10.0.0.2 was the gateway to .86.0, and told gateway Z that 10.0.0.1 
was the gateway for .100.0.

Confusing, I know.  I probably could have set up the tunnel on Gateway X 
instead of creating a new gateway V inside the .100.0 network, but X is 
already a gateway to 3 other networks and I didn't want to risk getting 
something wrong and being unable to fix it remotely.

The IPSec tunnel part I already had working; it has been going for 
almost 12 months.  I'm using IPCop on one end and OpenS/WAN on the 
other, and using X.509 certificates.  The IPCop part Just Works, once 
you figure out how it wants the certificates to be set up.  The 
OpenS/WAN end is pretty easy too.  The only hard part I had was with 
getting the Shorewall configuration at the OpenSWAN end going - you need 
to set up correct information in each of the shorewall config files 
(including zones, tunnels, hosts, and of course rules).

Good luck, if you need any other specific info I'll try to help.

Regards,
Steve
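
As an added example (not part of Steve's message or the thread): the iproute2 commands that build the ip-ip tunnel and routes he describes, with a check that the tunnel endpoint addresses do not come from either LAN, which was the mistake in his first attempt. Gateway V's own address inside 192.168.100.0/24 is an assumed placeholder, since the thread never gives it.

```shell
#!/bin/sh
# Added example, not code from the thread: emits the iproute2 commands for an
# IP-in-IP tunnel between gateway V (inside 192.168.100.0/24) and gateway Z
# (192.168.140.252), numbered from a separate 10.0.0.0/30, plus each end's route.
# Dotted quad -> integer, for subnet arithmetic.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# in_subnet ADDR NET/BITS : true when ADDR lies inside NET/BITS.
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}
# The mistake the post describes: tunnel endpoints numbered from one of the
# LANs being joined. Refuse any endpoint address that falls inside either LAN.
endpoints_ok() {
    for addr in "$1" "$2"; do
        for lan in "$3" "$4"; do
            if in_subnet "$addr" "$lan"; then return 1; fi
        done
    done
    return 0
}
# tunnel_cmds NAME LOCAL REMOTE LOCAL_TUN REMOTE_TUN REMOTE_LAN : commands for one
# end. The ipip packets ride the existing X<->Y IPsec tunnel; ipip itself adds no encryption.
tunnel_cmds() {
    printf 'ip tunnel add %s mode ipip local %s remote %s ttl 64\n' "$1" "$2" "$3"
    printf 'ip addr add %s/30 dev %s\n' "$4" "$1"
    printf 'ip link set %s up\n' "$1"
    printf 'ip route add %s via %s dev %s\n' "$6" "$5" "$1"
}
V_LAN=192.168.100.0/24; Z_LAN=192.168.86.0/24
V_ADDR=192.168.100.10    # constructed placeholder; the thread never gives V's address
Z_ADDR=192.168.140.252   # Z's address on the .140 side, from the diagram
V_TUN=10.0.0.1; Z_TUN=10.0.0.2
plan() {
    endpoints_ok "$V_TUN" "$Z_TUN" "$V_LAN" "$Z_LAN" ||
        { echo "tunnel addresses must not come from either LAN" >&2; return 1; }
    echo "# on gateway V (hosts on .100, or gateway X, also need 192.168.86.0/24 via V)"
    tunnel_cmds vz0 "$V_ADDR" "$Z_ADDR" "$V_TUN" "$Z_TUN" "$Z_LAN"
    echo "# on gateway Z"
    tunnel_cmds vz0 "$Z_ADDR" "$V_ADDR" "$Z_TUN" "$V_TUN" "$V_LAN"
}
plan
```

Running the script prints the commands rather than executing them, so they can be reviewed before being applied as root on each gateway.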


Bogdan Mutziu wrote:
> Hello Plug,
>
> It's my first post here and I hope I will get help from you.
>
> I am a sysadmin at Electronic Arts Romania and I am facing the same
> problem that Steve Baker mentioned in the "How to get sub-subnet to
> talk" post on 1st May this year.
>
> Basically, I quote:
>
> "    (Point A)                (Gateway X)
>
> 192.168.100.0/24 --- 192.168.100.254/internet <--- (ipsec tunnel) ---
>
>                  (Gateway Y)
>        ---> internet/192.168.140.254 <-- 192.168.140.0/24 ---
>                           (Gateway Z)                (Point B)
>             --- 192.168.140.252/192.168.86.254 --- 192.168.86.0/24
>
>
> (Hope that is clear...)
>
> The question: *How do I route packets from Point A to Point B?* "
>
> Mainly I hope that Steve will reply this :)
>
> Many thanks and best regards,
>
> Bogdan Mutiu