[plug] IPSEC routing between adjacent subnets
Bogdan Mutziu
bmutziu at gmail.com
Wed May 16 15:44:23 WST 2007
Hello Steve,
First of all thanks for your prompt and detailed answer :)
The IPSEC part was already setup by means of racoon and a Juniper
router. I have made a functional tunnel and now I must wait for
permissions on the Juniper side to route me the 10.1.1.1 tunnel
address through the requested destination network.
Hope I didn't miss anything...
Best regards,
Bogdan
On 5/13/07, Steve Baker <steve at iinet.net.au> wrote:
>
> Hi Bogdan,
>
> To solve my particular problem, I created a new host (Gateway V) inside
> the .100 network, then created an ip-ip tunnel between gateways V and Z,
> and set the relevant routing rules on the adjacent gateway hosts.
>
> Where I had gone wrong in my initial attempts was assigning incorrect
> addresses to the tunnel endpoints: I assigned addresses at each end that
> were part of the network they were tunneling between, whereas I should
> have assigned addresses from a completely different network. I fixed
> this by creating the tunnel and assigning addresses 10.0.0.1 (at the V
> end) and 10.0.0.2 (Z end) to the tunnel interfaces, then told gateway V
> that 10.0.0.2 was the gateway to .86.0, and told gateway Z that 10.0.0.1
> was the gateway for .100.0.
>
> Confusing, I know. I probably could have set up the tunnel on Gateway X
> instead of creating a new gateway V inside the .100.0 network, but X is
> already a gateway to 3 other networks and I didn't want to risk getting
> something wrong and being unable to fix it remotely.
>
> The IPSec tunnel part I already had working; it has been going for
> almost 12 months. I'm using IPCop on one end and OpenS/WAN on the
> other, and using X.509 certificates. The IPCop part Just Works, once
> you figure out how it wants the certificates to be set up. The
> OpenS/WAN end is pretty easy too. The only hard part I had was with
> getting the Shorewall configuration at the OpenSWAN end going - you need
> to set up correct information in each of the shorewall config files
> (including zones, tunnels, hosts, and of course rules).
>
> Good luck, if you need any other specific info I'll try to help.
>
> Regards,
> Steve
>
>
> Bogdan Mutziu wrote:
> > Hello Plug,
> >
> > It's my first post here and I hope I will get help from you.
> >
> > I am a sysadmin at Electronic Arts Romania and I am facing the same
> > problem that Steve Baker mentioned in the "How to get sub-subnet to
> > talk" post on 1st May this year.
> >
> > Basically, I quote:
> >
> > " (Point A)                    (Gateway X)
> > 192.168.100.0/24 --- 192.168.100.254/internet <--- (ipsec tunnel) --->
> >
> >                                (Gateway Y)
> > internet/192.168.140.254 <-- 192.168.140.0/24 ---
> >
> >                                (Gateway Z)                 (Point B)
> > --- 192.168.140.252/192.168.86.254 --- 192.168.86.0/24
> >
> >
> > (Hope that is clear...)
> >
> > The question: *How do I route packets from Point A to Point B?* "
> >
> > Mainly I hope that Steve will reply this :)
> >
> > Many thanks and best regards,
> >
> > Bogdan Mutziu
> > _______________________________________________
> > PLUG discussion list: plug at plug.org.au
> > http://www.plug.org.au/mailman/listinfo/plug
> > Committee e-mail: committee at plug.linux.org.au
> >
>
>
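The routing fix Steve describes (an ip-ip tunnel between gateways V and Z, tunnel endpoints taken from a network disjoint from both LANs, then a route to each far LAN via the far tunnel address) written out as a script. This is an added example, not commands from the thread: it uses iproute2 syntax, names the tunnel interface tun0, gives the tunnel a /30, and takes the two gateways' outer addresses from V_PUBLIC and Z_PUBLIC, which the thread never states, so the defaults are placeholder values. It also checks the mistake Steve mentions, refusing a tunnel address that lies inside one of the two LANs being joined.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): emit, or apply, the ip-ip tunnel and
# route commands for gateway V or gateway Z in the 192.168.100.0/24 <->
# 192.168.86.0/24 topology discussed on the list.
set -eu

V_PUBLIC="${V_PUBLIC:-192.0.2.1}"   # assumed placeholder: V's outer address
Z_PUBLIC="${Z_PUBLIC:-192.0.2.2}"   # assumed placeholder: Z's outer address
NET_A="192.168.100.0/24"            # LAN behind V (point A)
NET_B="192.168.86.0/24"             # LAN behind Z (point B)
TUN_V="10.0.0.1"                    # tunnel address at the V end (thread)
TUN_Z="10.0.0.2"                    # tunnel address at the Z end (thread)

# Dotted quad -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR: succeed if ADDR lies inside CIDR.
in_subnet() {
  local addr=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# check_tunnel_addr ADDR: fail if ADDR belongs to either LAN being joined,
# which is exactly the endpoint-addressing mistake described in the thread.
check_tunnel_addr() {
  local net
  for net in "$NET_A" "$NET_B"; do
    if in_subnet "$1" "$net"; then
      echo "tunnel address $1 is inside $net; use a disjoint network" >&2
      return 1
    fi
  done
}

# tunnel_commands V|Z: print the commands for that gateway, one per line.
tunnel_commands() {
  local local_pub remote_pub local_tun remote_tun remote_net
  case $1 in
    V) local_pub=$V_PUBLIC remote_pub=$Z_PUBLIC
       local_tun=$TUN_V remote_tun=$TUN_Z remote_net=$NET_B ;;
    Z) local_pub=$Z_PUBLIC remote_pub=$V_PUBLIC
       local_tun=$TUN_Z remote_tun=$TUN_V remote_net=$NET_A ;;
    *) echo "usage: tunnel_commands V|Z" >&2; return 2 ;;
  esac
  check_tunnel_addr "$local_tun"
  check_tunnel_addr "$remote_tun"
  cat <<EOF
ip tunnel add tun0 mode ipip local $local_pub remote $remote_pub ttl 64
ip addr add $local_tun/30 dev tun0
ip link set tun0 up
ip route add $remote_net via $remote_tun dev tun0
EOF
}

# main V|Z [apply]: print the commands, or run them when "apply" is given
# (running them needs root on the gateway itself).
main() {
  if [ "${2:-}" = apply ]; then
    tunnel_commands "$1" | while read -r line; do $line; done
  else
    tunnel_commands "$1"
  fi
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as `bash tunnel.sh V` on gateway V and `bash tunnel.sh Z` on gateway Z to see the commands, and add `apply` to execute them. The ip-ip encapsulation itself carries no authentication or encryption, so as in the thread it only makes sense with the outer traffic inside the existing IPsec tunnel; if the IPsec policy does not cover protocol 4 (IP-in-IP) between the two gateway addresses, the inner LAN traffic crosses the Internet in the clear.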