[plug] Advanced IPSec routing

Steve Baker steve at iinet.net.au
Mon Oct 10 12:34:39 WST 2011


I have an IPSec tunnel set up between network A / gateway B and gateway 
C / network D. I can route traffic over the tunnel between systems on 
networks A and D, so the IPSec side and firewall rules are all OK.

I'm in charge of network A and can control gateway B (a linux box, IP 
address A.A.A.254). The other side belongs to someone else.

The problem I have is that there is another network E behind network D, 
and I need to contact systems on that network. I have added a static 
route to gateway B, using "route add -net E.E.E.0/24 gw D.D.D.253", and 
this has added the correct routing rule. However I can't get packets to 
systems on network E, they are getting stuck at my gateway B.

I think that the problem is that B decides that packets going to network 
E do not go through an IPSec tunnel (as E is not connected to the 
gateway B system, directly or via IPSec) then by the time the new 
routing rule above says 'send it to gateway C' it is too late to go 
through any IPSec tunnels.

The 'ip route' command shows: (edited)
     A.A.A.0/24 dev eth2  proto kernel  scope link  src A.A.A.254
     E.E.E.0/24 via D.D.D.253 dev eth0
     D.D.D.0/24 dev eth0  scope link  src A.A.A.254

dev eth0 is the external interface, and packets to E should go out 
there, but through the IPSec tunnel to gateway C / network D. Do I 
somehow need to get the E.E.E.0 rule to be a 'scope link' routing rule? 
Is there a way to get the routing via C to happen before it decides 
whether to go through a tunnel, or to re-evaluate the target interface 
after routing rules are applied?

Any ideas?


More information about the plug mailing list