[plug] Advanced IPSec routing
steve at iinet.net.au
Mon Oct 10 12:34:39 WST 2011
I have an IPSec tunnel set up between network A / gateway B and gateway
C / network D. I can route traffic over the tunnel between systems on
networks A and D, so the IPSec side and firewall rules are all OK.
I'm in charge of network A and can control gateway B (a linux box, IP
address A.A.A.254). The other side belongs to someone else.
The problem I have is that there is another network E behind network D,
and I need to contact systems on that network. I have added a static
route to gateway B, using "route add -net E.E.E.0/24 gw D.D.D.253", and
this has added the correct routing rule. However, I can't get packets to
systems on network E; they are getting stuck at my gateway B.
I think that the problem is that B decides that packets going to network
E do not go through an IPSec tunnel (as E is not connected to the
gateway B system, directly or via IPSec), and by the time the new
routing rule above says 'send it to gateway C' it is too late to go
through any IPSec tunnels.
The 'ip route' command shows: (edited)
A.A.A.0/24 dev eth2 proto kernel scope link src A.A.A.254
E.E.E.0/24 via D.D.D.253 dev eth0
D.D.D.0/24 dev eth0 scope link src A.A.A.254
dev eth0 is the external interface, and packets to E should go out
there, but through the IPSec tunnel to gateway C / network D. Do I
somehow need to get the E.E.E.0 rule to be a 'scope link' routing rule?
Is there a way to get the routing via C to happen before it decides
whether to go through a tunnel, or to re-evaluate the target interface
after routing rules are applied?
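As an added illustration (not part of the original post or any reply to it), the following Python script simulates the two lookups a Linux gateway using policy-based IPsec performs on an outbound packet: first the FIB lookup that picks the egress device and next hop, then the XFRM security policy (SPD) lookup that decides whether the packet is wrapped in a tunnel and to which peer. The route therefore only has to get the packet onto the right interface; whether it is encrypted depends on an SPD selector covering the new destination network. All addresses below (10.10.10.0/24 for A, 10.20.20.0/24 for D, 10.30.30.0/24 for E, and the tunnel endpoints 198.51.100.1 / 203.0.113.1) are constructed stand-ins for the anonymised networks in the post, and `fib_lookup`, `spd_lookup` and `forward` are hypothetical helpers written for this example, not kernel APIs.

```python
"""Simulation (added example) of route lookup followed by IPsec SPD lookup.

On Linux, policy-based IPsec (XFRM) does not look at the routing table to
decide what gets encrypted: the FIB chooses the egress device / next hop,
and then the packet's (src, dst) is matched against SPD selectors. A
packet to a network that no SPD entry covers leaves in the clear (or is
dropped if the chosen next hop is unreachable), regardless of the route.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: IPv4Net
    dev: str
    via: Optional[str] = None  # None means directly connected (scope link)


@dataclass
class SpdEntry:
    """One XFRM policy: traffic selector plus tunnel endpoints."""
    src: IPv4Net
    dst: IPv4Net
    tunnel_local: str
    tunnel_remote: str


# Constructed stand-ins for the networks named in the post.
NET_A = IPv4Net("10.10.10.0/24")   # network A, behind gateway B
NET_D = IPv4Net("10.20.20.0/24")   # network D, behind gateway C
NET_E = IPv4Net("10.30.30.0/24")   # network E, behind network D
B_EXT = "198.51.100.1"            # gateway B tunnel endpoint (constructed)
C_EXT = "203.0.113.1"             # gateway C tunnel endpoint (constructed)
D_253 = "10.20.20.253"            # router on D that leads to E

# Routing table modelled on the post's 'ip route' output.
ROUTES: List[Route] = [
    Route(NET_A, "eth2"),
    Route(NET_E, "eth0", via=D_253),   # the static route that was added
    Route(NET_D, "eth0"),
]

# SPD as it stands: only A <-> D is covered by the tunnel.
SPD_BEFORE: List[SpdEntry] = [SpdEntry(NET_A, NET_D, B_EXT, C_EXT)]

# SPD with an additional selector covering A <-> E through the same peer.
SPD_AFTER: List[SpdEntry] = SPD_BEFORE + [SpdEntry(NET_A, NET_E, B_EXT, C_EXT)]


def fib_lookup(routes: List[Route], dst: IPv4Addr) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def spd_lookup(spd: List[SpdEntry], src: IPv4Addr, dst: IPv4Addr) -> Optional[SpdEntry]:
    """First SPD entry whose selector covers (src, dst)."""
    for entry in spd:
        if src in entry.src and dst in entry.dst:
            return entry
    return None


def forward(routes: List[Route], spd: List[SpdEntry], src: str, dst: str) -> dict:
    """Return what the gateway does with a packet from src to dst."""
    s, d = IPv4Addr(src), IPv4Addr(dst)
    route = fib_lookup(routes, d)
    if route is None:
        return {"action": "no-route"}
    policy = spd_lookup(spd, s, d)
    if policy is None:
        # Route exists but nothing says 'encrypt': plaintext towards next hop.
        return {"action": "plaintext", "dev": route.dev, "next_hop": route.via or dst}
    # Selector matched: packet is encapsulated and sent to the tunnel peer.
    return {"action": "ipsec", "dev": route.dev, "peer": policy.tunnel_remote}


if __name__ == "__main__":
    for label, spd in (("SPD without E", SPD_BEFORE), ("SPD with E", SPD_AFTER)):
        print(label, "->", forward(ROUTES, spd, "10.10.10.5", "10.30.30.7"))
```

With the original SPD the packet to E is routed out eth0 in plaintext towards 10.20.20.253, a next hop that is only reachable inside the tunnel, which is consistent with packets stalling at the gateway; once a selector for A to E exists, the same route delivers the packet into the tunnel to C. On a real gateway the equivalent check is `ip xfrm policy` (or the connection definition of the IKE daemon), since the SPD selectors, not the route table, determine what is encrypted, and the same selector has to exist on gateway C's side.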