LinuxQuestions.org


gguth 09-10-2012 12:21 PM

Help!! IPSEC routing!
 
Hi all!
I hope you can help me with this problem.

I have this working IPsec connection on my Debian server:

####
conn TEST_1
    type=tunnel
    auto=start
    auth=esp
    authby=secret
    pfs=no
    left=192.168.2.1
    leftid=201.XX.XX.XXX
    leftnexthop=192.168.2.254
    leftsubnet=192.168.1.0/24
    right=200.250.XXX.XXX
    rightsubnet=10.101.4.0/22
    # Phase 1
    keyexchange=ike
    ike=aes128-sha1-modp1024
    ikelifetime=7200s
    # Phase 2
    esp=aes128-sha1
    keylife=7200s
    rekey=yes
    keyingtries=%forever
####

I can ping the hosts on the 10.101.4.0/22 segment normally.
But now I have to ping another host, 10.143.6.188, in the 10.143.4.0/22 segment.

It is in the same tunnel; I need to add a route, right?

How can I do this?

**It's a Debian OS with Shorewall and Openswan.


Thank you!

Ser Olmy 09-10-2012 12:57 PM

But it's not in the same tunnel, as the tunnel definition doesn't cover the 10.143.4.0/22 network.

No matter what routes you add, the only traffic that will ever go through an IPsec tunnel, is the traffic matching the source and destination IPs of the tunnel definition. You need to create another tunnel or change the rightsubnet definition to cover both networks.

gguth 09-10-2012 01:05 PM

Thanks for your reply,

OK, I understand.
But what do you suggest I do?
And if I change the rightsubnet to cover all the IPs that I need, which mask do I need to put in the rightsubnet?

Thanks!

Ser Olmy 09-10-2012 01:10 PM

The smallest subnet mask to cover both 10.101 and 10.143 is /8. Personally, I'd create a second tunnel.

gguth 09-10-2012 01:20 PM

OK, but do I need to put something like 10.101.4.0/8?
Sorry about the newbie question, but I don't know anything about subnets.

Thanks again.

Ser Olmy 09-10-2012 01:32 PM

No, you would need to enter 10.0.0.0/8, which would cover all the 16.78 million IP addresses in the 10.x.x.x range.
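An added example (not from the thread) in Python, to make Ser Olmy's two points concrete: a tunnel only protects packets that match its leftsubnet/rightsubnet selectors, and the smallest single prefix covering both 10.101.4.0/22 and 10.143.4.0/22 is 10.0.0.0/8, written with the network address, not 10.101.4.0/8. The TEST_1 dictionary is a constructed stand-in for the conn block above.

```python
import ipaddress

# Traffic selectors of the conn TEST_1 from the thread (constructed stand-in;
# only the subnets matter here, the peer addresses are elided on the page).
TEST_1 = {
    "leftsubnet": ipaddress.ip_network("192.168.1.0/24"),
    "rightsubnet": ipaddress.ip_network("10.101.4.0/22"),
}


def tunnel_covers(conn, src, dst):
    """True if a packet src -> dst matches the conn's traffic selectors.

    Only such packets are sent through the IPsec SA; anything else is
    routed in the clear (or dropped by the firewall) regardless of what
    static routes exist, which is why adding a route alone does not help.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    return src in conn["leftsubnet"] and dst in conn["rightsubnet"]


def smallest_supernet(*networks):
    """Smallest single prefix that contains every given network.

    Widens the first network one bit at a time until all others fit.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def parse_subnet(text):
    """Parse a subnet the way ipsec.conf expects it (network address + mask).

    Raises ValueError for input like '10.101.4.0/8', where the address has
    host bits set for the given mask.
    """
    return ipaddress.ip_network(text, strict=True)


if __name__ == "__main__":
    print(tunnel_covers(TEST_1, "192.168.1.10", "10.143.6.188"))  # False
    print(smallest_supernet("10.101.4.0/22", "10.143.4.0/22"))    # 10.0.0.0/8
    print(parse_subnet("10.0.0.0/8").num_addresses)               # 16777216
```

Per Ser Olmy's advice, a second conn with rightsubnet=10.143.4.0/22 keeps the selectors narrow instead of widening TEST_1 to all of 10.0.0.0/8.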