Help!! IPSEC routing!
Hi all!
I hope you can help me with this problem. I have this working IPsec connection in my Debian server:

    conn TEST_1
        type=tunnel
        auto=start
        auth=esp
        authby=secret
        pfs=no
        left=192.168.2.1
        leftid=201.XX.XX.XXX
        leftnexthop=192.168.2.254
        leftsubnet=192.168.1.0/24
        right=200.250.XXX.XXX
        rightsubnet=10.101.4.0/22
        # Phase 1
        keyexchange=ike
        ike=aes128-sha1-modp1024
        ikelifetime=7200s
        # Phase 2
        esp=aes128-sha1
        keylife=7200s
        rekey=yes
        keyingtries=%forever

I can ping the hosts on the 10.101.4.0/22 segment normally. But now I have to ping another host, 10.143.6.188, on the 10.143.4.0/22 segment. It is in the same tunnel; I need to add a route, right? How can I do this? It's a Debian OS with Shorewall and Openswan. Thank you!
But it's not in the same tunnel, as the tunnel definition doesn't cover the 10.143.4.0/22 network.
No matter what routes you add, the only traffic that will ever go through an IPsec tunnel is the traffic matching the source and destination IPs of the tunnel definition. You need to create another tunnel or change the rightsubnet definition to cover both networks.
Thanks for your reply,
OK, I understood. But what do you suggest I do? And if I change the rightsubnet to cover all the IPs that I need, which mask do I need to put in the rightsubnet? Thanks!
The smallest subnet mask to cover both 10.101 and 10.143 is /8. Personally, I'd create a second tunnel.
OK, but do I need to put something like 10.101.4.0/8?
Sorry about the newbie question, but I don't know anything about subnets. Thanks again.
No, you would need to enter 10.0.0.0/8, which would cover all the 16.78 million IP addresses in the 10.x.x.x range.
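The two points made in this thread, that only packets matching the tunnel's traffic selectors (leftsubnet/rightsubnet) are ever sent through the tunnel, and that the smallest single prefix covering 10.101.4.0/22 and 10.143.4.0/22 is 10.0.0.0/8, can be checked with a few lines of Python. This is an added example, not code from the thread or from Openswan; it only assumes the standard library `ipaddress` module and uses the subnets quoted in the conn TEST_1 definition above. It also shows why the second-tunnel advice is the better choice: a /8 rightsubnet admits 16.78 million destination addresses into the tunnel's selectors, while two separate tunnels admit only the 2048 addresses actually needed.

```python
import ipaddress

# Traffic selectors from the thread's conn TEST_1 definition.
LEFTSUBNET = "192.168.1.0/24"
RIGHTSUBNET = "10.101.4.0/22"


def tunnel_selects(src, dst, leftsubnet=LEFTSUBNET, rightsubnet=RIGHTSUBNET):
    """True only if a packet src -> dst matches the tunnel's selectors.

    Anything else is never encapsulated, whatever the kernel routing
    table says; it is sent in the clear or dropped by the firewall.
    """
    return (ipaddress.ip_address(src) in ipaddress.ip_network(leftsubnet)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rightsubnet))


def smallest_covering_network(cidrs):
    """Smallest single IPv4 prefix that contains every network in cidrs."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Walk from /32 down to /0; the first prefix length at which the
    # lowest and highest address share their top bits is the answer.
    for plen in range(32, -1, -1):
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if (lo & mask) == (hi & mask):
            return ipaddress.ip_network((lo & mask, plen))


def selector_exposure(cidrs):
    """Addresses admitted by one covering prefix vs. one tunnel per subnet."""
    single = smallest_covering_network(cidrs).num_addresses
    separate = sum(ipaddress.ip_network(c, strict=False).num_addresses
                   for c in cidrs)
    return single, separate


if __name__ == "__main__":
    needed = ["10.101.4.0/22", "10.143.4.0/22"]
    # The host the original poster wants to reach is outside the selectors:
    print("10.143.6.188 via TEST_1:",
          tunnel_selects("192.168.1.10", "10.143.6.188"))      # False
    print("10.101.4.5 via TEST_1:",
          tunnel_selects("192.168.1.10", "10.101.4.5"))        # True
    covering = smallest_covering_network(needed)
    print("smallest covering rightsubnet:", covering)          # 10.0.0.0/8
    single, separate = selector_exposure(needed)
    print(f"one /8 tunnel admits {single} addresses, "
          f"two /22 tunnels admit {separate}")
```

If you follow the responder's preference, the second tunnel is simply another conn block with the same left/right endpoints and phase 1/2 settings as TEST_1 and `rightsubnet=10.143.4.0/22`; the function `tunnel_selects` then returns True for 10.143.6.188 once it is given that second rightsubnet.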