Re: Public subnet extrusion

Linux Advanced Routing and Traffic Control

On 24/02/2012 16:52, Paul Wouters wrote:
> That is partially because the NETKEY IPsec stack is being retarded. For
> netkey, tunneling 0.0.0.0/0 means tunnel everything, including LAN
> traffic and the remote vpn IP. You might need to make a passthrough
> route to avoid that, though that's difficult on roadwarriors as it
> changes all the time.
>
> Your best bet is to leave the tunnel without sourceip= settings and then
> use "ip route" and "ip rule" tricks to "prefer" the new IP as the
> default for some traffic (eg port 80)
>
> An easier solution is probably to just use L2TP/IPsec, where the remote
> gives you the 5.5.5.100 IP and the pppd deals with the routing and
> traffic preferences for you.
>
> Paul

Hi,
I really don't understand how the hell it works. If I don't use "leftsourceip", it doesn't tunnel anything despite rightsubnet=0.0.0.0/0! Also, without NAT it works (nearly) flawlessly! Here is the working configuration without NAT:

Server A:
eth0 5.5.5.1/24 (network 5.5.5.0/24) (PUBLIC)
eth1 172.16.1.1/16 (network 172.16.0.0/16) (PRIVATE)
eth2 6.6.6.1/32 (PUBLIC)
conn server1-server2
        authby=rsasig
        left=5.5.5.1
        leftsubnet=0.0.0.0/0
        leftrsasigkey=
        right=5.5.5.2
        rightsubnet=172.16.0.0/24
        rightid=@server2
        rightrsasigkey=
        type=tunnel
        auto=add

Server B:
eth0 5.5.5.2/24 (network 5.5.5.0/24) (PUBLIC)
eth1 172.16.0.1/24 (network 172.16.0.0/24) (PRIVATE)
conn server1-server2
        authby=rsasig
        left=5.5.5.2
        leftsubnet=172.16.0.0/24
        leftsourceip=172.16.0.1
        leftid=@server2
        leftrsasigkey=
        right=5.5.5.1
        rightsubnet=0.0.0.0/0
        rightrsasigkey=
        type=tunnel
        auto=start

Server A NATs outgoing connections from 172.16.1.1/24 to IP 6.6.6.1, and server B surfs the web with that IP. The strange thing is that server B does not tunnel the traffic toward 5.5.5.0/24 despite rightsubnet=0.0.0.0/0! Also, the traffic toward 5.5.5.0/24 originates from IP 5.5.5.2 despite leftsourceip=172.16.0.1!

Please, someone explain how the hell it works; I even bought your Openswan book, but it just explains the basics and not how stuff is really implemented.

At least it doesn't crash the whole system now: http://marc.info/?l=linux-netdev&m=133000782209351&w=2 :(

Thanks,
Niccolò

P.S.
I use Debian Squeeze amd64 on both machines.
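The following is an added illustration, not code from this thread or from Openswan: a toy model of how an outbound IPsec policy (SPD) lookup decides what happens to a packet, built from the ipsec.conf conn blocks above. It makes two simplifying assumptions that are stated in the code: a selector matches only when BOTH its source and destination halves match the packet, and among matching selectors the most specific one (longest combined prefixes) wins, which is how a narrower type=passthrough conn overrides a 0.0.0.0/0 tunnel. The road-warrior client conn, the 198.51.100.0/24 LAN and the 203.0.113.10 destination are constructed for the example. Run against server B's conn, the model reproduces the reported observation: a packet sourced from 5.5.5.2 falls outside leftsubnet=172.16.0.0/24, so the selector does not match and the packet goes out in the clear even though rightsubnet=0.0.0.0/0; run against the client conn, it shows Paul's point that 0.0.0.0/0 also captures LAN traffic and the peer's own address until a passthrough exception exists.

```python
"""Toy model of outbound IPsec policy (SPD) selection from ipsec.conf conns.
Added illustration; not Openswan code. Simplifications: both src and dst
halves of a selector must match, and the most specific selector wins."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str          # "tunnel" or "passthrough"


def parse_conn(text):
    """Turn the key=value lines of one ipsec.conf conn block into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def outbound_policy(conf):
    """Outbound selector of a conn as seen from the 'left' host.
    ipsec.conf defaults an absent leftsubnet/rightsubnet to the host's own /32."""
    src = ipaddress.ip_network(conf.get("leftsubnet", conf["left"] + "/32"))
    dst = ipaddress.ip_network(conf.get("rightsubnet", conf["right"] + "/32"))
    return Policy(src, dst, conf.get("type", "tunnel"))


def lookup(policies, src_ip, dst_ip):
    """Action applied to a packet src_ip -> dst_ip, or 'clear' if no selector
    matches. A selector matches only if BOTH its src and dst contain the packet;
    the match with the longest combined prefix length wins (model assumption)."""
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    best = None
    for pol in policies:
        if src_ip in pol.src and dst_ip in pol.dst:
            specificity = pol.src.prefixlen + pol.dst.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, pol)
    return best[1].action if best else "clear"


# Server B's conn from the post (key lines omitted).
SERVER_B = """conn server1-server2
        left=5.5.5.2
        leftsubnet=172.16.0.0/24
        leftsourceip=172.16.0.1
        right=5.5.5.1
        rightsubnet=0.0.0.0/0
        type=tunnel
"""

# Constructed road-warrior client: no leftsubnet, so its own /32 is the source
# side. The 198.51.100.0/24 LAN and the gateway 5.5.5.1 are example values.
CLIENT = """conn client-to-gw
        left=198.51.100.7
        right=5.5.5.1
        rightsubnet=0.0.0.0/0
        type=tunnel
"""

# Constructed passthrough exception for the client's own LAN.
CLIENT_LAN_PASSTHROUGH = """conn client-lan
        left=198.51.100.7
        right=198.51.100.1
        rightsubnet=198.51.100.0/24
        type=passthrough
"""


def server_b_results():
    """Server B: LAN-sourced traffic is tunnelled, host-sourced traffic is not."""
    pols = [outbound_policy(parse_conn(SERVER_B))]
    return {
        "lan_to_internet": lookup(pols, "172.16.0.1", "203.0.113.10"),  # tunnel
        "host_to_peer_net": lookup(pols, "5.5.5.2", "5.5.5.1"),         # clear
    }


def client_results():
    """Road warrior: 0.0.0.0/0 swallows LAN and peer traffic until a
    narrower passthrough selector is added."""
    tunnel_only = [outbound_policy(parse_conn(CLIENT))]
    with_pt = tunnel_only + [outbound_policy(parse_conn(CLIENT_LAN_PASSTHROUGH))]
    return {
        "lan_without_passthrough": lookup(tunnel_only, "198.51.100.7", "198.51.100.1"),
        "peer_itself": lookup(tunnel_only, "198.51.100.7", "5.5.5.1"),
        "lan_with_passthrough": lookup(with_pt, "198.51.100.7", "198.51.100.1"),
        "internet_with_passthrough": lookup(with_pt, "198.51.100.7", "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, result in {**server_b_results(), **client_results()}.items():
        print(f"{name}: {result}")
```

The model is deliberately routing-agnostic: it takes the packet's source address as given. On server B that address is chosen by the normal route lookup before the SPD is consulted, and a directly connected 5.5.5.0/24 route hands out 5.5.5.2 regardless of the leftsourceip hint on the tunnel's default route, which is exactly the case where the selector's source half fails to match.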
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

