Hi,
our company has its own DMZ and we are hiding our servers behind some virtual
outside IP-addresses. Perhaps a picture helps:

       Internet
           |
           |
      ------------
      | Firewall |------DMZ - Net
      ------------
           |
      internal net

Both DMZ and internal net have private IP addresses. To receive packets for
our servers I add the following lines to my firewall script for each server:
route add <external ip> dev <dmz if>
arp -Ds <external ip> <dmz if> pub
My VPN works fine and the ipsec0 gets the right external ip address if I
start freeswan.
But now I was experimenting with iproute2 and changed the lines above to:
ip addr add <external ip> dev <ext. if> scope link
Everything works except freeswan. If I show my ext. interface with
"ip addr show", there is the real address of my interface with scope global,
and the other (virtual) IP addresses with the scope link. Only ifconfig does
not show the right (real) IP address, but some other, because I added it
later to the interface.
It seems that freeswan during initialization also gets the IP address of the
external (default) interface with ifconfig and consequently binds the IPSec
stack to a virtual IP address. Of course no VPN works with that.
Is it possible to change the freeswan code so that it
1) First decides if the interfaces are set up using the ip or the ifconfig
command.
2) If it is the ifconfig command -> no change
3) If it is the ip command -> use the ip address with the global scope.
Thanks. Perhaps somebody can tell me where to find the code and I can do my
best ...
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 München
Tel: (+49 89) 456 911 50
Fax: (+49 89) 456 911 21
mob: (+49 174) 343 28 75
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
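
One way to pick the address the post asks for, as an added example that is not part of the original message or of FreeS/WAN's code: a shell function that reads `ip -o -4 addr show` output and returns the primary scope-global address, skipping scope-link and secondary entries. The interface name eth0 and the 192.0.2.x addresses are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of `ip -o -4 addr show dev eth0` output, one address
# per line. eth0 and the 192.0.2.x documentation addresses are assumptions;
# the virtual (scope link) address is listed first on purpose.
sample_ip_output() {
cat <<'EOF'
2: eth0    inet 192.0.2.21/32 scope link eth0
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 192.0.2.22/32 scope link eth0
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0
EOF
}

# Read `ip -o -4 addr show` lines on stdin and print the first primary
# address with scope global on interface $1, without the prefix length.
# Exit status is non-zero when no such address exists, so a start-up
# script can refuse to bring the tunnel up on a virtual address.
global_addr() {
    awk -v ifname="$1" '
        $2 == ifname {
            addr = ""; scope = ""; secondary = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "inet")      addr = $(i + 1)
                if ($i == "scope")     scope = $(i + 1)
                if ($i == "secondary") secondary = 1
            }
            if (addr != "" && scope == "global" && !secondary) {
                sub(/\/.*/, "", addr)   # strip the /prefix
                print addr
                found = 1
                exit
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Demo on the constructed sample. On a live host the input would be:
#   ip -o -4 addr show dev eth0 | global_addr eth0
sample_ip_output | global_addr eth0
```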
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST