I discussed this briefly with Hugh Redelmeier, who suggested I send a
message to the list. (Later he suggested a resend, so blame the
listserver if it eventually dups this.)
Configuration is Roadwarrior with a bit of WLAN flavour, per the config
document; leftsubnet is the whole Internet, and rightsubnet is a single
address forwarded through the IPSEC pipe. On the laptop, that address is
bound to lo:0. Unfortunately, since there's just the one machine, it
wants to use the public gateway address (on the OLS wireless network at
the moment) as the source address for TCP connections, pings, and the
like, and I want it to use my private address so the connection uses the
encrypted tunnel.
The fix I'm using is to take the two /1 routes FreeS/WAN installs and
replace them with exactly the same thing with "src $MYADDR" appended.
A wee bit of shell script (ip route | sed) will do it. You get:
ip route replace 0.0.0.0/1 via $RIGHTNEXTHOP dev ipsec0 src $MYADDR
ip route replace 128.0.0.0/1 via $RIGHTNEXTHOP dev ipsec0 src $MYADDR
IMHO there should be slightly better kernel support for forcing
source address selection; I've dealt with similar issues before doing
Zebra routing (in a non-IPSEC context) and it'd help to have it separated
from the routing layer and not vulnerable/tied to routing changes. Or
maybe having a FreeS/WAN option to tack "... src $MYADDR" into the routes
it installs would suffice.
-- 
Anthony de Boer

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
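The "ip route | sed" step the post mentions, written out as an added example (this is not the poster's script; it uses awk rather than sed). It assumes the tunnel device is ipsec0 and that MYADDR is the private address bound to lo:0, as described above; the route table embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the two /1 routes that
# FreeS/WAN installs so each carries an explicit "src MYADDR", so that locally
# originated TCP/ping traffic is sourced from the tunnelled private address.
# Assumptions: tunnel device is ipsec0 and MYADDR is the address bound to
# lo:0, as in the post. The route table below is constructed sample data.

# pin_src_routes ROUTE_TABLE MYADDR
#   Reads "ip route" output (one route per line) from $1 and prints an
#   "ip route replace ... src MYADDR" command for each 0.0.0.0/1 or
#   128.0.0.0/1 route that leaves via ipsec0. Any existing "src X" on those
#   routes is dropped first, so re-running the script is idempotent.
pin_src_routes() {
    printf '%s\n' "$1" | awk -v myaddr="$2" '
    {
        out = ""; dev = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "src") { i++; continue }   # drop old src and its value
            out = out (out == "" ? "" : " ") $i
        }
        if (($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && dev == "ipsec0")
            print "ip route replace " out " src " myaddr
    }'
}

# Constructed sample "ip route" output: the default route on the WLAN side,
# the two FreeS/WAN /1 routes (one already carrying a stale src), and two
# connected networks that must be left untouched.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.9.9.1 dev ipsec0
128.0.0.0/1 via 10.9.9.1 dev ipsec0 src 10.1.2.99
10.9.9.0/24 dev ipsec0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

MYADDR="${MYADDR:-10.1.2.3}"   # private address on lo:0 (placeholder value)

if [ "${1:-}" = "--apply" ]; then
    # Live mode: read the real table and execute the generated commands.
    pin_src_routes "$(ip route)" "$MYADDR" | sh -e
else
    # Dry run: show what would be executed against the sample table.
    pin_src_routes "$SAMPLE_ROUTES" "$MYADDR"
fi
```

Run it without arguments to see the generated commands for the sample table, or with --apply (as root, after the tunnel is up) to rewrite the live /1 routes.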
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST