[Users] Routing beyond FreeS/WAN subnet

From: Ashant Chalasani (ashant_at_chalasani.de)
Date: Fri Oct 04 2002 - 21:25:15 CEST


Hi,

As a newbie to the IPsec community, I am trying to create an IPsec'd WLAN
subnet, i.e. a WLAN where the wireless medium is encrypted (FreeS/WAN
U1.98b/K1.91 and SSH Sentinel 1.2 client). The remainder of the network has
nothing to do with IPsec, so once traffic leaves the WLAN, it is not
encrypted any more. It looks like...

10.x.x.x (cable network, never had to know any more about it)
        |
192.168.11.254 (LRP router)
        |
192.168.11.0/24
        |
192.168.12.254 (FreeS/WAN gateway)
        |
192.168.12.200 (SSH Sentinel 1.2 client)

Once the traffic goes beyond the 192.168.12.254 gateway, it need not be
encrypted. As long as traffic is within 192.168.12.0/24, it is on the
wireless medium and must be encrypted.

I can establish tunnels between the FreeS/WAN gateway and the Sentinel 1.2
clients, but am not able to route beyond; e.g., I can't ping 192.168.11.254 or
the DNS server on the 10.x.x.x cable network.

The routing table on freeS/WAN gateway reveals more:

greece2k4:/etc # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.12.200  192.168.12.200  255.255.255.255 UGH   0      0        0 ipsec0
192.168.12.0    *               255.255.255.0   U     0      0        0 eth1
192.168.12.0    *               255.255.255.0   U     0      0        0 ipsec0
192.168.11.0    *               255.255.255.0   U     0      0        0 eth0
default         192.168.11.254  0.0.0.0         UG    0      0        0 eth0

Would anyone have an explanation as to how I can get traffic to route beyond
the FreeS/WAN gateway? BTW, my ipsec.conf is as follows.

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search

# defaults that apply to all connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # How to authenticate gateways

### The config below this is repeated for as many subnets as you want to
### protect. I include this from a file - one per client.
### leftnexthop=192.168.11.254

conn Wireless_Client_200
        left=192.168.12.254 ### The gateway
        leftsubnet=192.168.12.0/24
        leftfirewall=yes
        right=192.168.12.200 ### The remote client
        auto=add
        keyexchange=ike
        pfs=yes
        rekeymargin=9m
        rekeyfuzz=25%
        keyingtries=1
        authby=secret

Thanks much in advance,
Ashant

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
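The selector arithmetic behind the question above, as an added example that is not part of the original post and is the editor's own model rather than FreeS/WAN, KLIPS or SSH Sentinel code. It takes the `route` output and the `Wireless_Client_200` conn exactly as posted (right with no rightsubnet means a /32 selector for the client), and compares them with the same conn whose leftsubnet is widened to 0.0.0.0/0; that widened conn is an assumption about what would be needed, not something the post states, and the client side would have to propose the same selectors in IKE quick mode for it to negotiate. The hosts 10.1.2.3 and 192.168.12.201 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dest: Net
    via: Optional[IP]
    iface: str


@dataclass(frozen=True)
class Conn:
    """Selector pair negotiated in IKE quick mode: leftsubnet <-> right[subnet].

    Simplified model of a FreeS/WAN conn; not the real parser or KLIPS eroute table.
    """
    name: str
    left_subnet: Net   # what the gateway side claims to protect
    right_subnet: Net  # what the client side claims to protect (right alone = /32)


# Constructed from the `route` output in the post (gateway greece2k4).
GATEWAY_ROUTES: List[Route] = [
    Route(Net("192.168.12.200/32"), IP("192.168.12.200"), "ipsec0"),
    Route(Net("192.168.12.0/24"), None, "eth1"),
    Route(Net("192.168.12.0/24"), None, "ipsec0"),
    Route(Net("192.168.11.0/24"), None, "eth0"),
    Route(Net("0.0.0.0/0"), IP("192.168.11.254"), "eth0"),
]

# The conn as posted: leftsubnet=192.168.12.0/24, right=192.168.12.200.
AS_POSTED = Conn("Wireless_Client_200", Net("192.168.12.0/24"), Net("192.168.12.200/32"))
# Assumed variant for comparison: the gateway offers everything behind it.
WIDENED = Conn("Wireless_Client_200", Net("0.0.0.0/0"), Net("192.168.12.200/32"))


def lookup_route(dst: IP, routes: List[Route] = GATEWAY_ROUTES) -> Route:
    """Longest-prefix match; on an equal prefix the earlier entry wins in this model."""
    best: Optional[Route] = None
    for r in routes:
        if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    assert best is not None, "table has a default route, so this cannot happen"
    return best


def gateway_forwards(src: IP, dst: IP, conn: Conn, routes: List[Route] = GATEWAY_ROUTES) -> Tuple[str, str]:
    """Gateway's decision for a packet it must send towards dst.

    The kernel route picks the interface. If that is ipsec0, the packet also needs
    a selector (eroute) covering src -> dst; without one nothing can encrypt it.
    """
    r = lookup_route(dst, routes)
    if r.iface != "ipsec0":
        return ("clear", r.iface)
    if src in conn.left_subnet and dst in conn.right_subnet:
        return ("encrypted", conn.name)
    return ("no-selector", "ipsec0")


def client_sends(src: IP, dst: IP, conn: Conn) -> Tuple[str, str]:
    """Mirror image on the Sentinel side: its policy is right[subnet] -> leftsubnet."""
    if src in conn.right_subnet and dst in conn.left_subnet:
        return ("encrypted", conn.name)
    return ("outside-selector", "not tunnelled")


def trace(conn: Conn, client: IP, targets: List[IP]) -> List[Tuple[str, Tuple[str, str], Tuple[str, str]]]:
    """For each target: client -> target, then the reply target -> client at the gateway."""
    return [(str(t), client_sends(client, t, conn), gateway_forwards(t, client, conn)) for t in targets]


if __name__ == "__main__":
    client = IP("192.168.12.200")
    targets = [IP("192.168.12.254"), IP("192.168.12.201"), IP("192.168.11.254"), IP("10.1.2.3")]
    for conn in (AS_POSTED, WIDENED):
        print(f"leftsubnet={conn.left_subnet}")
        for target, outbound, reply in trace(conn, client, targets):
            print(f"  {target:15} client->target {outbound}   reply at gateway {reply}")
```

With the conn as posted, only 192.168.12.254 round-trips inside the tunnel: a packet for 192.168.11.254 falls outside the client's selector, and its reply, although routed to ipsec0 by the /32 host route, matches no selector on the gateway either. With the widened leftsubnet both directions match, which is why checking the negotiated selectors (ipsec look / ipsec eroute) is the first thing to look at when a tunnel is up but nothing beyond the peer's subnet is reachable.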



This archive was generated by hypermail 2.1.5 : Sat Oct 05 2002 - 05:20:20 CEST