Freeswan and loopback interface
Paolo
Guest
      05-05-2004, 02:43 PM
Hi all!

I'm trying to solve without success the following problem:

Scenario:

I've got a linux appliance behind an adsl router.
I use a private /30 to connect the router to the appliance
to save IP addresses. The router does only routing, no NAT.

| lo:1 public ip1 int adsl: public ip2
|----Linux appliance---------------ADSL router--------
| eth0:192.168.0.1 eth:192.168.0.2
private net 10.0.0.0/16

In this way I use only 2 public IP addresses.
Don't tell me to use an ADSL interface on the appliance:
I can't.

Problem:

I want to set up an IPSec tunnel between two appliances.

The problem is that I must use public ip1 as "right"
but freeswan cannot set routing because the nexthop is not
on the same net specified by lo:1 (that is by the way configured
with netmask 255.255.255.255)

it tries to add a route for the remote network in this way:
route add -net remote netmask remotemask dev ipsec0 gw 192.168.0.2

but it obviously fails because that is not correct
(I configured interface="ipsec0=lo:1")

Has anyone any suggestion?

Thanks!!
Paolo
David Efflandt
Guest
      05-06-2004, 04:40 AM
On 5 May 2004 07:43:25 -0700, Paolo <(E-Mail Removed)> wrote:
> Hi all!
>
> I'm trying to solve without success the following problem:
>
> Scenario:
>
> I've got a linux appliance behind an adsl router.
> I use a private /30 to connect the router to the appliance
> to save IP addresses. The router does only routing, no NAT.
>
>| lo:1 public ip1 int adsl: public ip2
>|----Linux appliance---------------ADSL router--------
>| eth0:192.168.0.1 eth:192.168.0.2
> private net 10.0.0.0/16
>
> In this way I use only 2 public IP addresses.
> Don't tell me to use an ADSL interface on the appliance:
> I can't.
>
> Problem:
>
> I want to set up an IPSec tunnel between two appliances.
>
> The problem is that I must use public ip1 as "right"
> but freeswan cannot set routing because the nexthop is not
> on the same net specified by lo:1 (that is by the way configured
> with netmask 255.255.255.255)
I do not understand how you can have a public IP on a "lo" (loopback)
interface, since that just loops back to you.

> it tries to add a route for the remote network in this way:
> route add -net remote netmask remotemask dev ipsec0 gw 192.168.0.2
Probably because that (default route) is the only route available that
could lead to whatever you are attempting to connect to. I imagine you
should be using eth0:0 for public ip1 (assuming your router knows to route
that IP to you).

> but it obviously fails because that is not correct
> (I configured interface="ipsec0=lo:1")
>
> Has anyone any suggestion?
Ipsec has to tunnel over a real reachable route, and lo has no route out
of your box.

--
David Efflandt - All spam ignored http://www.de-srv.com/
Paolo
Guest
      05-09-2004, 01:30 PM
(E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
> On 5 May 2004 07:43:25 -0700, Paolo <(E-Mail Removed)> wrote:
> > Hi all!
> >
> > I'm trying to solve without success the following problem:
> >
> > Scenario:
> >
> > I've got a linux appliance behind an adsl router.
> > I use a private /30 to connect the router to the appliance
> > to save IP addresses. The router does only routing, no NAT.
> >
> >| lo:1 public ip1 int adsl: public ip2
> >|----Linux appliance---------------ADSL router--------
> >| eth0:192.168.0.1 eth:192.168.0.2
> > private net 10.0.0.0/16
> >
> > In this way I use only 2 public IP addresses.
> > Don't tell me to use an ADSL interface on the appliance:
> > I can't.
> >
> > Problem:
> >
> > I want to set up an IPSec tunnel between two appliances.
> >
> > The problem is that I must use public ip1 as "right"
> > but freeswan cannot set routing because the nexthop is not
> > on the same net specified by lo:1 (that is by the way configured
> > with netmask 255.255.255.255)
>
> I do not understand how you can have a public IP on a "lo" (loopback)
> interface, since that just loops back to you.

It's a technique that is often used in routers. It helps you to make
your router reachable independently of which interface is active.
In fact, as soon as your router/linux box gets a packet that matches a
local ip (also on a loopback!) it considers it "local" traffic and
passes it to upper layer protocols...

> > it tries to add a route for the remote network in this way:
> > route add -net remote netmask remotemask dev ipsec0 gw 192.168.0.2
>
> Probably because that (default route) is the only route available that
> could lead to whatever you are attempting to connect to. I imagine you
> should be using eth0:0 for public ip1 (assuming your router knows to route
> that IP to you).

I've tried what you suggest. It doesn't work for the same reason.
I've assigned ip1 to eth0:0 with /32 netmask. The route command
fails once again because the gateway 192.168.0.2 is not on the same
network as the one implicitly defined by eth0:0 (ip1/32).

Argh!!!

Thanks for your help
Paolo

> > but it obviously fails because that is not correct
> > (I configured interface="ipsec0=lo:1")
> >
> > Has anyone any suggestion?
>
> Ipsec has to tunnel over a real reachable route, and lo has no route out
> of your box.
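An added example, not from the thread: a POSIX shell replica of the on-link test the Linux kernel applies when a route with a gateway is added through an interface, which is why the "route add ... gw 192.168.0.2" above fails for any address bound with a /32 mask. It uses the thread's 192.168.0.0/30 link and, as an assumption, the documentation address 203.0.113.10 as a stand-in for public ip1.

```shell
# Added example, not from the thread. Models the check the kernel makes for
# "route add -net ... dev IFACE gw GW": GW must lie inside a prefix configured
# on IFACE. 203.0.113.10 stands in for the thread's unnamed public ip1.

# Dotted quad -> 32-bit integer (multiplication keeps this strictly POSIX).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Prefix length (0..32) -> netmask as an integer.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# on_link ADDR PREFIXLEN GW: status 0 if GW shares ADDR's prefix (is a
# directly reachable neighbour), 1 otherwise. A /32 covers only ADDR itself,
# so no gateway can ever be on-link for it, whatever device carries it.
on_link() {
    mask=$(prefix2mask "$2")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]
}

# explain_route ADDR PREFIXLEN GW: prints the verdict the kernel would give
# and returns on_link's status.
explain_route() {
    if on_link "$1" "$2" "$3"; then
        echo "gw $3 is on-link for $1/$2: route accepted"
    else
        echo "gw $3 is NOT on-link for $1/$2: route rejected" \
             "(the classic 'SIOCADDRT: Network is unreachable')"
        return 1
    fi
}

# The /30 transfer link: 192.168.0.2 is a neighbour of eth0's 192.168.0.1/30.
explain_route 192.168.0.1 30 192.168.0.2
# ip1/32 on lo:1 or eth0:0 (Paolo's two attempts): no neighbours at all.
explain_route 203.0.113.10 32 192.168.0.2 || true
```

The same rule governs the newer "ip route add ... via GW dev DEV" unless the route is explicitly flagged onlink; the thread's FreeS/WAN version generated the old route command and left no such option.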