With this iproute2 command it might work
ip r a IpSecOtherIp/32 dev RED src IpOrange via GwRed
IpSecOtherIp : the IP of the other end of the IPsec
IpOrange : the IP of the orange interface
GwRed : the gateway used on the red interface
you can also try to change the nextHop in your config to the
GwRedIp (I'm not that familiar with IpSec to know if it respects
the normal routing)
Good luck and let me know if it works, or otherwise what happens
with the packets you see.
"John Smith" <(E-Mail Removed)> wrote in message news:<chpkc4$7c4$(E-Mail Removed)>...
> I am trying to replace a router and VPN box with a linux box having 3
> interfaces: Red, Green, and Orange. Since I no longer will have the router,
> the Linux/FreeSwan box will have to:
>
> A. Have the Red interface connected to the public network similar to that of
> the old router.
>
> B. Perform the VPN operation of the old VPN box, but without making changes
> to the "other" side of the VPN link.
>
> This is a challenge, since the Linux/FreeSwan box will need to go out on the
> Red interface with IPSEC packets formatted for the Orange interface. That
> is, I want the IPSEC packets to be formatted as if they were sent out on the
> Orange interface. (This to make the other side of the VPN link happy with
> whom it communicates with). Second, these packets need to get an IP header,
> and leave on the Red interface. I am uncertain if it is sufficient that the
> VPN packet has the right look, or if also the IP header must match. That
> is, the IP address of the VPN packets leaving on the Red interface must also
> have the source address of the Orange interface.
>
> I have experimented with this and found that I am having trouble having left
> set to anything other than the Ip address of the interfaces in ipsec.conf.
> Also, IPSEC is not happy when leftnexthop is not on the same net as left...
> I have been trying to add a second Ip address to the Orange interface to
> resolve the leftnexthop issue, but still no luck.
>
> So, the bottom line is; Can I configure FreeSwan in any way such that it
> uses the IP address of the Orange interface for its VPN traffic over the Red
> interface?
>
> Any suggestions would be helpful and appreciated.
>
> AJ
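The route suggested in the reply, written out as a small script, as an added example that is not part of either post. It builds the host route to the IPsec peer with the orange address as source, and adds the check a practitioner would want: run "ip route get <peer>" afterwards and confirm that the "src" the kernel reports is the orange address, since that is the source address locally originated packets to the peer will carry. The addresses, the interface name eth0 and the RED/ORANGE variable names are assumptions (RFC 5737 documentation ranges), not values from the thread. Whether the gateway on the red side will forward packets sourced from the orange address is a separate question that this check does not answer.

```shell
#!/bin/sh
# Added example, not code from the original posts. All addresses and the
# interface name are assumptions chosen from documentation ranges.

PEER=203.0.113.7        # IpSecOtherIp: remote IPsec endpoint (assumed)
ORANGE_IP=192.0.2.10    # IpOrange: address of the orange interface (assumed)
RED_GW=198.51.100.1     # GwRed: gateway reachable on the red interface (assumed)
RED_IF=eth0             # the red interface (assumed name)

# Build the iproute2 command from the reply: a /32 host route to the peer,
# out of the red interface via the red gateway, with the orange IP as source.
route_cmd() {
    printf 'ip route add %s/32 dev %s src %s via %s\n' "$1" "$2" "$3" "$4"
}

# Pull the 'src' field out of one line of 'ip route get' output, e.g.
# "203.0.113.7 via 198.51.100.1 dev eth0 src 192.0.2.10 uid 0".
src_of() {
    printf '%s\n' "$1" | sed -n 's/.*src \([0-9.]*\).*/\1/p'
}

# Succeed only if the kernel would source packets to the peer from $2.
check_src() {
    [ "$(src_of "$1")" = "$2" ]
}

if [ "$1" = "--apply" ]; then
    # Needs root and a real interface; installs the route, then verifies it.
    $(route_cmd "$PEER" "$RED_IF" "$ORANGE_IP" "$RED_GW")
    if check_src "$(ip route get "$PEER")" "$ORANGE_IP"; then
        echo "src OK: packets to $PEER will leave with $ORANGE_IP"
    else
        echo "src mismatch: kernel did not pick $ORANGE_IP for $PEER"
    fi
else
    # Dry run: just print the command that would be installed.
    route_cmd "$PEER" "$RED_IF" "$ORANGE_IP" "$RED_GW"
fi
```

Run it without arguments to see the exact command; run it with --apply as root to install the route and perform the "ip route get" check.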