With Linux almost anything goes, but can this be done (FreeSwan VPN using RED IF with IP of ORANGE I

Discussion in 'Linux Networking' started by John Smith, Sep 9, 2004.

  1. John Smith

    John Smith Guest

    I am trying to replace a router and VPN box with a linux box having 3
    interfaces: Red, Green, and Orange. Since I no longer will have the router,
    the Linux/FreeSwan box will have to:

    A. Have the Red interface connected to the public network similar to that of
    the old router.

    B. Perform the VPN operation of the old VPN box, but without making changes
    to the "other" side of the VPN link.

    This is a challenge, since the Linux/FreeSwan box will need to go out on the
    Red interface with IPSEC packets formatted for the Orange interface. That
    is, I want the IPSEC packets to be formatted as if they were sent out on the
    Orange interface. (This to make the other side of the VPN link happy with
    whom it communicates with). Second, these packets need to get an IP header,
    and leave on the Red interface. I am uncertain if it is sufficient that the
    VPN packet has the right look, or if also the IP header must match. That
    is, the IP address of the VPN packets leaving on the Red interface must also
    have the source address of the Orange interface.

    I have experimented with this and found that I am having trouble having left
    set to anything other than the IP address of the interfaces in ipsec.conf.
    Also, IPSEC is not happy when leftnexthop is not on the same net as left...
    I have been trying to add a second IP address to the Orange interface to
    resolve the leftnexthop issue, but still no luck.

    So, the bottom line is: Can I configure FreeSwan in any way such that it
    uses the IP address of the Orange interface for its VPN traffic over the Red

    Any suggestions would be helpful and appreciated.

    John Smith, Sep 9, 2004
  2. Wannebee NetHacker

    With this iproute2 command it might work

    ip r a IpSecOtherIp/32 dev RED src IpOrange via GwRed

    IpSecOtherIp : the IP of the other end of the IPsec tunnel
    IpOrange : the IP of the orange interface
    GwRed : the gateway used on the red interface

    you can also try to change the nextHop in your config to the
    GwRedIp (I'm not that familiar with IpSec to know if it respects
    the normal routing)

    Good luck and let me know if it works, or otherwise what happens
    with the packets you see.
    Wannebee NetHacker, Sep 16, 2004
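    A way to verify that the host route above actually changed the kernel's source address selection for the peer: after adding the route, `ip route get PEER` prints the route the kernel would use, including a `src` field. The script below is an added example, not from either poster; the addresses are constructed placeholders (peer 203.0.113.10, Red gateway 198.51.100.1, Orange IP 192.0.2.1), and the sample output is a constructed copy of what `ip route get` prints so the check can be exercised without root or the real interfaces.

```shell
#!/bin/sh
# Constructed sample of `ip route get 203.0.113.10` output after a route
# like `ip r a 203.0.113.10/32 dev eth0 src 192.0.2.1 via 198.51.100.1`
# has been installed (hypothetical addresses, not from the thread).
SAMPLE_ROUTE_GET='203.0.113.10 via 198.51.100.1 dev eth0 src 192.0.2.1 uid 0
    cache'

# route_src: read `ip route get` output on stdin and print the address
# following the "src" keyword, i.e. the source the kernel will stamp on
# locally generated packets to that destination. Prints nothing if absent.
route_src() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# check_vpn_src PEER WANT_SRC [ROUTE_GET_OUTPUT]
# Returns 0 when the kernel's chosen source for PEER equals WANT_SRC (the
# Orange IP the far end expects), 1 when it differs, 2 when the lookup fails.
# A third argument lets the check run on captured output instead of calling ip.
check_vpn_src() {
  peer=$1
  want=$2
  out=$3
  if [ -z "$out" ]; then
    out=$(ip route get "$peer" 2>/dev/null) || return 2
  fi
  got=$(printf '%s\n' "$out" | route_src)
  [ "$got" = "$want" ]
}

# Stand-alone usage: check the constructed sample against the Orange IP.
if check_vpn_src 203.0.113.10 192.0.2.1 "$SAMPLE_ROUTE_GET"; then
  echo "source address for peer is the Orange IP"
else
  echo "source address for peer is NOT the Orange IP; the src route did not take effect"
fi
```

    Run it without the third argument on the real box to query the live routing table; if the `src` shown is the Red address, the ESP packets will carry the Red IP regardless of what ipsec.conf says.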
