Re: Public subnet extrusion
On 24/02/2012 16:52, Paul Wouters wrote:
> That is partially because the NETKEY IPsec stack is being retarded. For
> netkey, tunneling 0.0.0.0/0 means tunnel everything, including LAN
> traffic and the remote vpn IP. You might need to make a passthrough
> route to avoid that, though that's difficult on roadwarriors as it
> changes all the time.
>
> Your best bet is to leave the tunnel without sourceip= settings and then
> using "ip route" and "ip rule" tricks to "prefer" the new IP as the
> default for some traffic (eg port 80)
>
> An easier solution is probably to just use L2TP/IPsec, where the remote
> gives you the 220.127.116.11 IP and the pppd deals with the routing and
> traffic preferences for you.
>
> Paul

Hi,

I really don't understand how the hell it works. If I don't use "leftsourceip", it doesn't tunnel anything despite rightsubnet=0.0.0.0/0! Also, without NAT it works (nearly) flawlessly! Here is the working configuration without NAT:
Server A:

    eth0 18.104.22.168/24 (network 22.214.171.124/24) (PUBLIC)
    eth1 172.16.1.1/16 (network 172.16.0.0/16) (PRIVATE)
    eth2 126.96.36.199/32 (PUBLIC)

    conn server1-server2
        authby=rsasig
        left=188.8.131.52
        leftsubnet=0.0.0.0/0
        leftrsasigkey=
        right=184.108.40.206
        rightsubnet=172.16.0.0/24
        rightid=@server2
        rightrsasigkey=
        type=tunnel
        auto=add

Server B:

    eth0 220.127.116.11/24 (network 18.104.22.168/24) (PUBLIC)
    eth1 172.16.0.1/24 (network 172.16.0.0/24) (PRIVATE)

    conn server1-server2
        authby=rsasig
        left=22.214.171.124
        leftsubnet=172.16.0.0/24
        leftsourceip=172.16.0.1
        leftid=@server2
        leftrsasigkey=
        right=126.96.36.199
        rightsubnet=0.0.0.0/0
        rightrsasigkey=
        type=tunnel
        auto=start

Server A does NAT for outgoing connections from 172.16.1.1/24 on IP 188.8.131.52, and server B surfs the web with that IP. The strange thing is that server B does not tunnel the traffic toward 184.108.40.206/24 despite rightsubnet=0.0.0.0/0! Also, the traffic toward 220.127.116.11/24 originates from IP 18.104.22.168 despite leftsourceip=172.16.0.1!
Please, someone explain how the hell it works; I even bought your Openswan book, but it just explains the basics and not how stuff is really implemented.
At least it doesn't crash the whole system now: http://marc.info/?l=linux-netdev&m=133000782209351&w=2 :(
Thanks,
Niccolò

P.S. I use Debian Squeeze amd64 on both machines.

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
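To make Paul's point about "tunnel everything" concrete, here is an added example (not code from the thread or from Openswan) that models, in simplified form, how the Linux XFRM security policy database (SPD) picks an action for a packet: a policy has a source selector, a destination selector and a priority (lower wins, as in `ip xfrm policy`), and a packet must match both selectors. The LAN, peer and test addresses are constructed assumptions, not the thread's values.

```python
import ipaddress
from collections import namedtuple

# Constructed, simplified model of the Linux XFRM SPD. Each policy has a
# source selector, a destination selector, a numeric priority (lower value
# wins) and an action. A packet must match BOTH selectors; among matching
# policies the lowest priority value decides.
Policy = namedtuple("Policy", "src dst priority action")

def policy(src, dst, priority, action):
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                  priority, action)

def lookup(spd, src, dst):
    """Action for a packet src->dst: 'tunnel', 'passthrough' or 'clear'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in spd if s in p.src and d in p.dst]
    if not matches:
        return "clear"  # no policy matched: packet leaves unencrypted
    return min(matches, key=lambda p: p.priority).action

# Road-warrior style tunnel: leftsubnet=172.16.0.0/24, rightsubnet=0.0.0.0/0.
# Constructed addresses: LAN 172.16.0.0/24, peer public address 192.0.2.1.
LAN, PEER = "172.16.0.0/24", "192.0.2.1/32"
naive_spd = [policy(LAN, "0.0.0.0/0", 2000, "tunnel")]

def tunnels_lan_traffic(spd):
    """True if LAN-to-LAN traffic gets swallowed by the tunnel policy."""
    return lookup(spd, "172.16.0.10", "172.16.0.20") == "tunnel"

# The remedy Paul describes: more specific passthrough policies for the
# LAN itself and for the remote VPN address, at a better (lower) priority,
# so only the catch-all destinations are still tunneled.
fixed_spd = naive_spd + [
    policy(LAN, LAN, 1000, "passthrough"),
    policy(LAN, PEER, 1000, "passthrough"),
]

def source_outside_leftsubnet(spd):
    """Packets not sourced from leftsubnet match no selector at all."""
    return lookup(spd, "192.0.2.50", "198.51.100.7")

if __name__ == "__main__":
    print("naive SPD tunnels LAN traffic:", tunnels_lan_traffic(naive_spd))
    print("fixed SPD tunnels LAN traffic:", tunnels_lan_traffic(fixed_spd))
    print("to peer address (fixed):", lookup(fixed_spd, "172.16.0.10", "192.0.2.1"))
    print("source outside leftsubnet:", source_outside_leftsubnet(fixed_spd))
```

The last case shows why the source selector matters: a packet whose source address is outside leftsubnet matches no policy and is sent in the clear, whatever rightsubnet says.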