Hey, I have a problem. That should be fairly easily resolvable. But it isn't. The available documentation sucks. And my head hurts.
http://wiki.openswan.org/index.php/The%20Internet%20as%20a%20big%20subnet

I have an office, I have a datacentre. If the office accesses the internet it must not appear to come from the office. The office can appear to the internet as the datacentre.

So, I thought I'd stick up a VPN with the remote subnet as 0.0.0.0/0 on the office firewall, and the local subnet as 0.0.0.0/0 on the datacentre firewall. I removed the office firewall's default route, and added a specific host route to the datacentre firewall. The VPN establishes itself fine, and openswan creates 2 new routing rules on the office firewall:

    0.0.0.0    xxx.xxx.xxx.xxx  128.0.0.0  UG  0  0  0  eth2
    128.0.0.0  xxx.xxx.xxx.xxx  0.0.0.0    UG  0  0  0  eth2

xxx.xxx.xxx.xxx is the office firewall's nexthop. I'm running 2.6, so no ipsecX virtual interfaces :(

Now two things change.

1) I can access the internet from the office firewall, but I appear as the office, not the datacentre. Which shouldn't happen, as I removed the default route out its own router, and set up one via the datacentre with openswan.

2) I can't access anything on its internal interface, and machines behind it can't access it.

Seems like openswan is trying to send *everything* out the internet connection.

Is there anyone who can tell/show me how to create a default route over a subnet-subnet ipsec vpn, without screwing up internal access?

Cheers
--
Mike Williams
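The routing and policy interplay described in the post, as an added example that is not part of the original message or of openswan: a short simulation of how a packet leaving the office firewall is first matched by the two half-default routes and then by a 0.0.0.0/0 IPsec selector, and why a LAN-bound packet needs a narrower bypass policy to stay local. The addresses, the 192.168.10.0/24 office LAN and the bypass entry are assumptions.

```python
# Added example (not from the post): simulate how the office firewall treats a
# packet, first by longest-prefix routing, then by IPsec policy (SPD) selection.
# Addresses, the office LAN prefix and the interface names are constructed.
import ipaddress

NEXTHOP = "203.0.113.1"        # constructed stand-in for xxx.xxx.xxx.xxx
DATACENTRE = "198.51.100.7"    # constructed datacentre firewall address

# Routing table after openswan installs its two half-default routes on eth2:
# (prefix, gateway or None when directly connected, interface).
ROUTES = [
    ("192.168.10.0/24", None, "eth0"),        # constructed office LAN
    (DATACENTRE + "/32", NEXTHOP, "eth2"),    # the host route added by hand
    ("0.0.0.0/1", NEXTHOP, "eth2"),           # installed by openswan
    ("128.0.0.0/1", NEXTHOP, "eth2"),         # installed by openswan
]

def route_lookup(dst):
    """Longest-prefix match; returns (interface, gateway)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return (best[2], best[1]) if best else None

def policies(lan_bypass):
    """Ordered SPD. A 0.0.0.0/0 selector also matches LAN destinations, so a
    narrower bypass entry must come first for local traffic to stay in clear."""
    spd = [("192.168.10.0/24", "bypass")] if lan_bypass else []
    return spd + [("0.0.0.0/0", "ipsec")]

def policy_lookup(dst, lan_bypass):
    ip = ipaddress.ip_address(dst)
    for selector, action in policies(lan_bypass):
        if ip in ipaddress.ip_network(selector):
            return action
    return "bypass"

def handle(dst, lan_bypass=False):
    """Which interface/gateway a packet to dst takes and whether it is tunnelled.
    (The tunnel's own ESP packets to the peer are outside the SPD; not modelled.)"""
    dev, gw = route_lookup(dst)
    return {"dev": dev, "gw": gw, "tunnelled": policy_lookup(dst, lan_bypass) == "ipsec"}

if __name__ == "__main__":
    for dst in ("192.0.2.44", "192.168.10.5"):
        print(dst, handle(dst), handle(dst, lan_bypass=True))
```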