> I have a Dachstein LRP with this routing table:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.50.50.0      68.2.2.1        255.255.255.0   UG    0      0        0 ipsec0
> 192.168.38.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 68.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 68.2.2.0        0.0.0.0         255.255.252.0   U     0      0        0 ipsec0
> 0.0.0.0         68.2.2.1        0.0.0.0         UG    0      0        0 eth0
>
> The subnet 10.50.50.0/24 on the right-hand side of the IPSec tunnel has a
> hub router at 10.50.50.1 that has routes to the other VPN subnets. My '38
> network is one of the spokes of a hub & spoke topology.
>
> I'd like to add a single static route here (left-hand side, spoke end) and
> be able to reach the far-flung spoke networks via the hub router at
> 10.50.50.1 (e.g., those up-state wahoos over on the 192.168.4.0/24
> spoke). So I tried:
>
> # route add -net 192.168.0.0 netmask 255.255.0.0 gw 10.50.50.1
> SIOCADDRT: Network is unreachable
>
> Unfortunately, I cannot ping hosts in 10.50.50.0/24 from the LRP, although
> I can ping any host in 10.50.50.0/24 from another host in my '38 network.
>
> How might I be able to configure my spoke, and the other spokes, to use the
> hub router?
Remember only traffic explicitly specified in the IPSec connections will be able to go through the ipsec tunnel. Since your IPSec tunnel is apparently between the 192.168.38.0/24 and 10.50.50.0/24 subnets, only traffic matching these IP's for source/destination will pass through the subnet-subnet IPSec tunnel.

If you have additional subnets on the far side of the router, you will need to create additional connection descriptions for them, or suitably "widen" the [left|right]subnet declaration in your existing connection description. As is usual in networking, proper planning of subnet addressing can significantly reduce the complexity of your routing (and IPSec connection) configuration.

More details are available in the FreeS/WAN Documentation:

http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/adv_config.html#otherconf

I believe the "tunnels are cheap" example describes your problem exactly...

NOTE: Link is from the current snapshot tree, since the release tree documentation seems to have gone walk-about. Actual docs from the Dachstein release of FreeS/WAN can be found here:

http://leaf.sourceforge.net/devel/cstein/Packages/man/IPSec1.91/index.html

...but the later docs are generally more complete and useful.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
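As an added illustration of the "one connection description per remote subnet" approach described in the reply (this is example configuration written for this page, not the original poster's or the FreeS/WAN project's own file), here is what a FreeS/WAN 1.9x ipsec.conf on the spoke LRP box could look like. The hub gateway's public address (HUB_GW_PLACEHOLDER), the use of pre-shared-key authentication already present in ipsec.secrets, and the assumption that 192.168.4.0/24 sits behind the hub are all assumptions; the subnet numbers themselves come from the thread.

```ini
# Added example (not from the original post): FreeS/WAN 1.9x ipsec.conf on
# the spoke LRP box. Assumed: HUB_GW_PLACEHOLDER is the hub gateway's public
# address, pre-shared keys are already in ipsec.secrets, and the far spoke
# 192.168.4.0/24 is reachable through the hub's LAN router at 10.50.50.1.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# Settings every tunnel to the hub shares; each conn below only adds
# the traffic selector (the subnets) it carries.
conn %default
        left=%defaultroute
        right=HUB_GW_PLACEHOLDER
        authby=secret
        keyingtries=0
        auto=start

# The tunnel that already works: spoke LAN <-> hub LAN.
conn spoke38-hub
        leftsubnet=192.168.38.0/24
        rightsubnet=10.50.50.0/24

# A second, equally cheap tunnel to the same hub gateway whose selector is
# the far spoke's LAN. Only packets matching a conn's selectors are put on
# ipsec0, so without this conn 192.168.4.x traffic never enters the tunnel,
# no matter what static route is added by hand.
conn spoke38-spoke4
        leftsubnet=192.168.38.0/24
        rightsubnet=192.168.4.0/24

# Optional host-to-subnet conn: packets sent by the LRP itself carry its
# eth0 address, not a 192.168.38.x one, so they do not match the subnet
# conns above. Omitting leftsubnet covers the gateway's own traffic
# (useful for ping tests from the LRP).
conn lrp-hub
        rightsubnet=10.50.50.0/24
```

Two things to keep in mind with this layout. First, the hub gateway needs mirror-image conns: it must carry a connection whose left side is 192.168.4.0/24 and whose right side is 192.168.38.0/24 (with its own tunnel to spoke 4 on the other side), otherwise it will drop the forwarded packets as not matching any policy. Second, "widening" rightsubnet on this spoke to 192.168.0.0/16, which is what the poster's attempted static route implies, would claim the spoke's own 192.168.38.0/24 as a remote network, so per-spoke conns or a renumbering that keeps the remote spokes in one summarizable block (the addressing-plan point the reply makes) is the cleaner route. Once a conn comes up, FreeS/WAN installs the ipsec0 route for its rightsubnet itself; no manual `route add` is needed.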