[Cialug] IPSec network routing
Dave Weis
djweis at sjdjweis.com
Fri Jul 10 21:16:25 UTC 2020
There are a couple of parts you need to worry about. The local and far end need
to agree on which subnets are sent via the tunnel, and you need to have your
routing table send that traffic via the tunnel.
On top of that, you'll have to make sure your iptables config allows the
traffic you want.
Dave
On Fri, Jul 10, 2020, 3:25 PM Mike Hughes <mike at visionary.com> wrote:
> Hi LUGers,
>
> We manage an IPSec connection between vendors over public IP space. The
> question I have is: Is it necessary to specify the route for each IP
> address, or will the firewall figure it out?
>
> Our existing tunnels, which are operational, have routes defined in the OS
> such as:
> #EEE
> 204.135.40.77 via 192.168.2.1 src 192.168.2.220
> #PPP
> 10.76.48.240 via 192.168.2.1 src 192.168.2.221
> #AAA
> 204.135.219.241 via 192.168.2.1 src 192.168.2.46
>
> The above are defined within route-device files named:
> route-enp5s0:220
> route-enp5s0:221
> route-enp5s0:46
>
> which correspond to network device definition files such as:
> ifcfg-enp5s0:220
> ifcfg-enp5s0:221
> ifcfg-enp5s0:46
>
> The routing table looks like this:
> [Cent-7:mike at myserver ~]$ route -n
> Kernel IP routing table
> Destination      Gateway         Genmask          Flags Metric Ref Use Iface
> 0.0.0.0          192.168.2.1     0.0.0.0          UG    100    0   0   enp5s0
> 10.76.48.240     192.168.2.1     255.255.255.255  UGH   0      0   0   enp5s0
> 192.168.2.0      0.0.0.0         255.255.255.0    U     100    0   0   enp5s0
> 234.123.45.77    192.168.2.1     255.255.255.255  UGH   0      0   0   enp5s0
> 123.123.243.241  192.168.2.1     255.255.255.255  UGH   0      0   0   enp5s0
>
> Was all this necessary? Or will the routes defined within the firewall
> take care of this?
>
> Thanks!
>
> Mike
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>
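The reply above lists three things that have to line up before a packet actually goes through the tunnel: the negotiated traffic selectors on both ends, the route (which on Linux also decides the packet's source address), and the netfilter rules. The model below is an added example, not code from the thread or from any IPsec daemon. It assumes policy-based IPsec as the Linux XFRM stack implements it: the kernel does a normal route lookup, and the packet is only encrypted if the resulting (source, destination) pair falls inside a policy's selectors. The routing table is taken from the question; the primary address of enp5s0 (192.168.2.10), the negotiated selectors and the filter rules are assumptions, since the thread does not state them. It shows why the `src 192.168.2.221` hint in the host route matters: without it the kernel picks the interface's primary address, which is outside the local selector, and the packet leaves in the clear.

```python
"""Model of the three conditions for traffic to enter a policy-based IPsec
tunnel on Linux: route lookup (which fixes the source address), the XFRM
policy's traffic selectors, and the netfilter rules.

Added example. Addresses in ROUTES come from the thread; PRIMARY_IP,
POLICIES and FILTER are assumptions. The three checks are applied as
independent conditions; this does not reproduce the exact netfilter hook
ordering of the real output path.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(s: str) -> IPv4Net:
    return ipaddress.IPv4Network(s, strict=False)


@dataclass
class Route:
    dst: IPv4Net
    gateway: Optional[str]
    dev: str
    src: Optional[str] = None  # the "src" hint in "10.76.48.240 via 192.168.2.1 src 192.168.2.221"


@dataclass
class XfrmPolicy:
    local: IPv4Net   # negotiated local selector (leftsubnet / local ts)
    remote: IPv4Net  # negotiated remote selector (rightsubnet / remote ts)


@dataclass
class FilterRule:
    src: IPv4Net
    dst: IPv4Net
    target: str  # "ACCEPT" or "DROP"


# Constructed from the `route -n` output in the question.
ROUTES: List[Route] = [
    Route(net("0.0.0.0/0"), "192.168.2.1", "enp5s0"),
    Route(net("10.76.48.240/32"), "192.168.2.1", "enp5s0", src="192.168.2.221"),
    Route(net("192.168.2.0/24"), None, "enp5s0"),
]
# Assumed primary address of enp5s0; the thread does not give it.
PRIMARY_IP = "192.168.2.10"
# Assumed negotiated selectors: the /32 alias on our side, the vendor host on theirs.
POLICIES: List[XfrmPolicy] = [XfrmPolicy(net("192.168.2.221/32"), net("10.76.48.240/32"))]
# Assumed filter rules: allow the alias to the vendor host, everything else hits the DROP policy.
FILTER: List[FilterRule] = [FilterRule(net("192.168.2.221/32"), net("10.76.48.240/32"), "ACCEPT")]


def lookup_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel FIB selects a route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if ip in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def source_for(route: Route, primary_ip: str) -> str:
    """Without a src hint the kernel uses the interface's primary address, not an alias."""
    return route.src or primary_ip


def matching_policy(policies: List[XfrmPolicy], src: str, dst: str) -> Optional[XfrmPolicy]:
    """XFRM policy lookup: both ends of the flow must fall inside one policy's selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.local and d in p.remote:
            return p
    return None


def filter_verdict(rules: List[FilterRule], src: str, dst: str, chain_policy: str = "DROP") -> str:
    """First matching rule wins, otherwise the chain policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.target
    return chain_policy


def check_path(dst: str, table=ROUTES, policies=POLICIES, rules=FILTER,
               primary_ip=PRIMARY_IP) -> Tuple[bool, str]:
    """Return (ok, detail) for a locally generated packet to dst."""
    route = lookup_route(table, dst)
    if route is None:
        return False, f"no route to {dst}"
    src = source_for(route, primary_ip)
    pol = matching_policy(policies, src, dst)
    if pol is None:
        return False, f"{src}->{dst} matches no IPsec policy: would leave in the clear"
    verdict = filter_verdict(rules, src, dst)
    if verdict != "ACCEPT":
        return False, f"{src}->{dst} dropped by filter ({verdict})"
    return True, f"{src}->{dst} via {route.dev}, selector {pol.local} <-> {pol.remote}"


if __name__ == "__main__":
    print(check_path("10.76.48.240"))
    # Same destination with the host route removed: default route, primary source address.
    print(check_path("10.76.48.240", table=[ROUTES[0], ROUTES[2]]))
    # Correct route and policy but no ACCEPT rule in the filter.
    print(check_path("10.76.48.240", rules=[]))
```

On a real CentOS 7 host the equivalent checks are `ip route get 10.76.48.240` (shows the source address the kernel will pick), `ip xfrm policy` (shows the installed selectors) and `iptables -S` (shows the filter rules); the host route with the `src` hint is what makes the first of these return the alias address rather than the primary one.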