# Static Route through IPSec/Racoon?

## Moreaulf

Hi!

I have a Gentoo Server running the Racoon Service communicating via IPSec to another host.

On the remote side there is a network that I should be able to communicate with through the VPN tunnel. So, I guess I have to make a route to this network through the remote server as the gateway. I'm not sure the correct way is to add a static route but it seems logical to do it this way. There might be a "better" way using the ipsec.conf but I haven't been able to master that information...

I tried to set up a static route but for some reason I'm getting this as a result on everything other than my own SUBNET as Gateway:

```
root ~ $ route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.1.50
SIOCADDRT: No such process
root ~ $
```

(this example is taken from the HOWTO add a static route on gentoo-wiki - it doesn't matter what I have as the net or gw setting if the gw setting is not in the server's subnet). SIOCADDRT says there is a problem with the ADD RouTe but nothing more. Haven't found a solution for that either.

Does someone here know if a static route is the way to go or if I should be using some configuration settings in IPSec.conf, and in this case what they should be like?

Here's my setup:

/etc/conf.d/racoon

```
RACOON_OPTS="-4 -l /var/log/racoon.log"
RACOON_CONF="/etc/racoon/racoon.conf"
RACOON_PSK_FILE="/etc/racoon/psk.txt"
SETKEY_CONF="/etc/ipsec.conf"
RACOON_RESET_TABLES="true"
```

/etc/ipsec.conf

```
#!/usr/sbin/setkey -f
flush;
spdflush;

add HOST1 HOST2 ah 0x200 -A hmac-md5
        0x88dfd37ce0d4b0641f3c14fa9197301c;
add HOST2 HOST1 ah 0x300 -A hmac-md5
        0x91bc25a6e4c1e8e592bd9d2cbd09ff0b;
add HOST1 HOST2 esp 0x201 -E rijndael-cbc
        0x61272157401bf304177fa8ac0c38de4095992d06c0499cf7;
add HOST2 HOST1 esp 0x301 -E rijndael-cbc
        0x49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf;

spdadd HOST1 HOST2 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd HOST2 HOST1 any -P in ipsec
       esp/transport//require
       ah/transport//require;
```

/etc/racoon/racoon.conf

```
path pre_shared_key "/etc/racoon/psk.txt";
log debug2;

listen {
        isakmp HOST1;
        strict_address;
}

remote anonymous {
        exchange_mode main;
        my_identifier address HOST1;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                lifetime time 1 hour;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 1 hour;
}
```

Many thanks in advance!

/Thomas

----------

## Moreaulf

I'm not sure if it's allowed to bump a thread here at gentoo forums, so excuse me if it's not.

I haven't found a solution for this problem I have. Does anybody know how to set up a route through an IPSec connection?

Thank you for reading!

/Thomas

----------

## linuxtuxhellsinki

I thought that netmask should be /32 with VPNs, so something like...

```
route add -net 212.183.125.248 netmask 255.255.255.255 dev ipsec0 gw 212.183.125.248
```

Just my 2 cents?

And there was some old info at http://www.cs.helsinki.fi/u/mikkila/docs/linux-avaya-vsu.html

----------

## Moreaulf

I'm getting this error almost no matter which route add command I try:

```
SIOCADDRT: No such device
```

No idea why :(

----------

## think4urs11

Try using the device your VPN connection uses as next hop, like

```
route add -net 10.0.0.0 netmask 255.255.255.0 dev eth1
```

----------

## Moreaulf

This command works all right:

```
route add -net 10.0.0.0 netmask 255.255.255.0 dev eth0
```

This is the table I have now, maybe I need "closer" routes to set up a route like the one I need?

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
[PUBLIC IP]     *               255.255.255.128 U     0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         rtr-sharedcolo. 0.0.0.0         UG    0      0        0 eth0
```

I still cannot make this command work:

```
root ~ $ route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.1.50
SIOCADDRT: No such process
root ~ $
```

What I really want is to set up a route through the VPN which is tunneled to a public IP. Through this IP I should be able to reach another server.

Thanks!

/Thomas

----------
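An added example, not from any poster in this thread, that reproduces the check behind "SIOCADDRT: No such process": a gateway given to `route add ... gw` must be reachable through a directly connected (non-G) route, which is why 192.168.1.50 fails against the table posted above while an address inside the server's own subnet succeeds. The routing table is a constructed transcription of that post with the public /25 replaced by the documentation prefix 203.0.113.0/25 and names replaced by numeric addresses, as `route -n` prints them.

```python
import ipaddress

# Constructed sample transcribed from the `route` output in the thread, in
# `route -n` form: "[PUBLIC IP]" replaced by the documentation prefix
# 203.0.113.0/25 and the resolved names replaced by numeric addresses.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.0     0.0.0.0         255.255.255.128 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
"""

def parse_routes(text):
    """Return (network, gateway, flags, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":  # skip banner and header
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[3], f[7]))
    return routes

def onlink_iface(routes, gateway):
    """Interface on which `gateway` is directly reachable, or None.

    Only routes without the G flag qualify: the kernel resolves a next hop
    only through a directly connected route, so an address covered solely
    by the default route still yields "No such process" (ESRCH).
    """
    addr = ipaddress.ip_address(gateway)
    best = None
    for net, _gw, flags, iface in routes:
        if "G" in flags or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:  # longest match
            best = (net, iface)
    return best[1] if best else None

def explain_route_add(routes, dest_cidr, gateway):
    """Predict the outcome of `route add -net DEST gw GATEWAY` on this table."""
    iface = onlink_iface(routes, gateway)
    if iface is None:
        return f"SIOCADDRT: No such process (gateway {gateway} is not on-link)"
    return f"ok: {dest_cidr} via {gateway} dev {iface}"
```

Running `explain_route_add(parse_routes(ROUTE_TABLE), "10.0.0.0/24", "192.168.1.50")` reproduces the failure from the thread; the same call with a gateway inside 203.0.113.0/25 or 10.0.0.0/24 (both connected on eth0) succeeds.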

