route and IPSec
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: route and IPSec
- From: Anton Maksimenkov <engineer_(_at_)_hlebprom_(_dot_)_ru>
- Date: Mon, 11 Oct 2004 14:20:16 +0600
- Reply-to: engineer_(_at_)_hlebprom_(_dot_)_ru
Hi.
Some time ago I made IPSec (isakmpd) work. The network grew and now I have a
"star" topology. There is a "central" network (172.16.7.0/24) and "remote"
networks (172.16.9.0/24, 172.16.10.0/24 and some others), each connected to the "central"
network by IPSec tunnels through the Internet.
So I have this state: from 172.16.7.x all "others" can be reached
(172.16.9.x, 172.16.10.x...), and from any "other" 172.16.7.x can be
reached. I add routes:
on 7# route add -net 172.16.9.0/24 172.16.7.1
on 7# route add -net 172.16.10.0/24 172.16.7.1
on 9# route add -net 172.16.7.0/24 172.16.9.1
on 10# route add -net 172.16.7.0/24 172.16.10.1
and it is also possible to communicate from gate to gate (on which the isakmpd's run).
But now some improvements are required. I need to communicate between
"others", i.e. from 172.16.10.x 172.16.9.x must be reachable, and so on.
First I thought that it must work through the "central" gate (172.16.7.1 in the local net).
When I try to add a route like this:
on 10# route add -net 172.16.9.0/24 172.16.7.1
writing to routing socket: No such process
add net 172.16.9.0: gateway 172.16.7.1: not in table
it does not work. Can anyone explain to me what's wrong?
I read the example /usr/share/ipsec/isakmpd/VPN-3way-template.conf, and made a pair
of "others" communicate with it. But this way is not so pretty when there are
10 gateways and, after adding 1 more, isakmpd.conf needs to be updated on 10
machines... With care...
I think that if something like this (currently does not work...):
on 10# route add -net 172.16.0.0/16 172.16.7.1
writing to routing socket: No such process
add net 172.16.0.0: gateway 172.16.7.1: not in table
will work on all "others", I can forget about the "others" and put my attention on
"central" only.
Any ideas?
--
engineer
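Added example (not part of the post above): a pre-flight check for the `route add` commands quoted in the post. A static route's next hop has to sit on a network directly attached to the host where `route add` runs; a gateway that is itself only reachable through another route is refused by the kernel, which is consistent with the "gateway ...: not in table" errors shown. The host address 172.16.10.5/24 is a constructed assumption standing in for a machine on the "remote" 172.16.10.0/24 network.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Check whether a proposed next hop is on a directly attached subnet
# before handing the route to the routing socket.

# ip2int 172.16.7.1 -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# mask 24 -> 0xffffff00 as an integer
mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# onlink GATEWAY IFADDR/PREFIX -> exit 0 if GATEWAY lies in the attached subnet
onlink() {
    gw=$(ip2int "$1")
    ifaddr=$(ip2int "${2%/*}")
    m=$(mask "${2#*/}")
    [ $(( gw & m )) -eq $(( ifaddr & m )) ]
}

# check_route NET/PREFIX GATEWAY IFADDR/PREFIX -> "ok" or "reject" line
check_route() {
    if onlink "$2" "$3"; then
        echo "ok: route add -net $1 $2"
    else
        echo "reject: $2 is not on an attached network of $3 (expect 'not in table')"
    fi
}

# Constructed host 172.16.10.5/24 on the post's "remote" network.
# Its LAN gateway 172.16.10.1 is on-link; the "central" gateway 172.16.7.1
# is not, so the route the post tried is flagged before it is attempted.
check_route 172.16.7.0/24 172.16.10.1 172.16.10.5/24
check_route 172.16.9.0/24 172.16.7.1 172.16.10.5/24
```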