Descobri isso. Tive que mudar meu ipsec-tools.conf para isso:
flush;
spdflush;
# Generic routing
spdadd 10.4.0.0/16 10.3.0.0/25 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 10.3.0.0/25 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
# Tunnel 1
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
# Tunnel 2
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 10.4.0.0/16 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
E mude o meu racoon.conf para isto:
path pre_shared_key "/etc/racoon/psk.txt";
remote 205.251.233.122 {
exchange_mode main;
lifetime time 28800 seconds;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
generate_policy off;
}
remote 205.251.233.121 {
exchange_mode main;
lifetime time 28800 seconds;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
generate_policy off;
}
sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.3.0.0/25 any address 10.4.0.0/16 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
No entanto, esta configuração, como eu entendo, somente direcionará o tráfego entre 10.3.0.0/25 e 10.4.0.0/16 através do primeiro túnel (via x.x.x.121). Vou atualizar a resposta quando descobrir isso.