[Openswan Users] Routing differences between 2.4/ 2.6 kernel

Ole Morten olemotor at gmail.com
Wed May 4 11:14:31 CEST 2005


Hi,

This request has been posted on both OpenSWAN and OpenVPN support forums. The first one to solve this will be highly honoured on both locations. ;-)

I have a Linux gateway using kernel 2.4.25, running FreeSWAN 2.06 and OpenVPN 2.0. The gateway has one public IP on eth0 and one private IP on eth1, and builds three IPSEC tunnels to our corporate private network through the ipsec0 (eth0) interface. OpenVPN uses the tun0 interface for road warriors. The gateway is firewalled by iptables because it provides internet access for the private network on eth1 and for the OpenVPN road warriors. NAT is enabled for traffic to the internet and for traffic from the OpenVPN subnet, which is not known by any corporate router.

eth0      Public internet
eth1      10.200.1.0/24    private network
ipsec0    10.0.0.0/8       corporate network
ipsec0    10.200.2.0/24    corporate network
ipsec0    10.200.3.0/24    corporate network
tun0      10.200.100.0/24  OpenVPN network

I don't have to worry at all because at present this scenario works well, but personal curiosity and the desire to stay up to date with the latest developments have made me start experimenting with various versions of 2.6 kernels together with FreeSWAN, but also OpenSWAN 2.3.0/2.3.1. However, so far I have not had complete success running ipsec and OpenVPN simultaneously.

When testing I have disabled the firewall apart from NAT.
The ipsec0 interface is removed from all scripts when using 2.6 kernels.
All ip_forward flags in the kernel are set to 1.
With only OpenVPN running, road warriors can access the private network on eth1 as well as the internet on eth0. Starting the ipsec service will for some reason block road warriors from the private network and the corporate private network, but they can still reach the public internet.
Apart from the ipsec0 interface, the output from the commands route and ip route looks similar for the 2.4 and 2.6 kernels.

When ipsec is running with kernel 2.6, almost everything seems normal between the private and the corporate networks. I say almost because I have discovered a funny replication and mail routing problem between Lotus Domino servers; this will be the next problem to solve before trashing 2.4.

Can anyone give a clue or tell me the reason why routing does not work between OpenVPN clients and any of the private 10.x.x.x networks on kernel 2.6?

Many thanks in advance
brgds
Ole M.
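One check worth running against the topology in the post is whether traffic from the OpenVPN subnet to the corporate subnets falls inside any IPsec selector before and after the NAT the post mentions, since a selector written for the eth1 subnet only covers road-warrior traffic once it has been translated. The script below is an added example, not code from the post or from the Openswan project: the routes come from the interface table above, but the IPsec selectors (local side assumed to be the eth1 subnet) and the SNAT address (a placeholder eth1 address) are assumptions, because the post does not show the connection definitions or the NAT rule.

```python
import ipaddress

# Networks taken from the post's interface table; "ipsec" stands for the
# corporate destinations carried by the three tunnels.
ROUTES = [
    ("10.200.1.0/24", "eth1"),
    ("10.200.100.0/24", "tun0"),
    ("10.0.0.0/8", "ipsec"),
    ("10.200.2.0/24", "ipsec"),
    ("10.200.3.0/24", "ipsec"),
    ("0.0.0.0/0", "eth0"),
]

# ASSUMED IPsec selectors (local subnet, remote subnet): the post does not
# show the connection definitions, so the local side is taken to be eth1.
IPSEC_SELECTORS = [
    ("10.200.1.0/24", "10.0.0.0/8"),
    ("10.200.1.0/24", "10.200.2.0/24"),
    ("10.200.1.0/24", "10.200.3.0/24"),
]

# ASSUMED SNAT for the OpenVPN subnet; the translated address is a placeholder.
SNAT_SOURCE = "10.200.100.0/24"
SNAT_TO = "10.200.1.1"


def route_lookup(dst):
    """Longest-prefix match over ROUTES, the way the kernel FIB chooses a route."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1]


def ipsec_selector_match(src, dst):
    """True if some selector covers the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in IPSEC_SELECTORS)


def apply_snat(src):
    """Source address after the assumed SNAT rule for the OpenVPN subnet."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(SNAT_SOURCE):
        return SNAT_TO
    return src


def analyse(src, dst):
    """Return (route interface, selector match before SNAT, selector match after SNAT)."""
    return (route_lookup(dst),
            ipsec_selector_match(src, dst),
            ipsec_selector_match(apply_snat(src), dst))


if __name__ == "__main__":
    # Constructed sample flows: a road warrior and an eth1 host to the corporate net.
    for flow in [("10.200.100.7", "10.0.5.5"), ("10.200.1.20", "10.0.5.5")]:
        print(flow, "->", analyse(*flow))
```

The interesting output is the pair of booleans for the road-warrior flow: the selector only matches after translation. On the 2.6 box the real selectors can be listed with `ip xfrm policy`, and comparing them against the pre-NAT and post-NAT source of an OpenVPN client narrows down whether the traffic is being dropped for lack of a matching policy or for a plain routing reason.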