[Openswan Users] Should be a simple routing question

Greg Scott GregScott at InfraSupportEtc.com
Tue Aug 22 10:03:13 EDT 2006


Hello - 
 
I am scratching my head on this one.  I have two sites, siteA and siteB.
This will grow but for now it's two sites.  
 
Site A is 10.13.1.0/24.  Site A is the right side.
Site B is 10.15.1.0/24.  Site B is left.  

Site A also has other subnets behind it, so I set up the tunnel like
this:

Left 10.15.1.0/24 <------> Right 10.0.0.0/8.
     Site B                      Site A

The tunnel works great - both sides see each other just fine, thanks to
lots of help from people in this list.  

Here's the issue.  When I traceroute from the siteB router at 10.15.1.1
to anything else in SiteB, it tries to route via SiteA!  Very strange
indeed!

Well, it kind of makes sense because my tunnel definition evidently told
it to behave this way.  I was wondering if there is a way to make the
local route happen before the tunnel route?

Here are the routes from 10.15.1.1 as they are right now.  

[root at roseville-fw gregs]# /sbin/ip route show
71.216.115.32/29 dev eth0  proto kernel  scope link  src xx.xx.xx.33 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2 
10.10.10.0/24 dev eth2  proto kernel  scope link  src 10.10.10.187 
10.15.1.0/24 dev eth1  proto kernel  scope link  src 10.15.1.1 
169.254.0.0/16 dev eth2  scope link 
10.0.0.0/8 dev eth0  scope link  src 10.15.1.1 
default via xx.xx.xx.38 dev eth0 
[root at roseville-fw gregs]# 

Aren't the more specific routes supposed to work before the more general
routes?  But the behavior I see is that the IPSEC route happens even
before local routes. 

I have a couple of workarounds.  

1 - I can set up tunnels specific to all subnets and forget about
10.0.0.0/8.
2 - I could mark local packets with iptables and route them through
another routing table.

But maybe there is something easier I am missing?

I am using fc5 with kernel 2.6.17.1 with Netkey and Openswan 2.4.4.

My conn definition from site B looks like this:

conn Roseville-Everywhere
        # Identical to Roseville-Lakeville except for the rightsubnet.
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=Roseville
        leftsubnet=10.15.1.0/24
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=Lakeville
        rightsubnet=10.0.0.0/8
        auto=start

include /etc/ipsec.d/sites.conf

Here is what sites.conf looks like:

conn Roseville
        left=xx.xx.xx.33
        leftnexthop=xx.xx.xx.38
        leftsourceip=10.15.1.1
        leftid=@roseville.local
        # RSA 2192 bits   roseville-fw   Thu Jul 20 18:47:26 2006
        leftrsasigkey=0sAQ...

conn Lakeville
        right=yy.yy.yy.154
        rightnexthop=yy.yy.yy.153
        rightsourceip=10.13.1.1
        rightid=@lakeville.local
        # RSA 2192 bits   lakeville-fw   Wed Jul 19 21:09:32 2006
        rightrsasigkey=0sAQNb...
        #

Thanks

- Greg Scott
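An added example, not from the original thread, illustrating the first workaround above: with NETKEY the leftsubnet<->rightsubnet selector is consulted independently of the kernel routing table, and because 10.15.1.0/24 sits inside 10.0.0.0/8 that selector also covers traffic from the router to its own LAN. The script below checks which src/dst pairs the current selector catches and computes the specific rightsubnet blocks (10.0.0.0/8 minus 10.15.1.0/24) for per-subnet conns; the generated conn names are assumptions.

```python
import ipaddress

# Selectors as configured in conn Roseville-Everywhere on roseville-fw.
LEFTSUBNET = ipaddress.ip_network("10.15.1.0/24")   # Site B LAN
RIGHTSUBNET = ipaddress.ip_network("10.0.0.0/8")    # everything behind Site A


def selector_matches(src, dst, left=LEFTSUBNET, right=RIGHTSUBNET):
    """Return True if an outbound packet src->dst is covered by the
    left<->right tunnel selector.  The IPsec policy is matched after the
    route lookup, so a match means the packet is encapsulated even though
    a more specific kernel route (10.15.1.0/24 dev eth1) exists."""
    return ipaddress.ip_address(src) in left and ipaddress.ip_address(dst) in right


def split_rightsubnet(right=RIGHTSUBNET, local=LEFTSUBNET):
    """Workaround 1: carve the local LAN out of the wide rightsubnet and
    return the minimal list of CIDR blocks covering right minus local."""
    return sorted(right.address_exclude(local))


def render_conns(blocks, prefix="Roseville-Everywhere"):
    """Emit one conn per block in the style of the original conn.
    Conn names are hypothetical; the also= sections are the ones from the
    original ipsec.conf."""
    out = []
    for i, net in enumerate(blocks):
        out.append(
            f"conn {prefix}-{i}\n"
            f"        type=tunnel\n"
            f"        also=Roseville\n"
            f"        leftsubnet={LEFTSUBNET}\n"
            f"        also=Lakeville\n"
            f"        rightsubnet={net}\n"
            f"        auto=start\n"
        )
    return "\n".join(out)


if __name__ == "__main__":
    # Router talking to its own LAN: caught by the current wide selector.
    print(selector_matches("10.15.1.1", "10.15.1.50"))   # True
    blocks = split_rightsubnet()
    # After the split no block contains the local LAN, so that traffic stays local.
    print(any(selector_matches("10.15.1.1", "10.15.1.50", right=b) for b in blocks))  # False
    print(render_conns(blocks))
```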
