Paul,<br><br>Thanks for your answer.<br><br>I do use klips and not netkey for the Openswan box:<br># ipsec --version<br>Linux Openswan 2.6.18 (klips)<br>See `ipsec --copyright' for copyright information.<br># ipsec auto --status<br>
000 using kernel interface: klips<br>000 interface ipsec0/eth1 192.168.1.50<br>...<br><br>Also,
in my example, all the protected networks are in different subnets that
are not sub-nets of each other. I just chose 172.16.x.x addresses to
make the setup more bearable.<br>
<br>Since the hub has <a href="http://172.16.50.0/24" target="_blank">172.16.50.0/24</a>, spoke1 has <a href="http://172.16.40.0/24" target="_blank">172.16.40.0/24</a>, and spoke2 has <a href="http://172.16.20.0/24" target="_blank">172.16.20.0/24</a>, I don't think it is a problem with longest prefix. I could have used <a href="http://10.10.10.0/24" target="_blank">10.10.10.0/24</a> for the hub, <a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a> for spoke1 and <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> for spoke2 and have the same problem.<br>
<br>Thanks / Mattias<br><br><br><div class="gmail_quote">On Tue, Feb 10, 2009 at 9:05 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Tue, 10 Feb 2009, Mattias Mattsson wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to Openswan 2.6.18 (klips).<br>
<br>
The setup is a hub and spoke VPN where two spoke sites (B and C) are connecting into the hub site (A).<br>
The protected subnets are all different (i.e. this is not an 'extruded subnet' setup) and eroutes are<br>
used to route from B to C and vice versa.<br>
</blockquote>
<br>
</div><div class="Ih2E3d"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
This works fine when using Freeswan, but when using Openswan for the hub, the Hub does not even accept<br>
the incoming traffic from the spoke, i.e. if I do a tcpdump on ipsec0 I do not see the incoming traffic.<br>
</blockquote>
<br></div>
this is a KLIPS vs NETKEY issue. You are likely using netkey. You can either<br>
switch to KLIPS, or you can add "conn passthrough" connections that excempt<br>
the local subnet from the hub-spoke tunnel.<br>
<br>
KLIPS does longest prefix matching, so <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> overrides <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>.<br>
NETKEY does not do that, so a <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> <-> <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> tunnel causes ALL<br>
traffic, including <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> to be send over the tunnel, unless excempted<br>
by a passthrough conn.<br>
<br>
You should be able to find passthrough examples in /etc/ipsec.d/examples/ or<br>
in the mailing list archives.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>