<div dir="ltr"><div><font face="courier new, monospace"><div><div>Hello, I have a working tunnel with IPsec using netkey when I have only one WAN. The thing is, I wanna to setup a split access (using policy based routing) in a single gateway so I ca have 3 WAN interfaces.</div><div><br></div><div>I will describe my setup. I have the <a href="http://192.168.50.0/24">192.168.50.0/24</a> network connecting to the remote network <a href="http://192.168.201.0/24">192.168.201.0/24</a>, as gateway I am using 0.0.0.0 in the eth2 interface and for my internal network 192.168.50.5 in the eth0 interface. The remote gateway is 1.1.1.1. Bellow is the interesting part from both ip addr list and the ipsec.conf:</div><div><br></div></div></font></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="courier new, monospace"><div><div>[root@moses ~]# ip addr list<br></div><div>...</div><div>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast </div></div></font></div><div><font face="courier new, monospace"><div><div> inet <a href="http://192.168.50.5/24">192.168.50.5/24</a> brd 192.168.50.255 scope global eth0</div></div><div>...</div></font></div><div><font face="courier new, monospace"><div><div>4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast </div></div></font></div><div><font face="courier new, monospace"><div><div> inet <a href="http://0.0.0.0/25">0.0.0.0/25</a> brd 0.0.0.255 scope global eth2</div></div><div>...</div></font></div></blockquote><div><font face="courier new, monospace"><div><br></div></font></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="courier new, monospace"><div>[root@moses ~]# cat /etc/ipsec.d/vpn.conf<br></div><div>...</div><div>left = 0.0.0.0</div></font></div><div><font face="courier new, monospace"><div>leftsubnets = { <a href="http://192.168.50.0/24">192.168.50.0/24</a> }</div></font></div><div><font face="courier new, monospace"><div>right = 1.1.1.1</div></font></div><div><font face="courier new, monospace"><div>rightsubnets = { <a href="http://192.168.201.0/24">192.168.201.0/24</a> }</div><div>...</div></font></div></blockquote><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">For my policy based routing, I have a table called trinn which will route all traffic coming from 0.0.0.0, besides my local route. Here is the interesting part of ip route list, ip rule list and from my private routing table ip route list table trinn:</font></div><div><font face="courier new, monospace"><br></font></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="courier new, monospace">[root@moses ~]# ip route list</font></div><div><font face="courier new, monospace">...</font></div><div><font face="courier new, monospace"><a href="http://0.0.0.128/25">0.0.0.128/25</a> dev eth2 proto kernel scope link src 0.0.0.0 </font></div><div><font face="courier new, monospace"><a href="http://192.168.50.0/24">192.168.50.0/24</a> dev eth0 proto kernel scope link src 192.168.50.5 </font></div><div><font face="courier new, monospace">...</font></div></blockquote><div><font face="courier new, monospace"><br></font></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="courier new, monospace">[root@moses ~]# ip rule list</font></div><div><font face="courier new, monospace">0: from all lookup local </font></div><div><font face="courier new, monospace">...</font></div><div><font face="courier new, monospace">32762: from 0.0.0.0 lookup trinn </font></div><div><font face="courier new, monospace">...</font></div><div><font face="courier new, monospace">32766: from all lookup main </font></div><div><font face="courier new, monospace">32767: from all lookup default</font></div></blockquote><div><font face="courier new, monospace"><br></font></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="courier new, monospace">[root@moses ~]# ip route list table trinn</font></div><div><font face="courier new, monospace"><a href="http://0.0.0.128/25">0.0.0.128/25</a> dev eth2 scope link src 0.0.0.0</font></div><div><font face="courier new, monospace"><a href="http://192.168.50.0/24">192.168.50.0/24</a> dev eth0 scope link src 192.168.50.5 </font></div><div><font face="courier new, monospace">default via 0.0.0.129 dev eth2 </font></div></blockquote><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">When I try to ping the remote host 192.168.201.173 the ICMP package gets correctly routed, coming from eth0, the it is encrypted and sent though eth2. Then I receive an encrypted package from the remote host 1.1.1.1 which is decrypted and should be routed though eth0, but is instead sent though eth2, so it can not reach its destination who is only accessible though eth0. Bellow tcpdump of the situation I just described is shown.</font></div><div><font face="courier new, monospace"><br></font></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="courier new, monospace">[root@moses ~]# tcpdump -i eth0 host 1.1.1.1 or host 192.168.50.131</font></div><div><div><font face="courier new, monospace">20:38:23.957066 IP 192.168.50.131 > <a href="http://192.168.201.173">192.168.201.173</a>: ICMP echo request, id 27920, seq 1, length 64</font></div></div><div><div><font face="courier new, monospace"><br></font></div></div><div><div><font face="courier new, monospace">[root@moses ~]# tcpdump -i eth2 host 1.1.1.1 or host 192.168.50.131</font></div></div><div><div><font face="courier new, monospace">20:38:23.957122 IP 0.0.0.0 > <a href="http://1.1.1.1">1.1.1.1</a>: ESP(spi=0x0c519031,seq=0x9), length 116</font></div></div><div><div><font face="courier new, monospace">20:38:23.987502 IP 1.1.1.1 > <a href="http://0.0.0.0">0.0.0.0</a>: ESP(spi=0x241bd80a,seq=0xc), length 116</font></div></div><div><div><font face="courier new, monospace">20:38:23.987502 IP 192.168.201.173 > <a href="http://192.168.50.131">192.168.50.131</a>: ICMP echo reply, id 27920, seq 1, length 64</font></div></div></blockquote><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">I did some research and found a old post which could be a similar problem, but it is not resolved (<a href="https://lists.openswan.org/pipermail/users/2010-March/018548.html">https://lists.openswan.org/pipermail/users/2010-March/018548.html</a>) I prefer to try to resolve the issue using netkey since it is supported by CentOS 6.5. Can you help me?</font></div><div><div dir="ltr"><font face="courier new, monospace"><br>--<br>Pedro Batista</font><br></div></div>
</div>