[Openswan dev] Openswan 2.4.0 virtual_private problems

Tuomo Soini tis at foobar.fi
Thu Sep 22 14:35:07 CEST 2005



Dmitriy wrote:
> I am sorry.
> Really the IPSEC connection is established between the openswan server and
> the EXTERNAL ip of the NAT router,
> so the internal ip of the nated client has no meaning.
> (I had no access to the openswan log when I posted the previous message - I was on
> the test client machine...)
> 
> However, if somebody connects not to the external interface of the openswan
> server, openswan will create a wrong route on this internal interface to
> somebody's ip.

This is really a bug in openswan. I don't know how easy it is to fix, but
currently openswan feeds _updown the interface for the ip which is connected. So
if you are connecting from inside of the firewall, _updown is told to add the
route on the _external_ interface. With NETKEY pluto should tell _updown
which interface ipsec is communicated over.

With KLIPS you can only connect from outside if you have an ipsecN
interface set up on the outside interface. But with netkey you can initiate
an ipsec SA from anywhere, even from inside of the firewall to the external ip of
the firewall.

The correct fix would be to make pluto check on which interface it's
communicating and feed that interface as $PLUTO_INTERFACE to the _updown
script. With that change it would be possible to use ipsec with the same
config both from outside and inside of the firewall/ipsec-gw with NETKEY.

--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
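Until pluto passes the right interface, the _updown script itself can ask the kernel which interface actually reaches the peer. The following is an added example written for this thread, not Openswan's own _updown; it assumes the PLUTO_PEER, PLUTO_PEER_CLIENT, PLUTO_NEXT_HOP, PLUTO_INTERFACE and PLUTO_VERB variables pluto exports to _updown, and the helper names are ours.

```shell
#!/bin/sh
# Choose the route device from the kernel's answer for the peer address
# instead of trusting $PLUTO_INTERFACE, which pluto fills with the interface
# that holds the *local* address (wrong when the peer sits inside the firewall).

# Pull one keyword's value (dev, via, src) out of a line of `ip route get` output.
# $1: the route line, $2: keyword to look for
route_field() {
    printf '%s\n' "$1" |
        awk -v f="$2" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# Same, but fall back to $3 when the keyword is absent (e.g. no "via" for an
# on-link peer, or an empty line because `ip route get` failed).
field_or_default() {
    v=$(route_field "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Ask the live routing table how the host reaches the peer (empty on failure).
route_line_for_peer() {
    ip route get "$1" 2>/dev/null | head -n 1
}

# Constructed sample lines, shaped like `ip route get` prints them on Linux:
# a peer on the inside LAN (no "via") and a peer across the Internet.
SAMPLE_INSIDE='10.0.0.77 dev eth1 src 10.0.0.1 uid 0'
SAMPLE_OUTSIDE='203.0.113.9 via 198.51.100.1 dev eth0 src 198.51.100.2 uid 0'

if [ -n "${PLUTO_VERB:-}" ]; then
    # Sourced from _updown: resolve the real egress device and next hop.
    line=$(route_line_for_peer "$PLUTO_PEER")
    dev=$(field_or_default "$line" dev "$PLUTO_INTERFACE")
    via=$(field_or_default "$line" via "$PLUTO_NEXT_HOP")
    case "$PLUTO_VERB" in
        up-client)   ip route add "$PLUTO_PEER_CLIENT" via "$via" dev "$dev" ;;
        down-client) ip route del "$PLUTO_PEER_CLIENT" via "$via" dev "$dev" ;;
    esac
else
    # Run directly: show what the two sample peers would resolve to.
    echo "inside peer  -> dev $(field_or_default "$SAMPLE_INSIDE" dev eth0)"
    echo "outside peer -> dev $(field_or_default "$SAMPLE_OUTSIDE" dev eth0)"
fi
```

With pluto's value kept only as a fallback, the same conf section works for peers on either side of the gateway.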

