[Openswan dev] openswan connections with %defaultroute with later upcoming network

Paul Wouters paul at xelerance.com
Tue Jul 6 12:43:38 EDT 2010

On Tue, 6 Jul 2010, Avesh Agarwal wrote:

> Thanks for your response. The reason for using "ipsec.info" is to make pluto 
> do everything instead asking users to enter defaultroute and ip address info.

Then we should probably make a new "helper" or go straight into pluto learning
about new IP/defaultroute. The ipsec.info is for scripts and is on our todo list
to kill - adding a dependancy in pluto for that is not something we want to do.

> As I said that asking users to enter defaultroute and ip address does not 
> seem user friendly. And it should work without NM too.

I agree, we should have some helper figure that out for the user. I thought
it might just be easy to do from within NM.

> This issue is not just about KH_DEFAULTROUTE, it happens with KH_IPHOSTNAME 
> (this leads to unresolved ip address) too. Following are the scenarios it can 
> happen:
> 1.  left=%defaultroute
>     right=
> 2. left=%defaultroute
>    right=xxx.yyy.com
> 3. left=
>    right=xxx.yyy.com
> So not only with case 1, it should solve cases 2 and 3 too. When network is 
> not up at boot time, and considering cases 2 and 3, the connection will have 
> unresolved ip addresses ("right" ip addresses). These addresses should be 
> resolved after network is up, otherwise connections can not be initiated.

Are you compiling with USE_DYNAMICDNS=true ? If should fix those issues AFAIK.
If not, we can fix those, but it seems quite a different fix from the one where
we determine %defaultroute.

> will also require setting some parameters of the connections again like it is 
> done by "default_end" API. If pluto can do all these things by itself without 
> user interventions whenever connection is initiated, that would be better.

Yes. pluto without ipsec.info i hope :)

> With NETKEY, when there is need to add source ip address (obtained from 
> remote server), its netmask is set to 32 by default. However, due to some 
> issues with iptables masquerading,  this netmask should be set to the netmask 
> of the remote subnet (rightsubnet). Otherwise, traffic from nodes behind the 
> local ipsec end can not be routed inside VPN. I checked that KLIPS also does 
> this in its updown script but it seems little bit wrong right now.

Tuomo will shortly have a patch for you to see if that fixes your masquerading issue.


More information about the Dev mailing list