[Openswan Users] RE: [Users] IPSEC through multiple internet connections

[Lewis Shobbrook]

Hi Bart
> 
> I have  a box using two internet connections ( ADSL and CABLE 
> ; each a 
> fixed IP )
> I defined some iproute2 stuff to do split routing on both 
> interfaces, it 
> works , reply are sent on the interface the request came in.
> 
> Now I've setup my freeswan (superfreeswan 1.99-8) to both internet 
> connections using a line like this:
>     interfaces="ipsec0=ppp0 ipsec1=eth1"
> 
> I define my tunnels each with the correct left/right IP and 
> left/right 
> nexthop from each corresponding interface.
> 
> The tunnels are established successfully, all UDP 500 traffic 
> is routed 
> correctly through the right interface.
> 
> But the problem is the ESP traffic: tunnels using the 
> 'default gateway 
> device' ppp0 work as they should
> ESP packets for the tunnels through eth1 device leave with 
> the correct 
> IP (that of eth1) but leave on the wrong  interface (ppp0).

It's also possible that this might be happening for other protocols.  I
found somehting similar occurring for an IP alias used for a virtual ftp
site.

> I thought that KLIPS bypasses the kernel routing for it's ESP packets 
> and does the routing directly (isn't that way xxxnexthop  
> exists in the 
> first place) ?
> 
> Can anybody gve me some pointers where to look , how to fix , 
> what to do ?

This should work, seems like a bit of a hack I know, but you might try
to use the iptables fwmark against ESP on the prerotuing chain.
Something like...

iptables -t nat -A PREROUTING -t mangle -p esp -s $ip_of_ppp0 ! -d
$internal_net -j MARK --set-mark 1
You'd also need to set up your iproute2 against the fwmark


ip rule add fwmark 1 table ipsec0.out
ip route add default via $ip_of_ppp0 dev ppp0 table ipsec0.out

Be sure that your iptables has the appropraite NF modules loaded ...
CONFIG_IP_NF_MATCH_AH_ESP, CONFIG_IP_NF_MATCH_MARK etc...

Cheers,

Lewis Shobbrook

Cheers,

Lewis