[Openswan Users] Tunnels come up, but not all traffic goes through

Trevor Benson tbenson at a-1networks.com
Fri Jun 11 21:31:34 CEST 2004


> -----Original Message-----
> From: users-bounces at lists.openswan.org [mailto:users-
> bounces at lists.openswan.org] On Behalf Of Jacco de Leeuw
> Sent: Friday, June 11, 2004 3:28 PM
> To: users at lists.openswan.org
> Subject: Re: [Openswan Users] Tunnels come up, but not all traffic goes through
> 
> Nate Carlson wrote:
> > Just for the sake of reference, how would you, for example, tag all data
> > that is coming in via IPSec and going out to your internal network (eth1)?
> > With klips, it's easy: iptables -I FORWARD -i ipsec0 -o eth1 <...>
> 
> There is a similar problem with L2TP-over-IPsec. I prefer not having
> the L2TP daemon listen on the external interface. Should IPsec or the
> firewall be down for some reason, then the L2TP server would be exposed.
> 
> For this reason I use the 'listen-addr' parameter so that l2tpd
> only listens on an internal interface (say, 192.168.1.98). Then I
> set up a NAT rule like this:
> 
> iptables -t nat --append PREROUTING -i ipsec0 -p udp --sport 1701 \
>   --dport 1701 -j DNAT --to-destination 192.168.1.98
> 
> Only L2TP packets coming through the IPsec tunnel will arrive at
> the L2TP daemon. But this won't work with 26sec, because there is no
> ipsec0. I tried the following but this did not work (icmp udp port 1701
> unreachable):
> 
> iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
> iptables -t nat -A PREROUTING -m mark --mark 1 -i eth0 -p udp \
>    --sport 1701 --dport 1701 -j DNAT --to-destination 192.168.1.98
> 
> The situation might be even more difficult with NAT-Traversal (additional
> encapsulation in UDP 4500). Does anyone know a solution to this problem?
> Herbert perhaps?
> 
> Thanks,
>    Jacco

This is exactly what I was afraid of.  I am using quite a few L2TP
tunnels, and the iptables -a PREROUTING -I ipsec0.  So this type of
connection will be an issue in 26sec?  Does the Fun with iproute2 and
Freeswan document apply in the same way for creating aliased interfaces?
Or will this solution provided for the old 2.4 not work to create
another ipsec alias device?  Should I assume Jacco or someone already
tried this method and it failed?

Thanks,
Trevor
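A way to get the same restriction on a 2.6 NETKEY ("26sec") host, where no ipsec0 interface exists, added here as an example and not part of the thread: it assumes iptables built with the policy match (xt_policy, which postdates this 2004 thread), eth0 as the external interface and the 192.168.1.98 l2tpd listen address from Jacco's message.

```shell
#!/bin/sh
# Constructed example: only let L2TP (UDP 1701) reach l2tpd when the packet was
# decapsulated from an IPsec SA. "-m policy --dir in --pol ipsec" plays the role
# that "-i ipsec0" plays on a KLIPS host. Assumed values below are overridable.
EXT_IF="${EXT_IF:-eth0}"              # assumed external interface
L2TP_ADDR="${L2TP_ADDR:-192.168.1.98}" # l2tpd listen-addr from the thread
IPT="${IPT:-iptables}"                # set IPT=echo to preview without applying

# Rule 1: DNAT inbound L2TP to the internal listen address, but only for packets
# that arrived inside ESP (NAT-T on UDP 4500 still decapsulates to ESP, so the
# same match covers it).
l2tp_dnat_rule() {
    printf '%s\n' "-t nat -A PREROUTING -i $EXT_IF -m policy --dir in --pol ipsec --proto esp -p udp --sport 1701 --dport 1701 -j DNAT --to-destination $L2TP_ADDR"
}

# Rule 2: drop plaintext UDP 1701 that was NOT IPsec-protected, so the daemon
# stays unreachable from outside if IPsec is down (the exposure Jacco describes).
l2tp_plain_drop_rule() {
    printf '%s\n' "-A INPUT -i $EXT_IF -m policy --dir in --pol none -p udp --dport 1701 -j DROP"
}

apply_rules() {
    # Word-splitting of the rule strings is intentional here.
    # shellcheck disable=SC2046
    $IPT $(l2tp_dnat_rule) || return 1
    $IPT $(l2tp_plain_drop_rule) || return 1
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `IPT=echo sh script.sh apply` first to see the exact rules before loading them.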


