[Openswan Users] Tunnels come up, but not all traffic goes through

Herbert Xu herbert at gondor.apana.org.au
Sat Jun 12 21:47:22 CEST 2004


Jacco de Leeuw <jacco2 at dds.nl> wrote:
> 
> There is a similar problem with L2TP-over-IPsec. I prefer not having
> the L2TP daemon listen on the external interface. Should IPsec or the
> firewall be down for some reason, then the L2TP server would be exposed.

In the ideal world IPsec should be up ("routed" in pluto's terminology)
before any networking interface has been brought up.  This way IPsec
will never be down unless the kernel itself crashed.  If pluto crashed
then the policies set up by it will still be enforced by the kernel.

> For this reason I use the 'listen-addr' parameter so that l2tpd
> only listens on an internal interface (say, 192.168.1.98). Then I
> set up a NAT rule like this:
> 
> iptables -t nat --append PREROUTING -i ipsec0 -p udp --sport 1701 \
>  --dport 1701 -j DNAT --to-destination 192.168.1.98

Well in the worst-case scenario that Michael outlined, your nexthop
gateway may have been compromised and it could be sending you packets
destined for 192.168.1.98 directly.

> Only L2TP packets coming through the IPsec tunnel will arrive at
> the L2TP daemon. But this won't work with 26sec, because there is no
> ipsec0. I tried the following but this did not work (icmp udp port 1701
> unreachable):

My point in this thread has been that this is completely unnecessary.
Unlike the KLIPS implementation, the 26sec policy database is applied
to the entire networking stack, not to just a single interface.  That
means the kernel will guarantee that if a packet arrives through any
network interface that matches your IPsec selector, it will have been
encrypted with the correct SAs.

PS Please keep me in the CCs so that I don't miss your message.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
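The practical check implied by the message above is to look at the 26sec security policy database itself, since on a 2.6 kernel there is no ipsec0 to hook an iptables rule on. The script below is an added example, not code from the original message, Openswan or the kernel: it parses the text printed by `ip xfrm policy` (a sample is constructed inline, using the 192.168.1.98 listener address from the thread) and answers, for a given flow, whether an inbound policy covers it and requires ESP. It assumes the iproute2 output format shown in the sample, that a lower `priority` value wins the lookup, and that a template printed with `level use` makes IPsec optional while the default is required; a flow with no matching policy is reported as `clear`, meaning the kernel would pass plaintext.

```python
"""Check what the 26sec SPD does with a flow, instead of relying on an interface.

Added example; parses `ip xfrm policy` output and reports, per flow, whether
ESP is required, optional, absent, or the policy blocks the flow outright.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `ip xfrm policy` output for an L2TP/IPsec responder
# whose l2tpd listens on 192.168.1.98 (as in the thread).  The policy for
# 192.168.1.99 is included only to show a template marked "level use".
SAMPLE_OUTPUT = """\
src 0.0.0.0/0 dst 192.168.1.98/32 proto udp dport 1701
	dir in priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16385 mode transport
src 192.168.1.98/32 dst 0.0.0.0/0 proto udp sport 1701
	dir out priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16385 mode transport
src 0.0.0.0/0 dst 192.168.1.99/32 proto udp dport 1701
	dir in priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16386 mode transport level use
"""

# Selector line: "src A dst B [proto P] [sport S] [dport D]" (assumed iproute2 order).
_HEADER = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of policy dicts."""
    policies, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if line.startswith("src "):               # start of a new policy record
            m = _HEADER.match(s)
            cur = {
                "src": ipaddress.ip_network(m["src"], strict=False),
                "dst": ipaddress.ip_network(m["dst"], strict=False),
                "proto": m["proto"],
                "sport": int(m["sport"]) if m["sport"] else None,
                "dport": int(m["dport"]) if m["dport"] else None,
                "dir": None, "action": "allow", "priority": 0, "tmpls": [],
            }
            policies.append(cur)
        elif cur is None:
            continue
        elif s.startswith("dir "):                # "dir in [action block] priority N ..."
            cur["dir"] = re.search(r"dir (\w+)", s)[1]
            m = re.search(r"action (\w+)", s)
            if m:
                cur["action"] = m[1]
            m = re.search(r"priority (\d+)", s)
            if m:
                cur["priority"] = int(m[1])
        elif s.startswith("proto ") and "reqid" in s:
            # second line of a template: "proto esp reqid N mode transport [level use]"
            cur["tmpls"].append({"proto": s.split()[1], "optional": "level use" in s})
    return policies


def lookup(policies, direction, src, dst, proto=None, sport=None, dport=None):
    """Return the policy the kernel would pick for this flow (lowest priority value wins)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for p in policies:
        if p["dir"] != direction or src not in p["src"] or dst not in p["dst"]:
            continue
        if p["proto"] and p["proto"] != proto:
            continue
        if p["sport"] is not None and p["sport"] != sport:
            continue
        if p["dport"] is not None and p["dport"] != dport:
            continue
        if best is None or p["priority"] < best["priority"]:
            best = p
    return best


def protection(policies, direction, src, dst, proto=None, sport=None, dport=None):
    """Classify a flow: 'required' (plaintext dropped), 'optional', 'block' or 'clear'."""
    p = lookup(policies, direction, src, dst, proto, sport, dport)
    if p is None:
        return "clear"                            # no policy: kernel passes plaintext
    if p["action"] == "block":
        return "block"
    if not p["tmpls"]:
        return "clear"                            # allow policy with no template
    return "optional" if all(t["optional"] for t in p["tmpls"]) else "required"


if __name__ == "__main__":
    try:   # use the live SPD when run as root on a 2.6+ box, else the sample
        text = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                              text=True, check=True).stdout or SAMPLE_OUTPUT
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_OUTPUT
    pols = parse_xfrm_policies(text)
    for flow in [("in", "203.0.113.5", "192.168.1.98", "udp", 1701, 1701),
                 ("in", "203.0.113.5", "192.168.1.99", "udp", 1701, 1701),
                 ("in", "203.0.113.5", "192.168.1.98", "udp", 1701, 500)]:
        print(flow, "->", protection(pols, *flow))
```

Running it against a live box shows the same thing Herbert describes: the L2TP selector is matched on every interface, so a plaintext UDP/1701 packet from a compromised next hop is dropped whether or not l2tpd listens on an internal address. The cases to look for are `optional` (a `level use` template, which lets plaintext through) and `clear` (no inbound policy at all).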

