[Openswan Users] Tunnels come up, but not all traffic goes through
Jacco de Leeuw
jacco2 at dds.nl
Sat Jun 12 16:50:11 CEST 2004
Herbert Xu wrote:
>> Should IPsec or the firewall be down for some reason, then the
>> L2TP server would be exposed.
>
> In the ideal world IPsec should be up ("routed" in pluto's terminology)
> before any networking interface has been brought up. This way IPsec
> will never be down unless the kernel itself crashed. If pluto crashed
> then the policies set up by it will still be enforced by the kernel.
With "IPsec down" I meant those situations where the admin has not yet
set an IPsec policy, or where he had flushed it and the new policy was
not loaded due to an error or so. In those cases, if you have an (L2TP)
server bound to the external interface, you're caught with your pants
down...
> Well in the worst-case scenario that Michael outlined, your nexthop
> gateway may have been compromised and it could be sending you packets
> destined for 192.168.1.98 directly.
This is the internal interface. The nexthop should never have access to it.
If forwarding is off by default, I don't think this will be a problem.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
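The exposure discussed above (an L2TP daemon reachable on the external interface at a moment when no IPsec policy is loaded) is something a defender can check for mechanically. The following audit helper is an added example, not code from this thread or from Openswan. It assumes a NETKEY/XFRM-style kernel stack whose policies are listed by `ip xfrm policy`, a listener table in the shape of `ss -lnup`, an external address of 203.0.113.10 (a documentation-range placeholder), and the internal address 192.168.1.98 named in the thread; the sample outputs embedded below are constructed to match those shapes, so the script runs offline.

```python
"""
Audit helper (added example, not from the mailing-list thread or Openswan):
flag a UDP/1701 (L2TP) listener that is reachable via the external address
while no inbound kernel IPsec policy requires ESP for that traffic.

On a real host you would feed in the live output of `ss -lnup` and
`ip xfrm policy`; the samples below are constructed for demonstration.
"""
import re

EXTERNAL_IP = "203.0.113.10"   # assumed external address (documentation range)
INTERNAL_IP = "192.168.1.98"   # internal address mentioned in the thread

# Constructed sample: listener table in the shape of `ss -lnup` output.
LISTENERS_OK = """\
UNCONN 0 0 192.168.1.98:1701 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
"""
LISTENERS_EXPOSED = """\
UNCONN 0 0 0.0.0.0:1701 0.0.0.0:*
"""

# Constructed sample: `ip xfrm policy` style output with one inbound
# transport-mode policy requiring ESP for UDP/1701 to the external address.
XFRM_WITH_POLICY = """\
src 0.0.0.0/0 dst 203.0.113.10/32 proto udp dport 1701
    dir in priority 1040
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
"""
XFRM_EMPTY = ""   # what you see after `ip xfrm policy flush` or a failed load


def l2tp_listeners(ss_output):
    """Return the local addresses on which UDP port 1701 is bound."""
    addrs = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host, _, port = parts[3].rpartition(":")   # "Local Address:Port" column
        if port == "1701":
            addrs.append(host)
    return addrs


def exposed_on_external(addrs, external_ip):
    """A wildcard bind or an explicit bind to the external address is reachable from outside."""
    wildcard = {"0.0.0.0", "*", "[::]", "::", external_ip}
    return any(a in wildcard for a in addrs)


def protecting_policies(xfrm_output, external_ip):
    """Count inbound policies that require ESP for UDP/1701 destined to external_ip."""
    count = 0
    for block in re.split(r"\n(?=src )", xfrm_output.strip()):
        if not block.strip():
            continue
        selector = block.splitlines()[0]
        if (f"dst {external_ip}/32" in selector and "proto udp" in selector
                and "dport 1701" in selector and "dir in" in block
                and "proto esp" in block):
            count += 1
    return count


def audit(ss_output, xfrm_output, external_ip=EXTERNAL_IP):
    """Return a list of findings; an empty list means no exposure was detected."""
    findings = []
    addrs = l2tp_listeners(ss_output)
    if not addrs:
        return findings
    if exposed_on_external(addrs, external_ip):
        findings.append(f"L2TP bound on {addrs}: reachable via external address {external_ip}")
        if protecting_policies(xfrm_output, external_ip) == 0:
            findings.append("no inbound IPsec policy requires ESP for UDP/1701: plaintext L2TP is exposed")
    return findings


if __name__ == "__main__":
    for label, ss_out, xfrm_out in [
        ("internal bind, no policy", LISTENERS_OK, XFRM_EMPTY),
        ("wildcard bind, policy loaded", LISTENERS_EXPOSED, XFRM_WITH_POLICY),
        ("wildcard bind, policy flushed", LISTENERS_EXPOSED, XFRM_EMPTY),
    ]:
        print(label, "->", audit(ss_out, xfrm_out) or ["ok"])
```

The first case is the configuration the thread recommends (daemon bound to the internal address only), and it produces no finding regardless of policy state; the third case is the "caught with your pants down" situation, where the listener is reachable from outside and the kernel has no policy forcing ESP in front of it. A wildcard bind with the policy present is still reported, since that configuration depends on the policy never being absent.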