[Openswan Users] Tunnels come up, but not all traffic goes through

Jacco de Leeuw jacco2 at dds.nl
Sat Jun 12 16:50:11 CEST 2004


Herbert Xu wrote:

>> Should IPsec or the firewall be down for some reason, then the
>> L2TP server would be exposed.
> 
> In the ideal world IPsec should be up ("routed" in pluto's terminology)
> before any networking interface has been brought up.  This way IPsec
> will never be down unless the kernel itself crashed.  If pluto crashed
> then the policies set up by it will still be enforced by the kernel.

With "IPsec down" I meant those situations where the admin has not yet
set an IPsec policy, or where he had flushed it and the new policy was
not loaded due to an error or so. In those cases, if you have an (L2TP)
server bound to the external interface, you're caught with your pants
down...

> Well in the worst-case scenario that Michael outlined, your nexthop
> gateway may have been compromised and it could be sending you packets
> destined for 192.168.1.98 directly.

This is the internal interface. The nexthop should never have access to it.
If forwarding is off by default, I don't think this will be a problem.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
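An added illustration, not part of this thread, of the firewall safety net the discussion is about: accept L2TP only when it has actually arrived through IPsec, so a flushed or never-loaded policy fails closed instead of exposing the L2TP daemon. It assumes an external interface eth0, a Linux netfilter kernel with the `policy` match (xt_policy), and the small audit function `audit_l2tp_rules` is a hypothetical helper that flags any ACCEPT for UDP 1701 that is not gated on IPsec.

```shell
#!/bin/sh
# Added example; assumptions: external interface eth0 (override with EXT_IF),
# L2TP daemon on UDP 1701, netfilter "policy" match available (NETKEY-style
# IPsec; with KLIPS one would instead restrict to the ipsec0 interface).
EXT_IF="${EXT_IF:-eth0}"

# Weak setting: any UDP 1701 on the external interface is accepted, so if the
# admin has not loaded a policy, or flushed it, cleartext L2TP reaches the daemon.
weak_l2tp_rules() {
    cat <<EOF
-A INPUT -i $EXT_IF -p udp --dport 1701 -j ACCEPT
EOF
}

# Hardened setting: only UDP 1701 that was decapsulated from ESP (inbound
# policy matched, transport mode) is accepted; everything else is dropped,
# which is the state we want even when IPsec is down for whatever reason.
safe_l2tp_rules() {
    cat <<EOF
-A INPUT -i $EXT_IF -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
-A INPUT -i $EXT_IF -p udp --dport 1701 -j DROP
EOF
}

# Audit helper (hypothetical): read iptables-style rules on stdin and exit 1
# if any ACCEPT for dport 1701 lacks the IPsec policy match, else exit 0.
audit_l2tp_rules() {
    awk '
        /--dport 1701/ && /-j ACCEPT/ {
            if ($0 !~ /-m policy --dir in --pol ipsec/) bad++
        }
        END { exit (bad > 0) }
    '
}
```

Load the hardened set with `safe_l2tp_rules | sed '1i *filter' | sed '$a COMMIT' | iptables-restore -n`, and run the audit over `iptables-save` output to catch an unguarded rule creeping back in.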

