[Openswan Users] Tunnels come up, but not all traffic goes through

Herbert Xu herbert at gondor.apana.org.au
Sun Jun 13 06:54:58 CEST 2004


On Sat, Jun 12, 2004 at 03:50:11PM +0200, Jacco de Leeuw wrote:
>
> >In the ideal world IPsec should be up ("routed" in pluto's terminology)
> >before any networking interface has been brought up.  This way IPsec
> >will never be down unless the kernel itself crashed.  If pluto crashed
> >then the policies set up by it will still be enforced by the kernel.
> 
> With "IPsec down" I meant those situations where the admin has not yet
> set an IPsec policy, or where he had flushed it and the new policy was
> not loaded due to an error or so. In those cases, if you have an (L2TP)
> server bound to the external interface, you're caught with your pants
> down...

Well the policy database should be given the same level of respect
as the firewall.  Just as you wouldn't start an interface without
the firewall, you shouldn't do so without the IPsec policies.

> >Well in the worst-case scenario that Michael outlined, your nexthop
> >gateway may have been compromised and it could be sending you packets
> >destined for 192.168.1.98 directly.
> 
> This is the internal interface. The nexthop should never have access to it.
> If forwarding is off by default, I don't think this will be a problem.

Unfortunately this doesn't work on Linux.  IP addresses are assigned
to the host, not the interface.  Therefore it will always be accessible
to your nexthop.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
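A worked illustration of the two points Herbert makes above, added here as an example and not taken from the thread or from Openswan's own scripts. Because Linux treats addresses as belonging to the host rather than the interface, a packet from the nexthop that arrives on the external interface with the "internal" address 192.168.1.98 as its destination is delivered locally; rp_filter does not help, since it checks the source address. The script therefore emits firewall rules that drop such packets on the external interface, and refuses to bring the interface up unless the kernel already holds an IPsec policy (checked via `ip xfrm policy`, which applies to the 2.6 native IPsec stack, not KLIPS). The interface name, the peer address and the exact policy output are assumptions; the rule generator prints instead of executing so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example: fail-closed bring-up of an external interface on Linux.
# Nothing here is Openswan code; eth0, 203.0.113.5 and the policy text
# used for testing are assumptions / constructed input.

EXT_IF=eth0                 # assumed external interface
INT_ADDR=192.168.1.98       # address on the internal interface (from the thread)
IPSEC_PEER=203.0.113.5      # assumed remote gateway (documentation range)

# Emit iptables rules that stop the nexthop from reaching the internal
# address through the external interface. On Linux the address is reachable
# from any interface unless filtered, so match on (in-interface, destination).
# Rules are printed, not run, so callers can review them or pipe them to sh.
weak_host_rules() {
    ext_if=$1
    int_addr=$2
    printf 'iptables -A INPUT   -i %s -d %s -j DROP\n' "$ext_if" "$int_addr"
    printf 'iptables -A FORWARD -i %s -d %s -j DROP\n' "$ext_if" "$int_addr"
}

# Given the text of `ip xfrm policy`, report whether at least one policy
# is loaded. `ip xfrm policy` prints each entry starting with "src ... dst ...",
# so an empty output means the SPD is empty and the host is unprotected.
ipsec_policy_present() {
    printf '%s\n' "$1" | grep -q '^src '
}

# Bring the interface up only after the firewall and the IPsec policy are in
# place, mirroring "you shouldn't start an interface without the policies".
# Requires root; not invoked at top level so the file is safe to source.
bring_up() {
    iface=$1
    weak_host_rules "$iface" "$INT_ADDR" | sh || return 1
    policy=$(ip xfrm policy 2>/dev/null)
    if ! ipsec_policy_present "$policy"; then
        echo "refusing to bring up $iface: no IPsec policy loaded" >&2
        return 1
    fi
    ip link set "$iface" up
}
```

Run `bring_up eth0` as root after pluto has loaded its policies (or after `ip xfrm policy add ...` by hand); if the SPD is empty the interface stays down instead of exposing the L2TP listener in the window Jacco describes.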

