[Openswan Users] "Simple" ? Vpn setup

Paul Wouters paul at xelerance.com
Thu Nov 18 22:06:29 CET 2004

On Thu, 18 Nov 2004, Nicolas Ross wrote:

> Can anybody give me a hint on why I end up with 2 default routes?

>> conn testvpn
>>        left=nn.nn.nn.nn
>>        leftsubnet=
>>        leftid=@testipsec.domain.com
>>        leftnexthop=nn.nn.nn.yy
>>        right=mm.mm.mm.mm
>>        rightsubnet=
>>        rightid=@testipsec2.domain.com
>>        rightnexthop=mm.mm.mm.yy
>>        auto=add

>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> nn.nn.nn.0                                      U         0 0          0 ipsec0
>>                 nn.nn.nn.yy                     UG        0 0          0 ipsec0
>>                 nn.nn.nn.yy                     UG        0 0          0 ipsec0
>> (only new routes are shown)
>> Why does ipsec need to add a new default route (second one) ?

Because the packets need to hit the IPsec machinery. This is currently done by
making them go into the ipsecX interfaces. Openswan needs to process all packets
with a certain source address (your left/rightsubnet). This method predates much
of the advanced routing (iproute) features, so since only destination based
routing was available at the time, the trick that has been used and is still in
use is to split the default route in two ( and, which
both are the entire default route) and route them into an ipsecX device. Since these
half routes are more specific than the default route, the kernel's routing
mechanism will send all packets into ipsecX. This then triggers the Openswan kernel
code to process these packets. Packets meant for an IPsec tunnel are encrypted, and
packets which are not part of a tunnel are released back into the normal routing
schema and sent to the real default gateway.

We are looking at how we can use source based routing using 'ip rules' to change
this behaviour and remove the confusing half default routes.

In short, those routes are normal when using subnets.
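The following is an added worked example, not code from the original thread or from Openswan: a small destination-based (longest-prefix-match) route lookup that shows why two half-width routes pointing at ipsec0 win over the real default route, while a more specific connected subnet still wins over both. The route table is constructed for the example; the gateway 192.0.2.1, the eth0/ipsec0 names and the 192.0.2.0/24 LAN are placeholders, and the two halves are assumed to be 0.0.0.0/1 and 128.0.0.0/1 (the post above does not show the prefixes).

```python
import ipaddress

# Constructed route table (not taken from the original post). It holds the real
# default route on eth0, one directly connected LAN, and the two /1 "half
# default" routes that the reply describes Openswan installing on ipsecX.
# The /1 prefixes and all addresses are assumptions made for this example.
ROUTES = [
    ("0.0.0.0/0",    "192.0.2.1", "eth0"),    # real default gateway
    ("192.0.2.0/24", None,        "eth0"),    # directly connected LAN
    ("0.0.0.0/1",    "192.0.2.1", "ipsec0"),  # first half of the default route
    ("128.0.0.0/1",  "192.0.2.1", "ipsec0"),  # second half of the default route
]


def lookup(dst, routes=ROUTES):
    """Return (prefix, gateway, iface) of the most specific route matching dst.

    This is plain destination-based longest-prefix matching, which is all the
    kernel offered before source-based 'ip rule' policy routing existed.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def iface_for(dst, routes=ROUTES):
    """Interface a packet to dst would be handed to."""
    return lookup(dst, routes)[2]


def without_half_routes(routes=ROUTES):
    """The table as it looks once the ipsec0 half routes are gone again."""
    return [r for r in routes if r[2] != "ipsec0"]


def halves_cover_default(halves=("0.0.0.0/1", "128.0.0.0/1")):
    """True when the two halves together are exactly the whole default route."""
    nets = [ipaddress.ip_network(h) for h in halves]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.5", "192.0.2.7"):
        print(dst, "->", lookup(dst))
    print("after removing the half routes, 8.8.8.8 ->", lookup("8.8.8.8", without_half_routes()))
    print("halves cover the whole default route:", halves_cover_default())
```

Every address outside the connected LAN lands on ipsec0 via one of the /1 halves, which is exactly what the second "default" line in the quoted route table reflects; only once those two routes are withdrawn does the real eth0 default route get used again.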
