[Openswan Users] multiple tunnel fails after upgrade

Vik Heyndrickx vik.heyndrickx at edchq.com
Mon Sep 6 13:54:41 CEST 2004


> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]On
> Behalf Of Vik Heyndrickx
> Sent: Sunday, September 05, 2004 10:33 AM
> To: users at openswan.org
> Subject: [Openswan Users] multiple tunnel fails after upgrade
> 
> After upgrade from Freeswan 2.0.x to Openswan 2.1.4 (fc2), 
> only one tunnel appears to work even though multiple tunnels 
> were and are configured correctly.
> 
> I had two hosts both running Freeswan 2.0.x (I think it is 
> 2.0.4), that connected three networks behind these tunnel end 
> points, one behind the left gateway, let us call it LGNW, and 
> two not directly connected behind the right gateway, RGNW1 
> and RGNW2. OE is configured to be off.
> 
> I replace the right gateway with an FC2 (kernel 
> 2.6.8-1.521)+Openswan 2.1.4 server, with EXACTLY the same 
> ipsec.conf and ipsec.secrets. When I restart ipsec, both 
> tunnels come up (both gateways agree upon that in 
> /proc/net/ipsec_eroute and ipsec auto --status respectively). 
> 
> However, when I ping from a host on LGNW to a host on RGNW1 
> and RGNW2, only a host on one of those networks will respond. 
> The other not. Now, if I bring up only one tunnel at a time, 
> I can ping the host on that tunnelled network on the right 
> hand side; and this applies to both RGNW1 and RGNW2.
> 
> rp_filter is 0 for all interfaces, ip_forward is on. No 
> firewalling was applied during the setup and tests, so as far 
> as the netfilter code is concerned packets were allowed to 
> flow freely.
> 
> When both tunnels are up, only one network is reachable. I 
> know, for the failing network, that the echo-request 
> (ping) packet is being received by the left gateway, that it 
> is tunnelled, and that the tunnelled packet is being received 
> by the right gateway; and there it vanishes. Strange. Oh, 
> yes, compress is on for _both_ tunnels, on both sides, and 
> for the sake of completeness I tried it also with compress 
> _off_ for both tunnels on the two sides with the same results.
> 
> So, I checked the ip routing table "ip route show table all", 
> and both destination networks have exactly the same entries 
> (differing only in the network address). If I ping directly 
> from the right gateway, I can reach both RGNW1 and RGNW2 
> without a problem, but if I do so from a host on the LGNW, I 
> can reach exactly one other network, and not both.

It is not my habit, but I feel like replying to my own message now. I have additional information. I ran a lab test with four PCs and tried to recreate the above situation. The two middle PCs are dual-homed hosts. All are Fedora Core 2 with Openswan 2.1.5 (fc2-i386.rpm), the kernel version is 2.6.8-1.521 (which is based upon vanilla linux kernel 2.6.8). I'm not using KLIPS but the kernel ipsec module.

One tunnel is no problem. Two tunnels, the very same problem occurs here. One of the remote networks is reachable and the other not, despite the fact that both tunnels are up. Where I said before that the packet vanished, I now know that it goes out through the WRONG ethernet interface (tcpdump tells me that), although there is nothing in the local or main routing table that suggests it should do that. If I request the destination gateway with "ip route get" for the respective destination I get the CORRECT ethernet interface. Evidently the de-tunneled packet doesn't get far since the destination host is on a different physical LAN.

Is this an Openswan problem or a kernel problem, or maybe even a known problem?

Cheers,

-- 
Vik Heyndrickx

