[Openswan Users] Problem with ipsec routing

Ming-Ching Tiew mingching.tiew at redtone.com
Thu Aug 11 10:43:47 CEST 2005


From: "John A. Sullivan III" <jsullivan at opensourcedevel.com>

> 
> I thought you could place logging rules in your iptables rule set to see
> where the packet stops but, again, why would changing to a fixed IP fix
> it.  Although I wonder if there is, perhaps, a rule using some script
> variable and the variable is the problem.  Perhaps when the A side
> initiates, the variable is set properly.  When it does not, the variable
> is set to some other value or is unset.
> 
> Are the packets from side A to side B dropped or misrouted? In other
> words, do they come out the other end but are just not in the tunnel or
> do they never make it through the VPN gateway at all? - John
> -- 

No, the packets have been routed to the firewall/IPSEC gateway.
This can be seen from my tcpdump capture: it enters my eth0
interface and leaves the eth1 interface as normal packets, i.e. it never
gets into ipsec0.

One thing I must also mention: I make use of fwmark and multiple
routing tables. But I noticed that the IPSEC route is only created
in the main routing table, for example:

  #  ip route list 
....
210.x.y.z1/30 dev ipsec0  proto kernel  scope link  src 210.x.y.z2
192.168.2.0/24 via 210.x.y.z3 dev ipsec0
....

But if I have additional routing tables, I could never create such
routes in those tables. The commands will fail; for example, adding
this route in table "first"

  # ip route add 210.x.y.z1/30 dev ipsec0  proto kernel  scope link  src 210.x.y.z2 table first

will fail. 

Now my suspicion is that this particular route statement 
(192.168.2.0/24 via 210.x.y.z3 dev ipsec0 ) is somehow not
created in one of my routing tables when I set left=%any. I will 
double confirm it.

Cheers.
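As an added illustration of the check described in this message (not code from the poster or from Openswan), the script below takes constructed `ip rule` and `ip route list table <t>` output, finds every table selected by an fwmark rule, and reports the ones that lack the `192.168.2.0/24 ... dev ipsec0` route. Marked packets that hit such a table leave eth1 in the clear instead of entering ipsec0; the table name "second", the fwmark values and the default routes are constructed for the sample.

```shell
#!/bin/sh
# Constructed sample output, modelled on what `ip rule` and
# `ip route list table <t>` print on a KLIPS gateway using fwmark.
SAMPLE_RULES='0:	from all lookup local
32764:	from all fwmark 0x1 lookup first
32765:	from all fwmark 0x2 lookup second
32766:	from all lookup main
32767:	from all lookup default'
ROUTES_main='210.x.y.z1/30 dev ipsec0  proto kernel  scope link  src 210.x.y.z2
192.168.2.0/24 via 210.x.y.z3 dev ipsec0'
# table "first" only has a default route out eth1: marked packets bypass ipsec0
ROUTES_first='default via 210.x.y.z9 dev eth1'
ROUTES_second='192.168.2.0/24 via 210.x.y.z3 dev ipsec0
default via 210.x.y.z9 dev eth1'

# tables_from_rules RULES: print the table name of every fwmark rule
tables_from_rules() {
    printf '%s\n' "$1" |
        awk '/fwmark/ { for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i+1) }'
}

# table_has_ipsec_route DUMP DEST: succeed if DUMP routes DEST via ipsec0
table_has_ipsec_route() {
    printf '%s\n' "$1" |
        awk -v dest="$2" '$1 == dest && / dev ipsec0/ { found = 1 } END { exit !found }'
}

# missing_ipsec_tables RULES DEST: list fwmark-selected tables with no
# ipsec0 route for DEST (the dump for table t is read from $ROUTES_t)
missing_ipsec_tables() {
    for t in $(tables_from_rules "$1"); do
        eval dump=\"\$ROUTES_$t\"
        table_has_ipsec_route "$dump" "$2" || printf '%s\n' "$t"
    done
}

missing_ipsec_tables "$SAMPLE_RULES" 192.168.2.0/24
```

On a live gateway, replace the constructed strings with the real command output; any table printed is one where marked traffic to the remote subnet is not being routed into the tunnel.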