[Openswan Users] Routing on a bigger network

Paul Wouters paul at xelerance.com
Mon Jan 31 19:29:11 CET 2005


On Mon, 31 Jan 2005, John A. Sullivan III wrote:

>> Another thing I'm wondering about - this whole limitation seems tied to the 
>> OpenSWAN design decision to not provide routable interfaces for VPNs.  Many

Routable interfaces are not what defines IPsec. IPsec is about policies and
security. It was never meant to do 'route add foonet /dev/ipsec'. The whole
point of IPsec is to only let through what has been authenticated, and not
just random IPs that people pointed to the tunnel.

> I'm not sure of the rationale behind the non-routing virtual interfaces.
> If I was to hazard a guess, I would guess that its predecessor,
> FreeS/WAN antedates the netfilter hooks.

Yes, there was talk at the first two OLS conferences (2000 and 2001?)
when netfilter was just appearing. Putting Alan Cox, Dave Miller, Alexi
and the freeswan people (hugh, hugh, richard, henry) in one room did not
yield the proper result.

> I am only just beginning to play with the 2.6 IPSec implementation.  I
> do not know if that will provide an easier solution for you.

No, it will be even harder, because KLIPS does (against RFC) longest-match
first, so you can have policies for 10.0.0.0/16 and 10.0.0.0/24, and packets
for 10.0.0.3 will enter the latter tunnel instead of the former. NETKEY does
it based on the order of when you added the policies into the kernel.

The easiest way out of this is using another tunnel where you can actually
'route into'. This can be done with a simple GRE tunnel.

See Ken's talk "Highly Available VPNs on Linux" available at:
http://www.xelerance.com/talks/ha/

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
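The two policy-selection behaviours Paul describes above (KLIPS picking the most specific matching policy, NETKEY picking the first matching policy in insertion order) are easy to get wrong when an SPD contains overlapping selectors. The following is an added example, not code from the post or from Openswan, that models both strategies over a small constructed policy table and includes an audit helper that flags overlapping selectors before they bite. Policy and tunnel names are constructed; the two selection functions are simplified models of the behaviour as described in the message, not reimplementations of either kernel's SPD lookup.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic whose destination is inside `dst`
    is steered into the tunnel named `tunnel`."""
    dst: ipaddress.IPv4Network
    tunnel: str


# Constructed policy table. The overlap mirrors the 10.0.0.0/16 vs
# 10.0.0.0/24 case from the message; the wider policy is inserted first.
POLICIES: List[Policy] = [
    Policy(ipaddress.ip_network("10.0.0.0/16"), "tunnel-wide"),
    Policy(ipaddress.ip_network("10.0.0.0/24"), "tunnel-narrow"),
]


def select_longest_match(policies: List[Policy], dst_ip: str) -> Optional[str]:
    """KLIPS-style selection as described in the message: among all
    matching policies, the one with the longest prefix wins, regardless
    of the order in which the policies were installed."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if ip in p.dst]
    if not matches:
        return None
    return max(matches, key=lambda p: p.dst.prefixlen).tunnel


def select_first_match(policies: List[Policy], dst_ip: str) -> Optional[str]:
    """NETKEY-style selection as described in the message: the first
    policy in insertion order that matches wins, whatever its prefix
    length. Reordering the table changes the result."""
    ip = ipaddress.ip_address(dst_ip)
    for p in policies:
        if ip in p.dst:
            return p.tunnel
    return None


def find_overlaps(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Audit helper: return (narrow, wide) tunnel-name pairs where one
    selector is a proper subnet of another. Any such pair is a place
    where the two selection strategies can disagree."""
    overlaps = []
    for narrow in policies:
        for wide in policies:
            if narrow is wide:
                continue
            if narrow.dst != wide.dst and narrow.dst.subnet_of(wide.dst):
                overlaps.append((narrow.tunnel, wide.tunnel))
    return overlaps


def compare(policies: List[Policy], dst_ip: str) -> dict:
    """Show which tunnel each strategy would pick for one destination."""
    return {
        "longest_match": select_longest_match(policies, dst_ip),
        "first_match": select_first_match(policies, dst_ip),
    }


if __name__ == "__main__":
    print("overlapping selectors:", find_overlaps(POLICIES))
    for dst in ("10.0.0.3", "10.0.5.7", "192.168.1.1"):
        print(dst, compare(POLICIES, dst))
```

Running the block shows that 10.0.0.3 lands in `tunnel-narrow` under longest-match but in `tunnel-wide` under first-match with this insertion order, while 10.0.5.7 goes to `tunnel-wide` either way. The practical check is `find_overlaps`: if it returns anything, the routing outcome depends on the stack and on installation order, which is exactly the situation the message says a GRE tunnel you can route into avoids.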


