Probelm with host reachability when ipsec tunnel is operational
philg at thenetworktech.net
Tue Jul 5 14:21:35 CEST 2005
I have recently upgrded to Linux Openswan U2.3.1/K188.8.131.52-20a-default
(netkey) from Freeswan-1.99 on Linux 2.4.20.
I am having a problem with reachability of the IPSEC gateway host on
the local network.
We have Linux based OpenSwan IPSEC Gateway that spans two phyical local
ethernet networks, and has an ADSL connection to our Administration Center.
| ADSL Link (
Subnet B --------------- Subnet A
(192.168.26.0/24) | IPSEC | ( 192.168.7.0/24)
--------------------------- | | ---------------
(192.168.26.253) | Gateway | (192.168.7.253)
The ADSL gateway provide 4 IPSec Connections: One Connection each from
the local networks (7 & 26) to our adminsitration center
(192.168.32.0/21) and One Connection from each local network to another
box used for "Internet" Connectivity.
The 2 IPSEC connection to the internet is used to connection to all
other Sites within out WAN . These sites are number in the private
ranges (192.168., 10. and 172.) so we use a catch all 0.0.0.0/0 route
from the remote network on this ipsec connection. It also just happens
that this second IPSEC Connection is our connection to the internet, but
these remote locations do not have internet connectivity so this is not
actually used for web etc.
The problem is that when I bring up the 2nd IPSEC Connection
(0.0.0.0/0) remote network. I lose the ability to reach the
192.168.7.253 from any machine in 192.168.7.0/24 and also the lose
connectivity from 192.168.26.0/24 to 192.168.26.253, and also lose
connectivity between the 192.168.26.0/24 and 192.168.7.0/24 networks.
When the Second IPSEC Connction (0.0.0.0/0) is down and unrouted all
connectivity between machines in the lans is restored.
I suspect that the problem is caused by the security policy attempting
to determine encryption and authentication parameters for access between
the 7 and 26 networks, when there is no appropriate policy defined.
I have attempted to use the setkey tool on the ipsec-tools rpm packages
to create a security policy between the two networks that defines that
no encryption or authentication is required, but have not had any luck.
The really interesting problem that I cannot explain is that when the
second IPSE Connection (0.0.0.0/0) is up, that I cannot connect from the
192.168.x.0/24 network to the 192.168.x.253 address on the IPSEC Gateway.
Does anyone have any clues and suggestions only what I might do to solve
I have done exhaustive searching on goolge and in the mailing lists etc.
The problem only occurs on the 2.6 kernels ( I suspect this is to do
with the use the ipsec0 virtual interface under the 2.4 kernel ipsec
implementations and that the 2.6 kernel use the nbative interfaces for
all encrypted and un-encrypted traffic).
More information about the Users