[Openswan Users] Problem with host reachability when ipsec tunnel is operational

Paul Wouters paul at xelerance.com
Tue Jul 5 18:07:27 CEST 2005


On Tue, 5 Jul 2005, Phillip Gersekowski wrote:

> I have recently upgraded to Linux Openswan U2.3.1/K2.6.11.4-20a-default
> (netkey) from Freeswan-1.99 on Linux 2.4.20.
>
> I am having a problem with reachability of the IPSEC gateway host on
> the local network.

Without logs it is hard to say what is going on. Either your firewalls
still assume an ipsecX device which is no longer there, your rp_filter
settings changed, your nat/masq settings interfere, or perhaps you did
not disable OE by including no_oe.conf

>
> The ADSL gateway provides 4 IPSec connections: one connection each from
> the local networks (7 & 26) to our administration center
> (192.168.32.0/21) and one connection from each local network to another
> box used for "Internet" connectivity.
>
> The 2nd IPSEC connection to the internet is used to connect to all
> other sites within our WAN. These sites are numbered in the private
> ranges (192.168., 10. and 172.) so we use a catch-all 0.0.0.0/0 route
> from the remote network on this ipsec connection. It also just happens
> that this second IPSEC connection is our connection to the internet, but
> these remote locations do not have internet connectivity so this is not
> actually used for web etc.

If you are creating 'overlapping' networks, eg by having 10.0.0.0/8 on one
end, and 10.0.x.0/24 on another end, then with KLIPS this worked but with
NETKEY you will need extra passthrough connections to make it work.

> The problem is that when I bring up the 2nd IPSEC connection with the
> 0.0.0.0/0 remote network, I lose the ability to reach
> 192.168.7.253 from any machine in 192.168.7.0/24, also lose
> connectivity from 192.168.26.0/24 to 192.168.26.253, and also lose
> connectivity between the 192.168.26.0/24 and 192.168.7.0/24 networks.

Seems like you might have left OE enabled.

Paul
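Editor's note, added to this archived thread and not part of either poster's message: the passthrough connections Paul refers to look like the ipsec.conf fragment below. With NETKEY a tunnel whose rightsubnet is 0.0.0.0/0 installs kernel XFRM policies saying that anything between 192.168.7.0/24 and "anywhere" must be IPsec-protected, so plaintext packets from a LAN host to the gateway's own 192.168.7.253 address, or between the two LANs, are discarded by the kernel as policy violations. Shunt conns of type=passthrough for the local prefixes exempt that traffic. The peer address 203.0.113.1, the conn names and the use of left=%defaultroute are constructed for illustration; the subnets and gateway addresses are those given in the thread.

```ini
# /etc/ipsec.conf fragment (constructed example, not the original poster's config)
version 2.0

config setup
    interfaces=%defaultroute

# Disable Opportunistic Encryption: OE installs its own catch-all policies
# that silently drop traffic to peers with no IPsec keys in DNS.
include /etc/ipsec.d/examples/no_oe.conf

# The catch-all tunnel from the thread: remote side announces 0.0.0.0/0.
# Peer 203.0.113.1 is a documentation address used here as a placeholder.
conn lan7-to-wan
    left=%defaultroute
    leftsubnet=192.168.7.0/24
    right=203.0.113.1
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=start

# Passthrough shunts: these install "allow in the clear" policies for the
# local prefixes. Openswan gives the more specific /24<->/24 policies
# precedence over the /24<->/0 tunnel policy, so LAN-to-LAN and LAN-to-gateway
# traffic is no longer forced into the tunnel (or dropped for lacking it).
# authby=never is what ipsec.conf(5) prescribes for shunt connections.
conn lan7-local
    type=passthrough
    authby=never
    left=%defaultroute
    leftsubnet=192.168.7.0/24
    right=0.0.0.0
    rightsubnet=192.168.7.0/24     # covers the gateway's own 192.168.7.253
    auto=route

conn lan26-local
    type=passthrough
    authby=never
    left=%defaultroute
    leftsubnet=192.168.26.0/24
    right=0.0.0.0
    rightsubnet=192.168.26.0/24    # covers the gateway's own 192.168.26.253
    auto=route

conn lan7-to-lan26
    type=passthrough
    authby=never
    left=%defaultroute
    leftsubnet=192.168.7.0/24
    right=0.0.0.0
    rightsubnet=192.168.26.0/24    # inter-LAN traffic stays in the clear
    auto=route
```

The tunnel to the administration centre (192.168.32.0/21) needs no shunt, since its own /21 policy is already more specific than the catch-all. After `ipsec auto --add` and `ipsec auto --route` for the shunt conns, `ip xfrm policy` should list `dir in`, `dir out` and `dir fwd` entries for the /24 pairs with no `tmpl` line attached, alongside the tunnel policies that do carry an ESP template. If the gateway is still unreachable once the policies look right, the remaining suspects are the ones Paul lists: iptables rules that still reference an ipsecX interface (NETKEY has none; encrypted and decrypted packets both appear on the real interface), rp_filter, and NAT rules that now see the pre-encryption packet.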

