[Openswan Users] Virtual interfaces

Tuomo Soini tis at foobar.fi
Tue Jul 19 23:27:12 CEST 2005

Hash: SHA1

Lionel Cottin wrote:
> Dear OpenSwan gurus,
> I'm currently having issues with OpenSWAN on RHEL3 using RH IPSEC stack.
> My setup is quite as follow:
> I run 2 servers configured as 1 HA cluster using hearbeat (active/passive).
> Openswan is configured to bind on eth0:0 which the virtual managed by heartbeat.

Your problem is here. You need not to bind to eth0:0 interface. You need
to bind that ip to eth0 using IPaddr2 resource script with heartbeat.

> Both the virtual and the underlying physical interfaces are on the same subnet.
> Each "IPSEC Client" has 2 connections defined: one in tunnel and the other one
> in transport mode.
> This setup worked like charm using RH7.3 based VPN routers and super freeswan
> 1.99 . However and since I migrated them to RHEL3/Openswan2.3.1 a few day ago,
> IPSEC is often "not" crashing but in a really bad state; I have to manually
> restart some connection very often.

I've not tried 2.3.1 but ipsec works ok with 2.4.0dr3 on my systems.
with rhel-3 based kernel.

>>From what I've seen till now, it seems that the error comes from pluto not being
> able to properly handle virtual IPs like eth0:0.
> When starting IPSEC connections I get error messages like:
> "XXXX": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete
> x.x.x.x/32 via x.x.x.x dev eth0:0 ' failed (Cannot find device "eth0:0")

Exactly. Fix is to change ${PLUTO_INTERFACE}  in _updown script to
${PLUTO_INTERFACE%:*} or change to bind virtual ip to to eth0 with
IPaddr2 resource script of heartbeat-1.2.x Using IPsrcaddr might be
required too.

But another problem is that you need to do dynamic firewalling. I've
done that by using shorewall firewall and _updown script which is
managing shorewall dynamic rules.

- --
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Users mailing list