[Openswan Users] Probelm with host reachability when ipsec tunnelis operational

Gömöri Zoltán suf at freemail.hu
Thu Jul 21 11:45:23 CEST 2005


Hi,

I'm getting exactly the same problem as you. I asked in several form on the
list but hasn't got any real answer.
I've no real solution to this but I managed to have a workaround.
I've tracked down that the problem on your External machines route handling.
You have two routes in your routing table in your case looks like this:

Destination   Gateway   Genmask        Flags Metric Ref  Use Iface
10.x.0.0      *         255.255.0.0    U     0      0      0 Local If
10.0.0.0      m.n.o.p   255.0.0.0      UG    0      0      0 Remote If

Due to the IP standards the first route has priority over the second because
of the netmask length, but (I gess because of a bug somewhere) in the IPSEC
implementation somehow the second one has prority over the first one.
What I've done to make it work, I built the vannila kernel with the ROUTE
target patch from the netfilter pom, and added the following iptables rule
into the remote gateway's firewall config:

iptables -t mangle -A OUTPUT -s 10.x.0.1 -d 10.x.0.0/16 -j ROUTE --oif
<Local If> --continue

This solved the problem, that the core and the remote network can
communicate with each other, but I'm still not able to access the remote
gateway's local address from the remote network.
I know, that is not a real solution, but it seams to work.

Actually I realy would like to see if somebody solves this issue.
I hope that you could understand what I've written because of my english and
the realy little knowledge in the IP/IPSEC business.

Zoltan

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Greg McGuire
> Sent: Thursday, July 21, 2005 12:02 AM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Probelm with host reachability 
> when ipsec tunnelis operational
> 
> Hello --
> 
> > If you are creating 'overlapping' networks, eg by having 
> 10.0.0.0/8  
> > on one
> > end, and 10.0.x.0/24 on another end, then with KLIPS this worked  
> > but with
> > NETKEY you will need extra passthrough connections to make it work.
> 
> This is exactly the issue I am having, but cannot seem to make the  
> passthrough connection work.  Could I ask to be pointed to an  
> example, or more information about this (or a link to TFM)?
> 
> My network topology is like this:
> 
> 10.0.0.0/8   <------> 10.x.0.0/16
> 10.254.0.1               10.x.0.1
> core gateway          remote gateway(s) running NAT
> 
> All systems are running openswan 2.2 on Debian (Sarge) with kernel  
> 2.6.8.  The "core" gateway is working fine, and can route to all of  
> the "remote" gateways perfectly using openswan.  However, when I  
> bring up openswan on the remote gateway it swallows all of  
> 10.0.0.0/8, and does not exclude the class 16 as (I believe) it  
> should.  This means that the remote gateway cannot talk to any  
> machine on its own subnet; those packets appear on the external  
> interface instead.  As there are no routes doing this, I assume  
> openswan is grabbing them.
> 
> My remote gateway's ipsec.conf:
> 
> conn to_core
>      type=tunnel
>      left=MY_EXTERNAL_IP
>      leftsubnet=10.3.0.0/16
>      leftnexthop=%defaultroute
>      right=CORE_EXTERNAL_IP
>      rightsubnet=10.0.0.0/8
>      rightnexthop=%defaultroute
>      spibase=0x200
>      esp=3des-md5-96
>      keyexchange=ike
>      pfs=yes
>      auth=esp
>      auto=start
>      authby=secret
>      ikelifetime=8h
>      keylife=8h
> 
> My remote gateway's routing table:
> 
> remote:/# ip route show
> MY_EXTERNAL_IP/22 dev eth0  proto kernel  scope link  src 
> MY_EXTERNAL_IP
> 10.3.0.0/16 dev eth1  proto kernel  scope link  src 10.3.0.1
> 10.0.0.0/8 via MY_NEXT_HOP dev eth0
> default via MY_NEXT_HOP dev eth0
> 
> Thanks,
> Greg
> 
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 



More information about the Users mailing list