[Openswan Users] Problem with host reachability when ipsec
greg at greganem.com
Thu Jul 21 11:12:32 CEST 2005
Yes, I believe you are right; I've determined essentially the same
thing: the ipsec tunnel is not ignoring the local subnet when it
grabs packets to send down the tunnel: everything in 10.0.0.0/8 gets
caught, instead of 10.0.0.0/8 minus 10.x.0.0/16 (the local subnet).
I know there must be a way around this that doesn't involve patching
netfilter, although I'll give that a try if nobody else has a
suggestion for a simpler fix in openswan.
Just so I'm clear, this is not the classic "I can't ping the ipsec
gateway from the other gateway / subnet". I've already got that
working fine. The case we're having trouble with is the
"overlapping" networks setup, as Paul called them: 10.0.0.0/8 on one
end to 10.x.0.0/16 on the other.
On Jul 21, 2005, at 3:45 AM, Gömöri Zoltán wrote:
> I'm getting exactly the same problem as you. I asked in several forms on
> the list but haven't got any real answer.
> I've no real solution to this but I managed to have a workaround.
> I've tracked down that the problem is on your external machine's routes.
> You have two routes in your routing table, which in your case look like:
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.x.0.0 * 255.255.0.0 U 0 0 0 Local If
> 10.0.0.0 m.n.o.p 255.0.0.0 UG 0 0 0 Remote If
> Due to the IP standards the first route has priority over the second
> because of the netmask length, but (I guess because of a bug somewhere)
> in the IPSEC implementation somehow the second one has priority over the
> first one.
> What I've done to make it work: I built the vanilla kernel with the
> target patch from the netfilter pom, and added the following iptables
> rule into the remote gateway's firewall config:
> iptables -t mangle -A OUTPUT -s 10.x.0.1 -d 10.x.0.0/16 -j ROUTE --oif <Local If> --continue
> This solved the problem, so that the core and the remote network can
> communicate with each other, but I'm still not able to access the
> gateway's local address from the remote network.
> I know that is not a real solution, but it seems to work.
> Actually I really would like to see if somebody solves this issue.
> I hope that you could understand what I've written, given my English
> and my really little knowledge of the IP/IPSEC business.
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Greg McGuire
>> Sent: Thursday, July 21, 2005 12:02 AM
>> To: users at openswan.org
>> Subject: Re: [Openswan Users] Problem with host reachability
>> when ipsec tunnel is operational
>> Hello --
>>> If you are creating 'overlapping' networks, eg by having
>>> on one
>>> end, and 10.0.x.0/24 on another end, then with KLIPS this worked
>>> but with
>>> NETKEY you will need extra passthrough connections to make it work.
>> This is exactly the issue I am having, but cannot seem to make the
>> passthrough connection work. Could I ask to be pointed to an
>> example, or more information about this (or a link to TFM)?
>> My network topology is like this:
>> 10.0.0.0/8 <------> 10.x.0.0/16
>> 10.254.0.1 10.x.0.1
>> core gateway remote gateway(s) running NAT
>> All systems are running openswan 2.2 on Debian (Sarge) with kernel
>> 2.6.8. The "core" gateway is working fine, and can route to all of
>> the "remote" gateways perfectly using openswan. However, when I
>> bring up openswan on the remote gateway it swallows all of
>> 10.0.0.0/8, and does not exclude the class 16 as (I believe) it
>> should. This means that the remote gateway cannot talk to any
>> machine on its own subnet; those packets appear on the external
>> interface instead. As there are no routes doing this, I assume
>> openswan is grabbing them.
>> My remote gateway's ipsec.conf:
>> conn to_core
>> My remote gateway's routing table:
>> remote:/# ip route show
>> MY_EXTERNAL_IP/22 dev eth0 proto kernel scope link src
>> 10.3.0.0/16 dev eth1 proto kernel scope link src 10.3.0.1
>> 10.0.0.0/8 via MY_NEXT_HOP dev eth0
>> default via MY_NEXT_HOP dev eth0
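As an added example (not from any of the posters), this is what the NETKEY passthrough connection mentioned in the thread could look like in the remote gateway's ipsec.conf, using the 10.3.0.0/16 and 10.3.0.1 values from the quoted routing table; the body of the to_core conn and the CORE_EXTERNAL_IP placeholder are assumptions, since the original conn is not shown.

```conf
# Added example, not any poster's configuration. Addresses come from the
# quoted routing table (10.3.0.0/16 behind 10.3.0.1); CORE_EXTERNAL_IP is a
# placeholder for the core gateway's public address, which the thread masks.

# The site-to-site tunnel: everything in 10.0.0.0/8 is sent to the core.
# (This conn body is an assumption; the thread only shows its name.)
conn to_core
        left=%defaultroute
        leftsubnet=10.3.0.0/16
        right=CORE_EXTERNAL_IP
        rightsubnet=10.0.0.0/8
        auto=start

# With NETKEY the 10.0.0.0/8 tunnel policy also catches traffic for the
# gateway's own /16, so a more specific passthrough conn exempts it.
# type=passthrough with authby=never installs a bypass policy instead of
# negotiating an SA; auto=route installs it without needing a peer.
conn local-passthrough
        left=10.3.0.1
        leftsubnet=10.3.0.0/16
        right=0.0.0.0
        rightsubnet=10.3.0.0/16
        authby=never
        type=passthrough
        auto=route
```

After loading it, `ip xfrm policy show` on the remote gateway should list a policy for 10.3.0.0/16 with no tmpl line alongside the 10.0.0.0/8 tunnel policy, and local-subnet packets should stop appearing on the external interface.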