[Openswan Users] Problem with host reachability when ipsec tunnel is operational

Greg McGuire greg at greganem.com
Thu Jul 21 11:12:32 CEST 2005


Zoltan --

Yes, I believe you are right; I've determined essentially the same  
thing:  the ipsec tunnel is not ignoring the local subnet when it  
grabs packets to send down the tunnel:  everything in 10.0.0.0/8 gets  
caught, instead of 10.0.0.0/8 minus 10.x.0.0/16 (the local subnet).   
I know there must be a way around this that doesn't involve patching  
netfilter, although I'll give that a try if nobody else has a  
suggestion for a simpler fix in openswan.

Just so I'm clear, this is not the classic "I can't ping the ipsec  
gateway from the other gateway / subnet".  I've already got that  
working fine.  The case we're having trouble with is the  
"overlapping" networks setup, as Paul called them:  10.0.0.0/8 on one  
end to 10.x.0.0/16 on the other.

Thanks,
Greg


On Jul 21, 2005, at 3:45 AM, Gömöri Zoltán wrote:

> Hi,
>
> I'm getting exactly the same problem as you. I asked in several
> forms on the list but haven't got any real answer.
> I've no real solution to this but I managed to have a workaround.
> I've tracked down that the problem is in your external machine's route
> handling.
> You have two routes in your routing table, which in your case look like
> this:
>
> Destination   Gateway   Genmask        Flags Metric Ref  Use Iface
> 10.x.0.0      *         255.255.0.0    U     0      0      0 Local If
> 10.0.0.0      m.n.o.p   255.0.0.0      UG    0      0      0 Remote If
>
> Due to the IP standards the first route has priority over the
> second because of the netmask length, but (I guess because of a bug
> somewhere) in the IPSEC implementation somehow the second one has
> priority over the first one.
> What I've done to make it work, I built the vanilla kernel with the
> ROUTE target patch from the netfilter pom, and added the following
> iptables rule into the remote gateway's firewall config:
>
> iptables -t mangle -A OUTPUT -s 10.x.0.1 -d 10.x.0.0/16 -j ROUTE --oif
> <Local If> --continue
>
> This solved the problem, so that the core and the remote network can
> communicate with each other, but I'm still not able to access the
> remote gateway's local address from the remote network.
> I know that is not a real solution, but it seems to work.
>
> Actually I really would like to see if somebody solves this issue.
> I hope that you could understand what I've written, given my
> English and my really little knowledge of the IP/IPSEC business.
>
> Zoltan
>
>
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Greg McGuire
>> Sent: Thursday, July 21, 2005 12:02 AM
>> To: users at openswan.org
>> Subject: Re: [Openswan Users] Problem with host reachability
>> when ipsec tunnel is operational
>>
>> Hello --
>>
>>
>>> If you are creating 'overlapping' networks, eg by having 10.0.0.0/8
>>> on one end, and 10.0.x.0/24 on another end, then with KLIPS this worked
>>> but with NETKEY you will need extra passthrough connections to make it work.
>>
>> This is exactly the issue I am having, but cannot seem to make the
>> passthrough connection work.  Could I ask to be pointed to an
>> example, or more information about this (or a link to TFM)?
>>
>> My network topology is like this:
>>
>> 10.0.0.0/8   <------> 10.x.0.0/16
>> 10.254.0.1               10.x.0.1
>> core gateway          remote gateway(s) running NAT
>>
>> All systems are running openswan 2.2 on Debian (Sarge) with kernel
>> 2.6.8.  The "core" gateway is working fine, and can route to all of
>> the "remote" gateways perfectly using openswan.  However, when I
>> bring up openswan on the remote gateway it swallows all of
>> 10.0.0.0/8, and does not exclude the class 16 as (I believe) it
>> should.  This means that the remote gateway cannot talk to any
>> machine on its own subnet; those packets appear on the external
>> interface instead.  As there are no routes doing this, I assume
>> openswan is grabbing them.
>>
>> My remote gateway's ipsec.conf:
>>
>> conn to_core
>>      type=tunnel
>>      left=MY_EXTERNAL_IP
>>      leftsubnet=10.3.0.0/16
>>      leftnexthop=%defaultroute
>>      right=CORE_EXTERNAL_IP
>>      rightsubnet=10.0.0.0/8
>>      rightnexthop=%defaultroute
>>      spibase=0x200
>>      esp=3des-md5-96
>>      keyexchange=ike
>>      pfs=yes
>>      auth=esp
>>      auto=start
>>      authby=secret
>>      ikelifetime=8h
>>      keylife=8h
>>
>> My remote gateway's routing table:
>>
>> remote:/# ip route show
>> MY_EXTERNAL_IP/22 dev eth0  proto kernel  scope link  src MY_EXTERNAL_IP
>> 10.3.0.0/16 dev eth1  proto kernel  scope link  src 10.3.0.1
>> 10.0.0.0/8 via MY_NEXT_HOP dev eth0
>> default via MY_NEXT_HOP dev eth0
>>
>> Thanks,
>> Greg
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>>
>>
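The "extra passthrough connection" Paul refers to, written out as an added example for the remote gateway's ipsec.conf. This is not configuration from the thread or from the openswan project; it reuses the values in Greg's message (10.3.0.0/16 behind the remote gateway, the MY_EXTERNAL_IP / CORE_EXTERNAL_IP placeholders) and assumes the remote gateway's inside address is 10.3.0.1 and that this openswan 2.x release accepts type=passthrough with authby=never, as its documentation of that era describes. The idea is that NETKEY consults the IPsec policy database, not the routing table, so the longest-prefix rule Zoltan expects from routing never applies; the fix is to give the kernel a more specific policy for the local LAN that says "do nothing", which wins over the broader 10.0.0.0/8 tunnel policy.

```conf
# Added example (not from the thread): remote gateway ipsec.conf, openswan 2.x + NETKEY.
# 10.3.0.1 as the gateway's LAN address is an assumption.

# Passthrough entry for the local LAN. It installs a 10.3.0.0/16 <-> 10.3.0.0/16
# policy that is more specific than the 10.0.0.0/8 tunnel policy below, so the
# kernel leaves local traffic in the clear instead of encapsulating it.
# authby=never + auto=route: no IKE exchange, the policy is simply installed
# when openswan starts.
conn local-lan
    type=passthrough
    authby=never
    left=10.3.0.1
    leftsubnet=10.3.0.0/16
    right=0.0.0.0
    rightsubnet=10.3.0.0/16
    auto=route

# The tunnel as posted by Greg, unchanged.
conn to_core
    type=tunnel
    left=MY_EXTERNAL_IP
    leftsubnet=10.3.0.0/16
    leftnexthop=%defaultroute
    right=CORE_EXTERNAL_IP
    rightsubnet=10.0.0.0/8
    rightnexthop=%defaultroute
    spibase=0x200
    esp=3des-md5-96
    keyexchange=ike
    pfs=yes
    auth=esp
    auto=start
    authby=secret
    ikelifetime=8h
    keylife=8h
```

After restarting openswan, `ip xfrm policy` on the remote gateway should list both the 10.3.0.0/16 policy and the 10.0.0.0/8 one, and a ping from the gateway to a host on 10.3.0.0/16 should leave eth1 in the clear while anything else in 10.0.0.0/8 is still encapsulated on eth0. Only the remote gateway needs this conn; the core gateway's policy for 10.3.0.0/16 is exactly the traffic it should tunnel. This replaces Zoltan's ROUTE-target workaround, which forces the output interface after the fact rather than telling the SPD to skip the local subnet.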