[Openswan Users] Problem with host reachability when ipsec tunnel is operational
Greg McGuire
greg at greganem.com
Thu Jul 21 11:12:32 CEST 2005
Zoltan --
Yes, I believe you are right; I've determined essentially the same
thing: the ipsec tunnel is not ignoring the local subnet when it
grabs packets to send down the tunnel: everything in 10.0.0.0/8 gets
caught, instead of 10.0.0.0/8 minus 10.x.0.0/16 (the local subnet).
I know there must be a way around this that doesn't involve patching
netfilter, although I'll give that a try if nobody else has a
suggestion for a simpler fix in openswan.
Just so I'm clear, this is not the classic "I can't ping the ipsec
gateway from the other gateway / subnet". I've already got that
working fine. The case we're having trouble with is the
"overlapping" networks setup, as Paul called them: 10.0.0.0/8 on one
end to 10.x.0.0/16 on the other.
Thanks,
Greg
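For the topology in this thread, the "extra passthrough connection" Paul mentions is a second conn on the remote gateway that tells NETKEY to leave LAN-to-LAN traffic alone, so the narrower 10.3.0.0/16 selector is consulted before the 10.0.0.0/8 tunnel policy. The following is an added example, not a config from the thread or from the Openswan project; the subnet 10.3.0.0/16 comes from Greg's ipsec.conf, the conn name and the `right=0.0.0.0` placeholder peer are assumptions to adapt:

```ini
# Added example: bypass policy for traffic that stays on the remote
# gateway's own LAN. Goes in the remote gateway's ipsec.conf next to
# the existing "conn to_core", which is left unchanged.
conn local-lan-passthrough
    type=passthrough        # no IPsec processing: install a bypass policy only
    authby=never            # nothing to negotiate with IKE
    left=%defaultroute      # this host
    leftsubnet=10.3.0.0/16  # local LAN behind eth1 (from the thread)
    right=0.0.0.0           # assumption: placeholder peer, a policy-only conn has none
    rightsubnet=10.3.0.0/16 # same LAN as destination selector
    auto=route              # load the policy at startup, no SA is ever brought up
```

After `ipsec auto --add local-lan-passthrough` and `ipsec auto --route local-lan-passthrough` (or an `ipsec restart`), `ip xfrm policy show` should list an outbound policy with `src 10.3.0.0/16 dst 10.3.0.0/16` and no `tmpl` line beneath it, while the 10.0.0.0/8 policy keeps its ESP template. A ping from the gateway to a LAN host should then leave on eth1 again, which is easy to confirm with `tcpdump -ni eth1` on the gateway; if it still appears on eth0 the bypass policy was not installed.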
On Jul 21, 2005, at 3:45 AM, Gömöri Zoltán wrote:
> Hi,
>
> I'm getting exactly the same problem as you. I asked in several
> forms on the list but haven't got any real answer.
> I've no real solution to this, but I managed to have a workaround.
> I've tracked down that the problem is in your external machine's route
> handling.
> You have two routes in your routing table, which in your case look like
> this:
>
> Destination   Gateway   Genmask       Flags  Metric  Ref  Use  Iface
> 10.x.0.0      *         255.255.0.0   U      0       0    0    Local If
> 10.0.0.0      m.n.o.p   255.0.0.0     UG     0       0    0    Remote If
>
> Due to the IP standards the first route has priority over the second
> because of the netmask length, but (I guess because of a bug somewhere)
> in the IPSEC implementation somehow the second one has priority over
> the first one.
> What I've done to make it work: I built the vanilla kernel with the
> ROUTE target patch from the netfilter pom, and added the following
> iptables rule into the remote gateway's firewall config:
>
> iptables -t mangle -A OUTPUT -s 10.x.0.1 -d 10.x.0.0/16 -j ROUTE --oif
> <Local If> --continue
>
> This solved the problem, so that the core and the remote network can
> communicate with each other, but I'm still not able to access the
> remote gateway's local address from the remote network.
> I know that is not a real solution, but it seems to work.
>
> Actually I really would like to see if somebody solves this issue.
> I hope that you could understand what I've written, given my
> English and my really little knowledge of the IP/IPSEC business.
>
> Zoltan
>
>
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Greg McGuire
>> Sent: Thursday, July 21, 2005 12:02 AM
>> To: users at openswan.org
>> Subject: Re: [Openswan Users] Problem with host reachability
>> when ipsec tunnel is operational
>>
>> Hello --
>>
>>
>>> If you are creating 'overlapping' networks, eg by having 10.0.0.0/8
>>> on one end, and 10.0.x.0/24 on another end, then with KLIPS this worked
>>> but with NETKEY you will need extra passthrough connections to make it
>>> work.
>>
>> This is exactly the issue I am having, but cannot seem to make the
>> passthrough connection work. Could I ask to be pointed to an
>> example, or more information about this (or a link to TFM)?
>>
>> My network topology is like this:
>>
>> 10.0.0.0/8 <------> 10.x.0.0/16
>> 10.254.0.1 10.x.0.1
>> core gateway remote gateway(s) running NAT
>>
>> All systems are running openswan 2.2 on Debian (Sarge) with kernel
>> 2.6.8. The "core" gateway is working fine, and can route to all of
>> the "remote" gateways perfectly using openswan. However, when I
>> bring up openswan on the remote gateway it swallows all of
>> 10.0.0.0/8, and does not exclude the class 16 as (I believe) it
>> should. This means that the remote gateway cannot talk to any
>> machine on its own subnet; those packets appear on the external
>> interface instead. As there are no routes doing this, I assume
>> openswan is grabbing them.
>>
>> My remote gateway's ipsec.conf:
>>
>> conn to_core
>>     type=tunnel
>>     left=MY_EXTERNAL_IP
>>     leftsubnet=10.3.0.0/16
>>     leftnexthop=%defaultroute
>>     right=CORE_EXTERNAL_IP
>>     rightsubnet=10.0.0.0/8
>>     rightnexthop=%defaultroute
>>     spibase=0x200
>>     esp=3des-md5-96
>>     keyexchange=ike
>>     pfs=yes
>>     auth=esp
>>     auto=start
>>     authby=secret
>>     ikelifetime=8h
>>     keylife=8h
>>
>> My remote gateway's routing table:
>>
>> remote:/# ip route show
>> MY_EXTERNAL_IP/22 dev eth0 proto kernel scope link src MY_EXTERNAL_IP
>> 10.3.0.0/16 dev eth1 proto kernel scope link src 10.3.0.1
>> 10.0.0.0/8 via MY_NEXT_HOP dev eth0
>> default via MY_NEXT_HOP dev eth0
>>
>> Thanks,
>> Greg
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>>
>>