[Openswan Users] Proxy arp for virtual IP address

Marcus Better marcus at better.se
Fri Jun 3 18:46:05 CEST 2005


I have a setup pretty much as described in
with minor changes, so I'll repeat it here:

My internal network is I have the following hosts:

gw.example.com   D-link router (Internet side)
                 Same D-link router (LAN side)
                 Openswan gateway (responder)
                 (Fedora Core 3, Openswan U2.3.1/K2.6.11-1.14_FC3)
                 Openswan client (initiator)
                 (Debian testing, i386, openswan 2.3.1-1).

The router is configured to pass all incoming traffic from the Internet
to the gateway, which has only one Ethernet interface.

The hosts on the local network have their default route
pointing to the Openswan gateway

Now I start a host-to-net tunnel from the client (, public
IP) and try to ping some hosts on the internal network, say This works OK.

Next I want to give the client a virtual IP address from the internal
network, say (The idea is to use the
subnet for virtual IPs.) I do this by adding "leftsubnet" and
"leftsourceip" to the client's ipsec.conf, so it looks like:

config setup

conn %default
    rightca="C=SE, O=..."

conn mytunnel
    leftid=marcus at example.com

With this setup, I can no longer ping from the client to internal hosts,
except for the Openswan gateway (I can also ping the client from the gateway.)

I think this has to do with ARP. Using tcpdump on the Openswan gateway I
can see the following (pinging from the client):

17:37:09.599006 IP > icmp 64: echo request seq 1
17:37:09.599121 IP > icmp 64: echo request seq 1
17:37:09.600512 arp who-has tell

Naturally, the internal host ( thinks that the virtual IP is
on the local network and tries ARP to discover the hardware address, but
there are no answers.

I have the sysctl
  net.ipv4.conf.eth0.proxy_arp = 1
so I thought the Openswan gateway would automatically proxy arp the
virtual IP, but apparently this doesn't happen.

Moreover, it doesn't help if I add a proxy arp entry manually using
  arp -sD eth0 pub

So, the questions are:

* How can I make the Openswan box do proxy arp?

* Is it a problem that the local subnet contains the
virtual IP address? If so, how can I "reserve" let's say a /28 subnet
out of my local network for virtual IPs without overlapping?
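Added example (not from the post and not Openswan code): a Python model of the Linux proxy ARP decision, to show why a virtual IP inside the LAN subnet gets no reply on a single-interface gateway. The kernel answers an ARP request only when proxy_arp is enabled for the ingress interface and the route to the requested address leaves through a different interface; with only eth0 the connected LAN route wins, so the request goes unanswered. The addresses (192.168.1.0/24 LAN, a 192.168.1.240/28 virtual range) and the second interface ipsec0 are assumptions.

```python
import ipaddress

# Constructed routing tables for the Openswan gateway in "ip route" terms.
# Addresses are assumed: LAN 192.168.1.0/24, virtual-IP range 192.168.1.240/28.
GW_ROUTES_SINGLE = [
    ("0.0.0.0/0", "eth0"),       # default route towards the D-link router
    ("192.168.1.0/24", "eth0"),  # connected LAN route on the only interface
]
# Same box with the /28 routed through a second interface (assumed: KLIPS
# ipsec0; a dummy device behaves the same), so the kernel sees another egress.
GW_ROUTES_SPLIT = GW_ROUTES_SINGLE + [("192.168.1.240/28", "ipsec0")]
SYSCTL = {"net.ipv4.conf.eth0.proxy_arp": 1}  # the setting from the post

def lookup(routes, target):
    """Longest-prefix match, like the kernel FIB; returns the egress device."""
    addr = ipaddress.ip_address(target)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def will_proxy_arp(routes, sysctl, in_dev, target):
    """Model of the Linux rule: answer an ARP request that arrived on in_dev
    for target only if proxy_arp is enabled for in_dev (per-interface or
    'all') AND the route to target leaves through a different interface."""
    enabled = (sysctl.get(f"net.ipv4.conf.{in_dev}.proxy_arp", 0)
               or sysctl.get("net.ipv4.conf.all.proxy_arp", 0))
    if not enabled:
        return False, "proxy_arp disabled"
    out_dev = lookup(routes, target)
    if out_dev is None:
        return False, "no route to target"
    if out_dev == in_dev:
        return False, f"route leaves via {out_dev}, the same interface"
    return True, f"route leaves via {out_dev}"

def report(target="192.168.1.241"):
    """Compare both layouts for an ARP request from a LAN host on eth0."""
    results = {}
    for name, routes in (("single eth0", GW_ROUTES_SINGLE),
                         ("/28 via ipsec0", GW_ROUTES_SPLIT)):
        ok, why = will_proxy_arp(routes, SYSCTL, "eth0", target)
        results[name] = ok
        print(f"{name:15s}: {'answers' if ok else 'stays silent'} ({why})")
    return results

if __name__ == "__main__":
    report()
```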


