[Openswan Users] Proxy arp for virtual IP address

Marcus Better marcus at better.se
Fri Jun 3 18:46:05 CEST 2005


Hello,

I have a setup pretty much as described in
  http://lists.openswan.org/pipermail/users/2005-January/003338.html
with minor changes, so I'll repeat it here:

My internal network is 192.168.1.0/24. I have the following hosts:

gw.example.com                  D-link router (Internet side)
192.168.1.1                     Same D-link router (LAN side)
192.168.1.2                     Openswan gateway (responder)
                  (Fedora Core 3, Openswan U2.3.1/K2.6.11-1.14_FC3)
83.227.75.174                   Openswan client (initiator)
                 (Debian testing, i386, openswan 2.3.1-1).

The router is configured to pass all incoming traffic from the Internet
to the gateway 192.168.1.2, which has only one Ethernet interface.

The hosts on the local network 192.168.1.0/24 have their default route
pointing to the Openswan gateway 192.168.1.2.

Now I start a host-to-net tunnel from the client (83.227.75.174, public
IP) and try to ping some hosts on the internal network, say
192.168.1.21. This works OK.

Next I want to give the client a virtual IP address from the internal
network, say 192.168.1.241. (The idea is to use the 192.168.1.0/28
subnet for virtual IPs.) I do this by adding "leftsubnet" and
"leftsourceip" to the client's ipsec.conf, so it looks like:
--------------------------------------------
config setup
    interfaces="%defaultroute"
    nat_traversal=yes

conn %default
    authby=rsasig
    rightrsasigkey=%cert
    rightca="C=SE, O=..."
    left=%defaultroute
    leftcert=marcus.pem

conn mytunnel
    leftid=marcus at example.com
    leftsubnet=192.168.1.241/32
    leftsourceip=192.168.1.241
    right=gw.example.com
    rightsubnet=192.168.1.0/24
    rightid=@gw.example.com
    auto=start
--------------------------------------------

With this setup, I can no longer ping from the client to internal hosts,
except for the Openswan gateway 192.168.1.2. (I can also ping the client
192.168.1.241 from the gateway.)

I think this has to do with ARP. Using tcpdump on the Openswan gateway I
can see the following (pinging 192.168.1.21 from the client 192.168.1.241):

--------------------------------------------
17:37:09.599006 IP 192.168.1.241 > 192.168.1.21: icmp 64: echo request seq 1
17:37:09.599121 IP 192.168.1.241 > 192.168.1.21: icmp 64: echo request seq 1
17:37:09.600512 arp who-has 192.168.1.241 tell 192.168.1.21
--------------------------------------------

Naturally, the internal host (192.168.1.21) thinks that the virtual IP is
on the local network and tries ARP to discover the hardware address, but
there are no answers.

I have the sysctl
  net.ipv4.conf.eth0.proxy_arp = 1
so I thought the Openswan gateway would automatically proxy arp the
virtual IP, but apparently this doesn't happen.

Moreover, it doesn't help if I add a proxy arp entry manually using
  arp -sD 192.168.1.241 eth0 pub

So, the questions are:

* How can I make the Openswan box do proxy arp?

* Is it a problem that the local subnet 192.168.1.0/24 contains the
virtual IP address? If so, how can I "reserve" let's say a /28 subnet
out of my local network for virtual IPs without overlapping?

Marcus
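The tcpdump symptom described in the post (an ARP who-has for the virtual IP that nobody answers) can be checked mechanically. The following is an added example, not code from the post or from Openswan; it assumes the classic tcpdump ARP line format shown above, and the reply line in the sample is constructed to show what an answered request looks like.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the capture in the post. The echo request
# appears twice because it arrives through the tunnel and is then forwarded
# out of the gateway's only interface; the "arp reply" line is constructed.
SAMPLE = """\
17:37:09.599006 IP 192.168.1.241 > 192.168.1.21: icmp 64: echo request seq 1
17:37:09.599121 IP 192.168.1.241 > 192.168.1.21: icmp 64: echo request seq 1
17:37:09.600512 arp who-has 192.168.1.241 tell 192.168.1.21
17:37:10.600600 arp who-has 192.168.1.241 tell 192.168.1.21
17:37:11.601000 arp who-has 192.168.1.2 tell 192.168.1.21
17:37:11.601100 arp reply 192.168.1.2 is-at 00:11:22:33:44:55
"""

WHO_HAS = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"^(\S+) arp reply (\S+) is-at (\S+)")


def unanswered_arp(lines, pool):
    """Return {target_ip: request_count} for ARP requests whose target lies
    inside `pool` and that never got an "is-at" reply in the capture.

    A non-empty result for a tunnel client's virtual IP means no host on
    the LAN (the Openswan gateway included) is publishing a proxy ARP
    entry for it, so LAN hosts cannot send return traffic to it."""
    net = ip_network(pool)
    asked, answered = {}, set()
    for line in lines:
        m = WHO_HAS.match(line)
        if m:
            target = m.group(2)
            if ip_address(target) in net:
                asked[target] = asked.get(target, 0) + 1
            continue
        m = REPLY.match(line)
        if m:
            answered.add(m.group(2))
    return {ip: n for ip, n in asked.items() if ip not in answered}


if __name__ == "__main__":
    for ip, n in unanswered_arp(SAMPLE.splitlines(), "192.168.1.0/24").items():
        print(f"{ip}: {n} ARP request(s), no reply: no proxy ARP entry published")
```

Run it against `tcpdump -n -i eth0 arp` output on the gateway after adding the proxy entry; a virtual IP that still shows up here is not being proxied.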

