[Openswan Users] route question

Paul Wouters paul at xelerance.com
Tue Jun 21 22:52:02 CEST 2005


On Tue, 21 Jun 2005, Jason Sigurdur wrote:

> Hi, I added a catch-all vpn that anything not 10/8 would be such as:
>
> conn S16toSGW
>        left=172.31.0.16
>        leftsubnet=10.16.0.0/16
>        right=172.31.0.1
>        rightsubnet=0.0.0.0/0
>        auto = start
>
> Now I get the following entries in my routing table?
> 0.0.0.0         172.31.0.1      128.0.0.0       UG    0      0        0 ipsec0
> 128.0.0.0       172.31.0.1      128.0.0.0       UG    0      0        0 ipsec0

This is the "routing hack".
In order to catch ANY packets from anywhere to 10.16.0.0/16, KLIPS needs to
inspect ANY packet to see if it matches. The way to get KLIPS to inspect a
packet is to route it into an ipsec device. This is (still) not done by
source/destination routing, though some suggestions have come up, all with
their own set of problems, to use iproute2 for this.
Since we cannot put the default route into ipsecN, we create a bogus route
with a longer prefix match to take preference over the default route. So 0.0.0.0/0
is split into two subnets, 0.0.0.0/1 and 128.0.0.0/1. These two routes together
still catch all packets, like the default route, but have a higher priority than
the actual default route, since it's a longer prefix. When KLIPS has processed
the packets, it will send them on to the real default gateway.

So, these routes are only added if there is a conn with subnet=0.0.0.0/0 (which is
also the case when enabling Opportunistic Encryption).

With NETKEY, these routes are not needed, since NETKEY manages to see every single
packet through other kernel hooks (which again have their own set of problems, one
being that it sees them after other packet handlers (the ones tcpdump uses) see
them). It also causes some interference with SNAT/DNAT POST/PRE iptables.

Paul


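An added example, not part of the mail above: a small longest-prefix-match lookup that reproduces the kernel's route selection over a constructed table, so you can see why the two /1 routes win over the default route and which traffic still bypasses them. The `eth0`/`eth1` interfaces, the default gateway `172.31.0.254`, the local `172.31.0.0/24` route and the sample destinations are assumptions; the two `route -n` lines are the ones quoted in the thread.

```python
"""Longest-prefix-match walk-through of the KLIPS "routing hack".

Added example, not code from Openswan or from the mail. Interface names,
the 172.31.0.254 default gateway and the test destinations are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    iface: str


def parse_route_n(line: str) -> Route:
    """Parse one line of `route -n` output (Destination Gateway Genmask ... Iface).

    Only the destination, gateway, netmask and interface columns are used.
    """
    fields = line.split()
    dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
    return Route(ipaddress.IPv4Network((dest, mask)), gw, iface)


def lookup(table, dst: str):
    """Kernel-style FIB selection: among routes that contain dst,
    the one with the longest prefix wins. Returns None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def hack_routes(gateway: str, iface: str = "ipsec0"):
    """The two /1 routes installed for a rightsubnet=0.0.0.0/0 conn:
    0.0.0.0/0 split into 0.0.0.0/1 and 128.0.0.0/1."""
    whole = ipaddress.IPv4Network("0.0.0.0/0")
    return [Route(n, gateway, iface) for n in whole.subnets(prefixlen_diff=1)]


def covers_everything(routes) -> bool:
    """True if the union of the given routes is the entire IPv4 space,
    i.e. they catch all packets exactly like a default route would."""
    merged = list(ipaddress.collapse_addresses(r.network for r in routes))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]


# Constructed baseline table: a real default route plus two connected subnets.
BASE_TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "172.31.0.254", "eth0"),   # default gw (assumed)
    Route(ipaddress.IPv4Network("172.31.0.0/24"), "0.0.0.0", "eth0"),    # transit LAN (assumed)
    Route(ipaddress.IPv4Network("10.16.0.0/16"), "0.0.0.0", "eth1"),     # leftsubnet, local
]

# The two entries quoted in the thread, as printed by `route -n`.
ROUTE_N_LINES = [
    "0.0.0.0         172.31.0.1      128.0.0.0       UG    0      0        0 ipsec0",
    "128.0.0.0       172.31.0.1      128.0.0.0       UG    0      0        0 ipsec0",
]

HACKED_TABLE = BASE_TABLE + [parse_route_n(l) for l in ROUTE_N_LINES]


def next_hop(dst: str, with_hack: bool = True):
    """Return (iface, prefix) chosen for dst with or without the hack routes."""
    r = lookup(HACKED_TABLE if with_hack else BASE_TABLE, dst)
    return (r.iface, str(r.network)) if r else None


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.1.1", "10.16.5.5", "172.31.0.9"):
        print(f"{dst:12} without hack -> {next_hop(dst, False)}  with hack -> {next_hop(dst)}")
    print("hack routes cover all of IPv4:", covers_everything(hack_routes("172.31.0.1")))
```

Worth noting from the output: hosts in the /16 and the /24 are still reached directly because those prefixes are longer than /1, so only traffic that would otherwise have hit the default route is steered into `ipsec0`. When auditing a box with a `rightsubnet=0.0.0.0/0` conn, checking that both /1 routes are present (and point at the same gateway) is the quick way to confirm the hack is intact.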