[Openswan Users] Questions relating to OpenSWAN and Fedora Core 3
jsimmons at goblin.punk.net
Thu Mar 3 15:30:15 CET 2005
I've been through the documentation, but I'm getting somewhat lost, since I'm
using Fedora Core 3 (which uses OpenSWAN with the native 2.6 kernel
extensions) and some things seem to be broken. So I thought I'd try to ask a
couple of questions to get myself started.
I'm building a fairly complex box with two external interfaces, one for normal
traffic and one just for VPNs.
I'd assumed that OpenSWAN did some rudimentary routing, given the existence of
the 'next hop' specification in the connection configurations, but that
doesn't seem to be the case. What is the purpose of the 'next hop'
specification, should it be routing packets out of EXT2 instead of the
default route of EXT1 if I tell it to? Is this broken using the native 2.6
kernel, should I be looking at using IP (IPRoute2) to route all traffic out
Where, and what, is the virtual interface ipsec0? It shows up in the log
files, but as a KLIPS message, and the native ipsec extensions don't (I
think) use KLIPS. Is this also broken in Fedora Core 3? Should it be visible
to ifconfig, tcpdump, iptables, etc.? Where does it fit into the food chain
of outgoing packets? (The diagram by Poltorak in the HowTo is a bit ambiguous
as to where iptables processes packest.)
Stack - iptables(ipsec0) - ipsec - iptables(ext1) - EXT1 - Internet?
Sorry to be so imprecise, but I'm just getting started on this project, and
info on the difference (even a pointer to online docs, I've been looking)
between PLUTO/KLIPS and PLUTO/native 2.6 code would be greatly appreciated.
Jeff Simmons jsimmons at goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult
More information about the Users