[Openswan Users] Questions relating to OpenSWAN and Fedora Core 3

Jeff Simmons jsimmons at goblin.punk.net
Thu Mar 3 15:30:15 CET 2005

I've been through the documentation, but I'm getting somewhat lost, since I'm 
using Fedora Core 3 (which uses OpenSWAN with the native 2.6 kernel 
extensions) and some things seem to be broken. So I thought I'd try to ask a 
couple of questions to get myself started.

I'm building a fairly complex box with two external interfaces, one for normal 
traffic and one just for VPNs.

I'd assumed that OpenSWAN did some rudimentary routing, given the existence of 
the 'next hop' specification in the connection configurations, but that 
doesn't seem to be the case. What is the purpose of the 'next hop' 
specification, should it be routing packets out of EXT2 instead of the 
default route of EXT1 if I tell it to? Is this broken using the native 2.6 
kernel, should I be looking at using IP (IPRoute2) to route all traffic out 

Where, and what, is the virtual interface ipsec0? It shows up in the log 
files, but as a KLIPS message, and the native ipsec extensions don't (I 
think) use KLIPS. Is this also broken in Fedora Core 3? Should it be visible 
to ifconfig, tcpdump, iptables, etc.? Where does it fit into the food chain 
of outgoing packets? (The diagram by Poltorak in the HowTo is a bit ambiguous 
as to where iptables processes packest.)

Stack - iptables(ipsec0) - ipsec - iptables(ext1) - EXT1 - Internet?

Sorry to be so imprecise, but I'm just getting started on this project, and 
info on the difference (even a pointer to online docs, I've been looking) 
between PLUTO/KLIPS and PLUTO/native 2.6 code would be greatly appreciated.

Jeff Simmons                                   jsimmons at goblin.punk.net
     Simmons Consulting - Network Engineering, Administration, Security

"You guys, I don't hear any noise. Are you sure you're doing it right?"
	-- My Life With The Thrill Kill Kult

More information about the Users mailing list