[Openswan Users] Please help with routing bypassing tunnel

Guy Bullen-Smith guybs at iafrica.com
Wed Mar 9 09:16:14 CET 2005


Hi All

I have a test setup (described below) that successfully builds a tunnel.

If I ping from one end to the other it sometimes goes through the tunnel
and other times not.  It seems to depend on the order of entries in the
routing table.

Could you please tell me what to do to prevent any network traffic to
or from the endpoints other than through the tunnel (excepting ARP)?

Thanks,
Guy Bullen-Smith


192.168.1.10  Left (ARM9 device Linux-2.4.21-rmk1+openswan-1.0.6)
     |
192.168.1.1    eth1  (fedora 3 box)
10.0.0.3       eth0
     |
10.0.0.10     Right (ARM9 device Linux-2.4.21-rmk1+openswan-1.0.6)

Klips is statically linked into the kernel and I'm trying to use the
minimum set of ipsec tools.

Left is configured as follows (during booting):

tncfg --attach --virtual ipsec0 --physical eth0
eroute --add --eraf inet --src 0/0 --dst 0/0 --said %drop
ifconfig ipsec0 192.168.1.10
route add -host 10.0.0.10 gw 192.168.1.1 ipsec0
ifconfig eth0 192.168.1.10
route add -host 10.0.0.10 gw 192.168.1.1 eth0
echo "192.168.1.10 10.0.0.10 : PSK \"secret\"" >/tmp/secrets
pluto --secretsfile "/tmp/secrets" --uniqueids --ctlbase "/tmp/pluto"
whack --ctlbase "/tmp/pluto" --listen
whack --ctlbase "/tmp/pluto" --name tunnie  --encrypt --tunnel \
   --dpdaction "hold" --ps --ike "3des-sha-modp1024" \
   --ikelifetime 1800  --rekeywindow "540" --keyingtries "0"  \
   --esp "3des-sha1" --ipseclifetime 28800   --updown "ipsec_updown.sh"  \
   --host 192.168.1.10 --nexthop 192.168.1.1  \
   --to --host 10.0.0.10 --client 10.0.0.10/32
whack --ctlbase "/tmp/pluto" --name tunnie --initiate

If I now ping from Left to Right it goes through in the clear.

BUT if I change the routes from this:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.10       192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
10.0.0.10       192.168.1.1     255.255.255.255 UGH       0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

to this:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.10       192.168.1.1     255.255.255.255 UGH       0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.0.0        192.168.1.1     255.0.0.0       UG        0 0          0 eth0
#
It goes through the tunnel.

My guess is that it's "arbitrarily" choosing eth0 over ipsec0 and I
don't know how to force it to use ipsec0 and prevent any traffic other
than ARP on eth0.  If I take out the eth0 route it starts ARPing
for 10.0.0.10 on the 192.168.1.0 subnet.  I considered using metrics
on the routes but the platform doesn't support it.  I need to ensure that
the device reliably chooses ipsec0 and also does not accept any incoming
traffic other than through the tunnel.

I'd be grateful if you could point me in the right direction.

002 "tunnie" #1: initiating Main Mode
104 "tunnie" #1: STATE_MAIN_I1: initiate
002 "tunnie" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "tunnie" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "tunnie" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "tunnie" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "tunnie" #1: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.10'
002 "tunnie" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
002 "tunnie" #1: ISAKMP SA established
004 "tunnie" #1: STATE_MAIN_I4: ISAKMP SA established
002 "tunnie" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL
122 "tunnie" #2: STATE_QUICK_I1: initiate
002 "tunnie" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
002 "tunnie" #2: sent QI2, IPsec SA established
004 "tunnie" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
#
# eroute
0          0.0.0.0/0:0        -> 0.0.0.0/0:0        => %drop:0
0          192.168.1.10/32:0  -> 10.0.0.10/32:0     => tun0x1002@10.0.0.10:0
#
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:20:B7:00:35:58
         inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ipsec0    Link encap:Ethernet  HWaddr 00:20:B7:00:35:58
         inet addr:192.168.1.10  Mask:255.255.255.0
         UP RUNNING NOARP  MTU:16260  Metric:1
 
lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:16436  Metric:1

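The %drop catch-all eroute only sees packets the kernel has already routed into ipsec0, so a route that sends 10.0.0.10 out eth0 bypasses KLIPS entirely and the ping leaves in the clear. The following added check (not part of the original post) reproduces the lookup rule the post observed, longest prefix first and the earlier table entry on a tie, and flags the tunnel peer when it would not leave via ipsec0; it assumes `route -n` output on stdin in the format shown above, and the two tables are constructed copies of the ones in the post.

```shell
#!/bin/sh
# Constructed sample: the first table from the post (10.0.0.10 leaks via eth0).
ROUTES_LEAK='Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.0.0.10       192.168.1.1     255.255.255.255 UGH   0   0      0    eth0
10.0.0.10       192.168.1.1     255.255.255.255 UGH   0   0      0    ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0'

# Constructed sample: the second table from the post (10.0.0.10 goes via ipsec0).
ROUTES_OK='Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.0.0.10       192.168.1.1     255.255.255.255 UGH   0   0      0    ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
10.0.0.0        192.168.1.1     255.0.0.0       UG    0   0      0    eth0'

# route_iface <dst-ip>  (route -n output on stdin)
# Prints the interface selected for dst-ip: the most specific matching route
# wins; among routes of equal prefix length the one listed first wins,
# which is the ordering effect described in the post.
route_iface() {
  awk -v dst="$1" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256+a[2])*256+a[3])*256+a[4] }
    function bits(n,  c) { c = 0; while (n > 0) { c += n % 2; n = int(n / 2) }; return c }
    BEGIN { t = ip2n(dst); best = -1; iface = "none" }
    $1 ~ /^[0-9]/ {
      p = bits(ip2n($3))          # prefix length from the contiguous netmask
      s = 2 ^ (32 - p)            # host-part divisor for the prefix comparison
      if (int(t / s) == int(ip2n($1) / s) && p > best) { best = p; iface = $NF }
    }
    END { print iface }'
}

# check_tunnel_path <peer-ip>  (route -n output on stdin)
# Succeeds only when the peer would be reached through ipsec0.
check_tunnel_path() {
  [ "$(route_iface "$1")" = "ipsec0" ]
}

printf 'leaking table: 10.0.0.10 via %s\n' "$(printf '%s\n' "$ROUTES_LEAK" | route_iface 10.0.0.10)"
printf 'working table: 10.0.0.10 via %s\n' "$(printf '%s\n' "$ROUTES_OK"   | route_iface 10.0.0.10)"
```

Run it against the live `route -n` on Left after the routes are added to confirm the peer's path before sending anything; the eroute table alone will not reveal traffic that never enters ipsec0.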
