[Openswan Users] Ping goes down tunnel but ALSO onto local subnet
Guy Bullen-Smith
guybs at iafrica.com
Thu May 26 19:22:03 CEST 2005
When I ping a client (10.0.0.4) it goes down the tunnel - and back - correctly,
but it _also_ goes out in plaintext on the local net. Why?
I've tried Openswan 1.0.6 and 2.3.1 on linux-2.4.21-rmk1 (ARM9).
From ethereal running on 192.168.1.17 (the peer):
Source Destination Protocol Info
192.168.1.18 192.168.1.17 ESP ESP (SPI=0xb5f29833)
192.168.1.18 10.0.0.4 ICMP Echo (ping) request
192.168.1.17 192.168.1.18 ESP ESP (SPI=0x4662bd77)
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:eth0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:136 id:15072 frag_off:0 ttl:64 proto:50 chk:48112 saddr:192.168.1.18 daddr:192.168.1.17
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.17    192.168.1.17    255.255.255.255 UGH     0 0      0    ipsec0
192.168.1.16    0.0.0.0         255.255.255.248 U       0 0      0    eth0
192.168.1.16    0.0.0.0         255.255.255.248 U       0 0      0    ipsec0
10.0.0.0        192.168.1.17    255.0.0.0       UG      0 0      0    ipsec0
0.0.0.0         192.168.1.17    0.0.0.0         UG      0 0      0    eth0
#
If I skip the 0.0.0.0 route - no change.
If I drop the other eth0 route nothing goes out.
pluto --ctlbase "/tmp/pluto" --secretsfile "/tmp/secrets" --uniqueids
whack --ctlbase "/tmp/pluto" --listen
whack --ctlbase "/tmp/pluto" --name tunn01 --encrypt --tunnel \
--ps --ike "3des-sha-modp1024" --ikelifetime 1800 --rekeywindow "540" \
--keyingtries "0" --esp "3des-sha1" --ipseclifetime 28800 \
--updown "ipsec_updown.sh" \
--host 192.168.1.18 --to --host 192.168.1.17 --client 10.0.0.0/8
whack --ctlbase "/tmp/pluto" --route tunn01
whack --ctlbase "/tmp/pluto" --name tunn01 --initiate
# more /proc/net/ipsec_eroute
38 192.168.1.18/32 -> 10.0.0.0/8 => tun0x1006 at 192.168.1.17
#
The ipsec_updown.sh script above is empty. All routes are set before
starting pluto.
Thanks, Guy
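Added example, not part of Guy's post or of Openswan: a small checker that reads the two tables he pasted (the `netstat -nr` routing table and `/proc/net/ipsec_eroute`) and, for a given source and destination, reports which interface the longest-prefix route selects and whether a KLIPS eroute covers that flow. It also lists prefixes that appear on more than one interface, as the 192.168.1.16/29 rows do above. The sample text is constructed from the post; the script does not model every kernel routing detail (metrics, policy routing), so a "protected" verdict here is a sanity check on the tables, not proof that no plaintext copy leaves eth0.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input in the shape of the post's `netstat -nr` output.
NETSTAT_NR = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.17    192.168.1.17    255.255.255.255 UGH     0 0      0    ipsec0
192.168.1.16    0.0.0.0         255.255.255.248 U       0 0      0    eth0
192.168.1.16    0.0.0.0         255.255.255.248 U       0 0      0    ipsec0
10.0.0.0        192.168.1.17    255.0.0.0       UG      0 0      0    ipsec0
0.0.0.0         192.168.1.17    0.0.0.0         UG      0 0      0    eth0
"""

# Constructed sample input in the shape of /proc/net/ipsec_eroute (KLIPS).
EROUTES = """\
38 192.168.1.18/32 -> 10.0.0.0/8 => tun0x1006 at 192.168.1.17
"""


def parse_routes(text):
    """Parse `netstat -nr` rows into dicts with an ip_network and the interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # title line or column header
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gw": gw, "flags": flags, "iface": iface})
    return routes


def parse_eroutes(text):
    """Parse KLIPS eroute lines: <count> <src> -> <dst> => <said> at <peer>."""
    eroutes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[2] != "->":
            continue
        eroutes.append({
            "src": ipaddress.ip_network(parts[1]),
            "dst": ipaddress.ip_network(parts[3]),
            "said": parts[5],
            "peer": parts[7],
        })
    return eroutes


def longest_match(routes, dst):
    """Return every route tied for the longest prefix that contains dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    if not hits:
        return []
    best = max(r["net"].prefixlen for r in hits)
    return [r for r in hits if r["net"].prefixlen == best]


def duplicate_prefixes(routes):
    """Map each prefix that is routed on more than one interface to those interfaces."""
    by_net = defaultdict(set)
    for r in routes:
        by_net[r["net"]].add(r["iface"])
    return {net: sorted(ifs) for net, ifs in by_net.items() if len(ifs) > 1}


def check_destination(routes, eroutes, src, dst):
    """Report how src->dst is routed and whether an eroute covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chosen = longest_match(routes, dst)
    ifaces = sorted({r["iface"] for r in chosen})
    covering = [e for e in eroutes if s in e["src"] and d in e["dst"]]
    return {
        "ifaces": ifaces,
        "ambiguous": len(ifaces) > 1,          # same prefix on several interfaces
        "eroute": covering[0]["said"] if covering else None,
        # Only call it protected when the route lands on an ipsec interface
        # AND an eroute selects the flow for encapsulation.
        "protected": bool(covering) and bool(ifaces)
                     and all(i.startswith("ipsec") for i in ifaces),
    }


ROUTES = parse_routes(NETSTAT_NR)
EROUTES_PARSED = parse_eroutes(EROUTES)

if __name__ == "__main__":
    for dst in ("10.0.0.4", "192.168.1.20", "8.8.8.8"):   # constructed probe addresses
        print(dst, check_destination(ROUTES, EROUTES_PARSED, "192.168.1.18", dst))
    print("prefixes on more than one interface:", duplicate_prefixes(ROUTES))
```

Run it against a live box by replacing the two constants with the real command output; the destination 10.0.0.4 from the post resolves to ipsec0 with eroute tun0x1006, while any host in 192.168.1.16/29 is flagged ambiguous because that prefix is present on both eth0 and ipsec0.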