[Openswan Users] Ping goes down tunnel but ALSO onto local subnet

Guy Bullen-Smith guybs at iafrica.com
Thu May 26 19:22:03 CEST 2005


When I ping a client (10.0.0.4) it goes down the tunnel - and back - correctly,
but it _also_ goes out in plaintext on the local net.  Why?

I've tried Openswan 1.0.6 and 2.3.1 on linux-2.4.21-rmk1 (ARM9).

From ethereal running on 192.168.1.17 (the peer):
Source                Destination           Protocol Info
192.168.1.18          192.168.1.17          ESP      ESP (SPI=0xb5f29833)
192.168.1.18          10.0.0.4              ICMP     Echo (ping) request
192.168.1.17          192.168.1.18          ESP      ESP (SPI=0x4662bd77)

klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:eth0
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:136 id:15072 frag_off:0 ttl:64 proto:50 chk:48112 saddr:192.168.1.18 daddr:192.168.1.17

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.17    192.168.1.17    255.255.255.255 UGH       0 0          0 ipsec0
192.168.1.16    0.0.0.0         255.255.255.248 U         0 0          0 eth0
192.168.1.16    0.0.0.0         255.255.255.248 U         0 0          0 ipsec0
10.0.0.0        192.168.1.17    255.0.0.0       UG        0 0          0 ipsec0
0.0.0.0         192.168.1.17    0.0.0.0         UG        0 0          0 eth0
#
If I skip the 0.0.0.0 route - no change.
If I drop the other eth0 route nothing goes out.

pluto --ctlbase "/tmp/pluto" --secretsfile "/tmp/secrets" --uniqueids
whack --ctlbase "/tmp/pluto" --listen
whack --ctlbase "/tmp/pluto" --name tunn01  --encrypt --tunnel \
    --ps --ike "3des-sha-modp1024" --ikelifetime 1800  --rekeywindow "540" \
    --keyingtries "0"  --esp "3des-sha1" --ipseclifetime 28800   \
    --updown "ipsec_updown.sh"  \
    --host 192.168.1.18  --to --host 192.168.1.17 --client 10.0.0.0/8
whack --ctlbase "/tmp/pluto" --route tunn01
whack --ctlbase "/tmp/pluto" --name tunn01 --initiate

# more /proc/net/ipsec_eroute
38         192.168.1.18/32    -> 10.0.0.0/8         => tun0x1006@192.168.1.17
#

The ipsec_updown.sh script above is empty.  All routes are set before
starting pluto.

Thanks, Guy
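Added example, not part of Guy's post or of Openswan itself: a small checker that takes a packet list in the shape of the ethereal output above plus the /proc/net/ipsec_eroute table, and flags any frame that should have been encrypted (its source and destination fall inside an eroute selector) yet shows up on the wire as something other than ESP or AH. A second helper does longest-prefix matching over `netstat -nr` text so the expected egress interface for a destination can be read off the posted routing table. The sample inputs are constructed from the figures in the post; the function names and the simplified "src dst proto info" capture format are this example's own assumptions.

```python
"""Added example (not from the mailing-list post or from Openswan):
detect plaintext frames that an IPsec eroute says must be tunnelled,
and resolve destinations against a netstat -nr table."""
import ipaddress
import re

# Constructed input: the three frames from the post's ethereal capture,
# reduced to "src dst protocol info".
CAPTURE = """\
192.168.1.18 192.168.1.17 ESP  ESP (SPI=0xb5f29833)
192.168.1.18 10.0.0.4     ICMP Echo (ping) request
192.168.1.17 192.168.1.18 ESP  ESP (SPI=0x4662bd77)
"""

# Constructed input in /proc/net/ipsec_eroute format.  Mailing-list archives
# rewrite '@' as ' at ', so both spellings are accepted by the parser.
EROUTES = """\
38         192.168.1.18/32    -> 10.0.0.0/8         => tun0x1006@192.168.1.17
"""

# Constructed input: the routing table from the post.
NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.17    192.168.1.17    255.255.255.255 UGH       0 0          0 ipsec0
192.168.1.16    0.0.0.0         255.255.255.248 U         0 0          0 eth0
192.168.1.16    0.0.0.0         255.255.255.248 U         0 0          0 ipsec0
10.0.0.0        192.168.1.17    255.0.0.0       UG        0 0          0 ipsec0
0.0.0.0         192.168.1.17    0.0.0.0         UG        0 0          0 eth0
"""

# count  src/len -> dst/len => said, where said may be "tun0x1006@peer" or
# the archive-munged "tun0x1006 at peer".
EROUTE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+(?:\s+at\s+\S+)?)")


def parse_eroutes(text):
    """Return [(count, src_net, dst_net, said)] from ipsec_eroute text."""
    out = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if not m:
            continue
        count, src, dst, said = m.groups()
        out.append((int(count),
                    ipaddress.ip_network(src, strict=False),
                    ipaddress.ip_network(dst, strict=False),
                    said.replace(" at ", "@")))
    return out


def find_plaintext_leaks(capture_text, eroute_text):
    """Frames whose src/dst lie inside an eroute selector but are neither ESP
    nor AH are leaks: the policy says they must never appear in the clear on
    the outer interface.  Returns [(src, dst, proto, said)]."""
    eroutes = parse_eroutes(eroute_text)
    leaks = []
    for line in capture_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue
        src, dst, proto = fields[0], fields[1], fields[2]
        if proto in ("ESP", "AH"):
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _, src_net, dst_net, said in eroutes:
            if s in src_net and d in dst_net:
                leaks.append((src, dst, proto, said))
                break
    return leaks


def lookup_route(netstat_text, dst):
    """Longest-prefix match over `netstat -nr` output.  Returns
    (gateway, iface) of the first most-specific entry, or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # skip the two header lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        if d in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, f[1], f[7])
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for src, dst, proto, said in find_plaintext_leaks(CAPTURE, EROUTES):
        print(f"LEAK: {src} -> {dst} {proto} in the clear, covered by {said}")
    print("10.0.0.4 routes via", lookup_route(NETSTAT, "10.0.0.4"))
```

Run against the posted data it reports the ICMP echo to 10.0.0.4 as a leak (the eroute 192.168.1.18/32 -> 10.0.0.0/8 covers it), while the route lookup confirms 10.0.0.4 resolves to ipsec0 via 192.168.1.17, so the routing table alone does not explain the extra plaintext copy.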