[Openswan Users]

Paul Wouters paul at xelerance.com
Fri Nov 11 19:23:56 CET 2005


On Fri, 11 Nov 2005, Alex wrote:

> We would like all traffic from the remote subnet to go through the tunnel,
> including Internet traffic.  When the tunnel comes up, it works as expected.
> All traffic goes through the tunnel.

Okay.

> Then, we experience two challenges.
>
> 1.  We can no longer access the external interface of the left gateway from
> the Internet.  When doing a tcpdump, we see our SSH requests coming in from
> the Internet but we see the replies being sent through the IPSec tunnel.  We
> can only access the left gateway through the IPSec tunnel from the right side.

Correct. You might be able to do some tuning using 'ip rule' statements. But
this appears to be an artifact when using KLIPS in some scenarios.

> After the tunnel comes up, this is the routing table.  Is this normal?  Is
> that 128.0.0.0 route for opportunistic encryption?  What is that?

KLIPS "grabs" packets by openswan creating routes into the ipsecX devices.
So as soon as a packet is routed into ipsecX, it is processed by KLIPS.
For a tunnel that is either an IP extrusion or otherwise contains a
0.0.0.0/0 on either end, we need to (well really we need to use ip rule..)
create a route that throws all packets into KLIPS. We cannot add a route
for 0.0.0.0/0 because that already exists. So we add two routes covering
both halves of 0.0.0.0/0, being 0.0.0.0/1 and 128.0.0.0/1. This is what
has been called the 'routing hack'. It is basically a default route into
klips that is more specific than the default route itself.

> 2.  After several hours, around 12, the tunnel will drop and it does not
> restart automatically.  The tunnel has to be restarted manually and we see the
> following errors in the log.

> Nov  9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: initial Main Mode
> message received on 2.2.2.2:4500 but no connection has been authorized with
> policy=RSASIG

That is odd, did the conn change policy? Are you sure the config file represents
the real scenario? If so, I'm interested in seeing an 'ipsec barf' (please post
url, not the barf)

> Why would it tell me no connection has been authorized with policy=RSASIG when
> I have it explicitly stated in the ipsec.conf?

It seems the connection got deleted (e.g. ipsec auto --delete connname). If no one
issued such a command, something REALLY bad happened, and pluto forgot a connection.
I have never seen anything like this, hence my request for an ipsec barf output
that should show what has happened.

> Openswan 1.0.7 on both gateways (One gateway behind NATed PIX).

Oh. I take it back. Please do not give me any ipsec barf output. You can try and
upgrade to openswan 1.0.10, but openswan-1 is no longer actively supported, except
for vulnerability fixes, and even that will stop at the end of THIS year.

Paul
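
The 'routing hack' and the 'ip rule' tuning hinted at above, as an added worked example that is not part of Paul's message or of Openswan itself. It models the kernel's longest-prefix match over a routing table that carries the default route plus the two /1 routes into ipsec0, and then a policy-routing rule that sends the gateway's own locally sourced replies out eth0 while LAN traffic keeps going into the tunnel. The public address 2.2.2.2 is taken from the quoted log; the interface names, the LAN prefixes 10.1.0.0/24 and 10.2.0.0/24, the Internet client 198.51.100.7, the table number 100 and the exact form of the rule are all assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for a KLIPS gateway whose peer offers 0.0.0.0/0.
# Each entry is (prefix, outgoing device), like one line of 'ip route show'.
# Interface names, prefixes and table number are assumed, not from the page.
MAIN = [
    ("0.0.0.0/0", "eth0"),      # the ISP default route that already existed
    ("2.2.2.0/24", "eth0"),     # connected public network
    ("10.1.0.0/24", "eth1"),    # local LAN behind this gateway
    ("1.1.1.2/32", "eth0"),     # assumed host route so IKE/ESP to the peer stays on eth0
    ("0.0.0.0/1", "ipsec0"),    # the 'routing hack': first half of 0.0.0.0/0 into KLIPS
    ("128.0.0.0/1", "ipsec0"),  # second half of 0.0.0.0/0 into KLIPS
]
# Assumed extra table for locally originated traffic: Internet goes out eth0,
# but the remote LAN must still enter the tunnel.
TABLE_100 = [
    ("0.0.0.0/0", "eth0"),
    ("10.2.0.0/24", "ipsec0"),
]
TABLES = {"main": MAIN, "100": TABLE_100}

# 'ip rule' entries in priority order: (source selector or None, table name).
RULES_DEFAULT = [(None, "main")]
# Assumed form of the tuning:  ip rule add from 2.2.2.2/32 lookup 100 prio 100
RULES_FIXED = [("2.2.2.2/32", "100"), (None, "main")]


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, so a /1
    beats the /0 default and a /24 beats either /1."""
    dst = ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules, tables, src, dst):
    """Policy routing: walk the rules by priority; the first table that
    actually holds a route for dst decides the outgoing device."""
    src = ip_address(src)
    for selector, table in rules:
        if selector is None or src in ip_network(selector):
            dev = lookup(tables[table], dst)
            if dev is not None:
                return dev
    return None


def demo():
    """Return the decisions that matter for the thread's two questions."""
    return {
        # LAN host browsing the Internet: swallowed by 0.0.0.0/1 into KLIPS.
        "lan_to_internet": route(RULES_DEFAULT, TABLES, "10.1.0.9", "8.8.8.8"),
        # Local subnet is more specific than both /1 routes, stays on eth1.
        "lan_local": lookup(MAIN, "10.1.0.5"),
        # Symptom 1: the SSH reply from the gateway itself also enters the tunnel.
        "ssh_reply_before": route(RULES_DEFAULT, TABLES, "2.2.2.2", "198.51.100.7"),
        # With the source-based rule the reply goes straight out eth0 ...
        "ssh_reply_after": route(RULES_FIXED, TABLES, "2.2.2.2", "198.51.100.7"),
        # ... while LAN clients are still tunnelled ...
        "lan_to_internet_after": route(RULES_FIXED, TABLES, "10.1.0.9", "8.8.8.8"),
        # ... and the gateway's own traffic to the remote LAN still enters KLIPS.
        "gw_to_remote_lan_after": route(RULES_FIXED, TABLES, "2.2.2.2", "10.2.0.1"),
    }


if __name__ == "__main__":
    for name, dev in demo().items():
        print(f"{name:24s} -> {dev}")
```

The caveat the model makes visible: a bare "from 2.2.2.2 lookup 100" rule would also pull the gateway's own packets for the remote LAN out eth0 unencrypted unless table 100 carries the tunnel route, so the extra table must repeat every prefix that should still enter ipsec0.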

