[Openswan Users] How to exclude local traffic when left/rightsubnet=0.0.0.0/0

Andy fs at globalnetit.com
Sat Oct 15 03:41:29 CEST 2005


I have a bunch of remote routers that need to send all their non-local
traffic through a tunnel to a central gateway. Their configuration
simply has leftsubnet=0.0.0.0/0 and rightsubnet=<local network>.

Pedantically, that would mean that ALL traffic, even local stuff on the
LAN itself (e.g. a local device sending an ICMP echo to the router's
address) will match the policy and get put into the tunnel.

Until recently, these routers were running 2.4.20 with KLIPS and
Openswan 1.0.9, and somehow such local traffic got magically excluded
from the ipsec policy. Now I'm using newer boxes with 2.6.13 and NETKEY,
Openswan 2.3.1, and find that once the ipsec tunnel is configured, all
local traffic is dropped. I'm guessing that NETKEY is more "pedantic"
about this than KLIPS was.

Technically I guess this behavior is correct, but it's sure nice to be
able to ping your local gateway.... So I need to exclude the local
traffic from the policy somehow.

I tried this, and (surprisingly!) it worked - say the local LAN is
192.168.10.0/30, run these commands:
 ip xfrm policy add dir in src 192.168.10.0/30 dst 192.168.10.0/30
 ip xfrm policy add dir out src 192.168.10.0/30 dst 192.168.10.0/30

I'm guessing I succeeded in adding a "null" policy for local traffic by
doing that, and because it's more specific than the policies with
src/dst 0.0.0.0/0 it will match first, sort of like how routing matches
the longest prefix. But I can't seem to find any notes about the way the
NETKEY SPD works so I can be sure of that. Can anyone confirm that's
what happened here? If it is, I can use it in a custom updown script. Or
is there a better way?


-- 
Andy <fs at globalnetit.com>
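The bypass idea from the post above, written out as an updown-style helper. This is an added example, not code from the original post or from Openswan. It assumes three things the post does not state: that `ip xfrm policy add` accepts a `priority N` argument and that the Linux XFRM SPD consults lower numbers first (so the bypass must carry a smaller value than the 0.0.0.0/0 tunnel policy); that a policy with no `tmpl` is a plain allow with no SA requirement, i.e. the "null" policy the post guesses at; and that Openswan hands its updown script the verb in `PLUTO_VERB`. The `fwd` direction and the `BYPASS_PRIO` value are the example's own additions.

```shell
#!/bin/sh
# Added example (not from the original post or Openswan): install XFRM
# "bypass" policies so the local LAN is not swallowed by an all-traffic
# (0.0.0.0/0) IPsec policy on a NETKEY/2.6 router.
#
# Assumptions (not stated by the post):
#  - "ip xfrm policy add ... priority N": the XFRM SPD consults lower
#    numbers first, so the bypass gets a smaller value than the tunnel policy.
#  - A policy with no "tmpl" has the default action (allow) and needs no SA,
#    so matching packets go out in the clear: a null/bypass policy.
#  - "fwd" is added as well, so traffic the router forwards between LAN
#    hosts is excluded too, not only traffic to the router itself.
#  - PLUTO_VERB is the verb Openswan passes to its updown script.

LAN="${LAN:-192.168.10.0/30}"        # local LAN, value from the post
BYPASS_PRIO="${BYPASS_PRIO:-100}"    # assumed to be below the tunnel policy's priority

# Print the commands that create the bypass policies, one per line.
bypass_policy_cmds() {
    lan="$1"
    prio="$2"
    for dir in in out fwd; do
        printf 'ip xfrm policy add dir %s src %s dst %s priority %s\n' \
            "$dir" "$lan" "$lan" "$prio"
    done
}

# Print the commands that remove them again (dir + selector identify a policy).
remove_policy_cmds() {
    lan="$1"
    for dir in in out fwd; do
        printf 'ip xfrm policy delete dir %s src %s dst %s\n' "$dir" "$lan" "$lan"
    done
}

# Execute each command read on stdin; with DRY_RUN set, only print it.
apply_cmds() {
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Hook for Openswan's updown script: install on up, remove on down.
case "${PLUTO_VERB:-}" in
    up-client|up-host)     bypass_policy_cmds "$LAN" "$BYPASS_PRIO" | apply_cmds ;;
    down-client|down-host) remove_policy_cmds "$LAN" | apply_cmds ;;
esac
```

Run it as `DRY_RUN=1 PLUTO_VERB=up-client sh bypass.sh` to see what it would do, then `ip xfrm policy show` after a real run to confirm both the LAN entries and the 0.0.0.0/0 entries are present with the expected priorities. Two caveats: keep the selector exactly as tight as the LAN prefix, because every address pair it covers now leaves unprotected; and the `in` bypass means an unprotected packet claiming LAN source and destination addresses is accepted in the clear regardless of which interface it arrived on, so keep anti-spoofing (rp_filter or netfilter rules on the WAN side) in place.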
