[Openswan Users] Openswan or general routing problem?

Andy Coates andy at corenetwork.co.uk
Mon Apr 24 11:36:18 CEST 2006


users-bounces at openswan.org wrote:
> On Fri, 21 Apr 2006, Andy Coates wrote:
> 
>> got no problems in general now setting up IPSEC connections, and the
>> machine itself has no problem communicating with hosts on the remote
>> subnets, but the machine is also acting as a gateway and other
>> machines using this gateway can't seem to reach the remote subnets.
> 
> this usually means either ip forwarding is not enabled, or
> the NAT rules are rewriting (and breaking) the IPsec packets.

Hi Paul,

IP forwarding is definitely enabled; the gateway has other working non-IPSEC
connections that the internal machines can route through and access (NAT'd).

I can't tell if iptables is breaking the packets; my limited debug knowledge
has just seen packets coming in on an internal interface, re-written
as <internal IP> to <gateway ip> and then sent out over the external
interface, but not encrypted and not over the IPSEC tunnel.

>> So from the gateway itself all packets to the remote subnet via the
>> IPSEC tunnel are fine, but any packets being forwarded on seem to
>> take the routing entry setup by the IPSEC connection literally, i.e.
>> 
>> internal ~ # netstat -rn | grep 192.168.2
>> 192.168.2.0     80.253.107.129  255.255.255.0 UG       0 0          0 eth0
> 
> Are you using klips? If you use netkey, routes do not matter.
> If you use klips, then a route into ipsecX should be there.

Netkey - the output above was just an example to show what the packets
"seem" to be doing (i.e. just routing normally).

> Does your gateway work with a separate conn? Or did you use a
> leftsourceip= ?

It only has one outbound interface, if that's what you mean? I tried adding
in the leftsourceip anyway and it didn't make much difference.

>> Am I missing something really simple I've just not thought about? 
>> The only difference between this and a working gateway I also have
>> is that it uses the older kernel and freeswan and has the ipsec0
>> interface. 
> 
> You might need different firewall settings if you had ipsecX
> interfaces before. 

The firewall rules obviously don't mention ipsec0 anymore, and now reference
eth0 (which annoyed me a little as it's hard to do specific ipsec firewall
rules).

I just can't understand why packets it sends out itself to the remote
network are fine, but any routed via it don't seem to be - unless it is
iptables NAT related (but I'd expect that to be a common problem people
face?).

Thanks,
Andy.
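As an added illustration (not part of the thread, and not Openswan's code) of the NAT/IPsec interaction Paul points at: with netkey, forwarded packets pass the nat/POSTROUTING chain before the IPsec policy lookup, so a blanket MASQUERADE rewrites the source to the gateway's address and the packet no longer matches the tunnel's selector. The model below walks one such packet through a broken and a fixed rule list; the subnets other than 192.168.2.0/24, the gateway address and the rule sets are constructed for the example.

```python
"""Toy model of netkey's forward path: nat/POSTROUTING runs first, then
the xfrm (IPsec) policy lookup. Not the kernel's code; addresses constructed."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed internal subnet
REMOTE = ipaddress.ip_network("192.168.2.0/24")   # remote subnet from the thread
ANY = ipaddress.ip_network("0.0.0.0/0")
GATEWAY_IP = "80.253.107.130"  # constructed: the gateway's own external address

# What Openswan installs for the conn: selector (src subnet, dst subnet).
XFRM_POLICIES = [(LAN, REMOTE)]


def nat_postrouting(rules, src, dst):
    """First matching nat/POSTROUTING rule wins; return the outgoing source."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule["src"] and d in rule["dst"]:
            return GATEWAY_IP if rule["target"] == "MASQUERADE" else src
    return src


def xfrm_lookup(src, dst):
    """True when an IPsec policy selector covers the (post-NAT) packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in psrc and d in pdst for psrc, pdst in XFRM_POLICIES)


def forward(rules, src, dst):
    """Forward a routed packet: NAT first, policy lookup on the rewritten packet."""
    new_src = nat_postrouting(rules, src, dst)
    return {"src": new_src, "encrypted": xfrm_lookup(new_src, dst)}


# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
BROKEN = [{"src": LAN, "dst": ANY, "target": "MASQUERADE"}]

# iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
# in front of the MASQUERADE rule keeps tunnel traffic out of NAT.
FIXED = [{"src": LAN, "dst": REMOTE, "target": "ACCEPT"}] + BROKEN

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, forward(rules, "192.168.1.10", "192.168.2.5"))
```

The alternative exclusion `-m policy --dir out --pol ipsec -j ACCEPT` has the same effect without hard-coding subnets.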
