[Openswan Users] Openswan or general routing problem?
Andy Coates
andy at corenetwork.co.uk
Mon Apr 24 11:36:18 CEST 2006
users-bounces at openswan.org wrote:
> On Fri, 21 Apr 2006, Andy Coates wrote:
>
>> got no problems in general now setting up IPSEC connections, and the
>> machine itself has no problem communicating with hosts on the remote
>> subnets, but the machine is also acting as a gateway and other
>> machines using this gateway can't seem to reach the remote subnets.
>
> This usually means either ip forwarding is not enabled, or
> the NAT rules are rewriting (and breaking) the IPsec packets.
Hi Paul,
IP forwarding is definitely enabled; the gateway has other working non-IPSEC
connections that the internal machines can route through and access (NAT'd).
I can't tell if iptables is breaking the packets. My limited debug knowledge
has just seen packets coming in on an internal interface, re-written
as <internal IP> to <gateway ip> and then sent out over the external
interface, but not encrypted and not over the IPSEC tunnel.
>> So from the gateway itself all packets to the remote subnet via the
>> IPSEC tunnel are fine, but any packets being forwarded on seem to
>> take the routing entry setup by the IPSEC connection literally, i.e.
>>
>> internal ~ # netstat -rn | grep 192.168.2
>> 192.168.2.0 80.253.107.129 255.255.255.0 UG 0 0 0 eth0
>
> Are you using klips? If you use netkey, routes do not matter.
> If you use klips, then a route into ipsecX should be there.
Netkey - the output above was just an example to show what the packets
"seem" to be doing (i.e. just routing normally).
> Does your gateway work with a separate conn? Or did you use a
> leftsourceip= ?
It only has one outbound interface if that's what you mean? I tried adding
in the leftsourceip anyway and it didn't make much difference.
>> Am I missing something really simple I've just not thought about?
>> The only difference between this and a working gateway I also have
>> is that it uses the older kernel and freeswan and has the ipsec0
>> interface.
>
> You might need different firewall settings if you had ipsecX
> interfaces before.
The firewall rules obviously don't mention ipsec0 anymore, and now reference
eth0 (which annoyed me a little as it's hard to do specific ipsec firewall
rules).
I just can't understand why packets it sends out itself to the remote
network are fine, but any routed via it don't seem to be - unless it is
iptables NAT related (but I'd expect that to be a common problem people
face?).
Thanks,
Andy.
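The symptom described in this message (forwarded packets leaving eth0 rewritten to the gateway address and unencrypted) is what happens when a catch-all MASQUERADE in the nat POSTROUTING chain rewrites the source before IPsec processing, so the packet no longer matches the tunnel's subnet selectors. The following is an added example, not from the thread or from Openswan: two constructed rule sets in iptables-save format, a broken one and one that exempts tunnel traffic before the MASQUERADE rule, plus a small check that walks the chain in netfilter order and reports whether tunnel traffic would be NATed. 192.168.2.0/24 is the remote subnet from the thread; 10.0.0.0/24 is an assumed internal LAN.

```shell
#!/bin/sh
# Constructed sample: masquerades everything leaving eth0, so forwarded
# packets for 192.168.2.0/24 are rewritten before IPsec sees them.
BROKEN_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: tunnel traffic is accepted (left untouched) before the
# MASQUERADE rule is reached, either by destination subnet or by matching the
# kernel's outbound IPsec policy with the xt_policy match.
FIXED_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -d 192.168.2.0/24 -j ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# nat_leaks_tunnel_traffic DUMP REMOTE_SUBNET
# Reads POSTROUTING rules in order, as netfilter evaluates them. Succeeds
# (exit 0) when a MASQUERADE/SNAT rule is reached before any ACCEPT that
# exempts the remote subnet or IPsec-policy traffic; fails (exit 1) otherwise.
nat_leaks_tunnel_traffic() {
    verdict=$(printf '%s\n' "$1" | awk -v subnet="$2" '
        BEGIN { verdict = "ok" }
        /^-A POSTROUTING/ {
            # An exemption that accepts tunnel traffic ends the walk: safe.
            if ($0 ~ /-j ACCEPT/ && (index($0, "-d " subnet) || $0 ~ /--pol ipsec/)) { exit }
            # Reaching source NAT first means tunnel packets get rewritten.
            if ($0 ~ /-j (MASQUERADE|SNAT)/) { verdict = "leak"; exit }
        }
        END { print verdict }')
    [ "$verdict" = "leak" ]
}

# Stand-alone run: report both constructed rule sets.
for name in BROKEN_NAT FIXED_NAT; do
    eval "dump=\$$name"
    if nat_leaks_tunnel_traffic "$dump" 192.168.2.0/24; then
        echo "$name: tunnel traffic to 192.168.2.0/24 would be source-NATed"
    else
        echo "$name: tunnel traffic to 192.168.2.0/24 is exempted from NAT"
    fi
done
```

On a live gateway the same check can be fed `iptables-save -t nat` output instead of the constructed dumps.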