[Openswan Users] Routing problem with NETKEY

Jani Joki demi at futuremark.com
Fri Aug 4 03:02:07 EDT 2006

Quoting Paul Wouters (paul at xelerance.com):
> On Thu, 3 Aug 2006, Jani Joki wrote:
> > The tunnel comes up fine. However, I can only send packets from the left
> > gateway ( to the right network ( Any
> > packets sent from the left network to the right network go through normal
> > routing and are passed along unencrypted.
> Are you sure you're not NATing packets that needed encryption on left?

I'm sure. The /24 behind left is a full routable network. I have no
need to do any NAT for any packets.

> Can you put an 'ipsec barf' output somewhere on website and give us the

Which portion of the barf are you interested in? It does contain
information I'd rather not disclose, such as my firewall rules.

> link to it? Do you have ip forwarding enabled on left?

Yes I do. The left gateway has been serving my office network for
years already.

> netkey does some weird things with packets, and some behaviour changed
> somewhere in 2.6.17 as well. I am not entirely sure of the netkey flow at this
> point. If you use KLIPS, the flow of packets is more clear. You can
> see a diagram in openswan-2.x.y/docs/diagrams/klips-packetflow.jpg

I have no great love for netkey - I just used it as it came with FC5
standard and thought it would make things easier. I understand that netkey
and klips cannot be used simultaneously - are there any instructions
anywhere on how to remove netkey and go to klips? Do I just need to rebuild
a kernel that supports klips rather than netkey?

> > To make things really bizarre, any icmp traffic sent from the right
> > network to the left network goes through the tunnel as it should. Same
> > is true for the other direction. Only udp and tcp traffic (the only
> > protocols I tried) fail to go through the tunnel as they should.
> So this looks more like you are running into MTU issues. Try lowering
> the MTU on the internal interfaces of both ends to say 1300.

Hrm. My internet connection is a full 100Mbs connection - would it
not affect my throughput if I lower the MTU on all packets? Is there
a way to just lower the MTU for the packets destined for the tunnel
rather than all packets?

        Jani Joki        Senior Technical Manager   Futuremark Corporation
jani.joki at futuremark.com     +358 20 759 8264         www.futuremark.com
