[Openswan Users] Should be a simple routing question
GregScott at InfraSupportEtc.com
Tue Aug 22 10:03:13 EDT 2006
I am scratching my head on this one. I have two sites, siteA and siteB.
This will grow but for now it's two sites.
Site A is 10.13.1.0/24. Site A is the right side.
Site B is 10.15.1.0/24. Site B is left.
Site A also has other subnets behind it, so I set up the tunnel like
Left 10.15.1.0/24 (Site B) <------> Right 10.0.0.0/8 (Site A).
The tunnel works great - both sides see each other just fine, thanks to
lots of help from people in this list.
Here's the issue. When I traceroute from the siteB router at 10.15.1.1
to anything else in SiteB, it tries to route via SiteA! Very strange.
Well, it kind of makes sense because my tunnel definition evidently told
it to behave this way. I was wondering if there is a way to make the
local route happen before the tunnel route?
Here are the routes from 10.15.1.1 as they are right now.
[root at roseville-fw gregs]# /sbin/ip route show
220.127.116.11/29 dev eth0 proto kernel scope link src xx.xx.xx.33
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.187
10.15.1.0/24 dev eth1 proto kernel scope link src 10.15.1.1
169.254.0.0/16 dev eth2 scope link
10.0.0.0/8 dev eth0 scope link src 10.15.1.1
default via xx.xx.xx.38 dev eth0
[root at roseville-fw gregs]#
Aren't the more specific routes supposed to work before the more general
routes? But the behavior I see is that the IPSEC route happens even
before local routes.
I have a couple of workarounds.
1 - I can set up tunnels specific to all subnets and forget about
2 - I could mark local packets with iptables and route them through
another routing table.
But maybe there is something easier I am missing?
I am using fc5 with kernel 18.104.22.168 with Netkey and Openswan 2.4.4.
My conn definition from site B looks like this:
# Identical to Roseville-Lakeville except for the rightsubnet.
# Left security gateway, subnet behind it, next hop toward
# Right security gateway, subnet behind it, next hop toward
Here is what sites.conf looks like:
# RSA 2192 bits roseville-fw Thu Jul 20 18:47:26 2006
# RSA 2192 bits lakeville-fw Wed Jul 19 21:09:32 2006
- Greg Scott
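Added example (not part of Greg's post or of Openswan): it parses the routing table posted above (copied here as a constructed string, masked octets kept), performs the same longest-prefix match the kernel FIB does, and separately checks the tunnel's own selector (leftsubnet 10.15.1.0/24, rightsubnet 10.0.0.0/8) against a local-to-local packet. The route lookup picks the /24 on eth1, so the table itself is fine; the selector check shows why NetKey still encrypts the packet, because the xfrm policy is matched after routing, on addresses alone, and 10.15.1.x falls inside 10.0.0.0/8.

```python
import ipaddress

# Constructed copy of the `ip route show` output from the post (xx.* octets masked as posted).
ROUTE_TABLE = """\
220.127.116.11/29 dev eth0 proto kernel scope link src xx.xx.xx.33
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.187
10.15.1.0/24 dev eth1 proto kernel scope link src 10.15.1.1
169.254.0.0/16 dev eth2 scope link
10.0.0.0/8 dev eth0 scope link src 10.15.1.1
default via xx.xx.xx.38 dev eth0
"""

# Selector of the posted conn: Left 10.15.1.0/24 <-> Right 10.0.0.0/8 (assumed to be
# installed as the xfrm policy src/dst pair on the Site B gateway).
TUNNEL_LEFT = ipaddress.ip_network("10.15.1.0/24")
TUNNEL_RIGHT = ipaddress.ip_network("10.0.0.0/8")


def parse_routes(text):
    """Turn `ip route show` lines into (network, attribute dict) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        it = iter(fields[1:])
        attrs = {key: next(it, None) for key in it}  # dev/via/src/scope/proto pairs
        routes.append((ipaddress.ip_network(dst, strict=False), attrs))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, attrs) for net, attrs in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)


def egress(dst):
    """Return (chosen prefix, device) for a destination, as the FIB would."""
    net, attrs = lookup(parse_routes(ROUTE_TABLE), dst)
    return str(net), attrs["dev"]


def tunnel_grabs(src, dst):
    """True if the posted conn's selector matches this src/dst, regardless of route."""
    return (ipaddress.ip_address(src) in TUNNEL_LEFT
            and ipaddress.ip_address(dst) in TUNNEL_RIGHT)
```

Running `egress("10.15.1.5")` gives the /24 on eth1, yet `tunnel_grabs("10.15.1.1", "10.15.1.5")` is True, which is the local-to-local diversion the post describes; narrowing rightsubnet so it no longer covers 10.15.1.0/24 makes that call return False.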