[Openswan Users] Should be a simple routing question
Andy Gay
andy at andynet.net
Tue Aug 22 11:58:56 EDT 2006
On Tue, 2006-08-22 at 09:03 -0500, Greg Scott wrote:
> Hello -
>
> I am scratching my head on this one. I have two sites, siteA and siteB.
> This will grow but for now it's two sites.
>
> Site A is 10.13.1.0/24. Site A is the right side.
> Site B is 10.15.1.0/24. Site B is left.
>
> Site A also has other subnets behind it, so I set up the tunnel like
> this:
>
> Left 10.15.1.0/24 <------> Right 10.0.0.0/8.
> Site B Site A
>
> The tunnel works great - both sides see each other just fine, thanks to
> lots of help from people in this list.
>
> Here's the issue. When I traceroute from the siteB router at 10.15.1.1
> to anything else in SiteB, it tries to route via SiteA! Very strange
> indeed!
>
> Well, it kind of makes sense because my tunnel definition evidently told
> it to behave this way. I was wondering if there is a way to make the
> local route happen before the tunnel route?
I don't think this is a routing issue, it's to do with IPsec policy.
Your policy says anything with source address 10.15.1.0/24 and
destination 10.0.0.0/8 should be sent through the tunnel.
Try doing this on the siteB router:
ip xfrm policy add dir in src 10.15.1.0/24 dst 10.15.1.0/24
ip xfrm policy add dir out src 10.15.1.0/24 dst 10.15.1.0/24
That will add some more specific policies for local traffic.
I believe there's a way to do that using a passthrough conn as well, I'm
not certain about the syntax for that.
>
> Here are the routes from 10.15.1.1 as they are right now.
>
> [root at roseville-fw gregs]# /sbin/ip route show
> 71.216.115.32/29 dev eth0 proto kernel scope link src xx.xx.xx.33
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> 10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.187
> 10.15.1.0/24 dev eth1 proto kernel scope link src 10.15.1.1
> 169.254.0.0/16 dev eth2 scope link
> 10.0.0.0/8 dev eth0 scope link src 10.15.1.1
> default via xx.xx.xx.38 dev eth0
> [root at roseville-fw gregs]#
>
> Aren't the more specific routes supposed to work before the more general
> routes? But the behavior I see is that the IPSEC route happens even
> before local routes.
>
> I have a couple of workarounds.
>
> 1 - I can set up tunnels specific to all subnets and forget about
> 10.0.0.0/8.
> 2 - I could mark local packets with iptables and route them through
> another routing table.
>
> But maybe there is something easier I am missing?
>
> I am using fc5 with kernel 2.6.17.1 with Netkey and Openswan 2.4.4.
>
> My conn definition from site B looks like this:
>
> conn Roseville-Everywhere
> # Identical to Roseville-Lakeville except for the rightsubnet.
> type=tunnel
> #
> # Left security gateway, subnet behind it, next hop toward right.
> #
> also=Roseville
> leftsubnet=10.15.1.0/24
> #
> # Right security gateway, subnet behind it, next hop toward left.
> #
> also=Lakeville
> rightsubnet=10.0.0.0/8
> auto=start
>
> include /etc/ipsec.d/sites.conf
>
> Here is what sites.conf looks like:
>
> conn Roseville
> left=xx.xx.xx.33
> leftnexthop=xx.xx.xx.38
> leftsourceip=10.15.1.1
> leftid=@roseville.local
> # RSA 2192 bits roseville-fw Thu Jul 20 18:47:26 2006
> leftrsasigkey=0sAQ...
>
> conn Lakeville
> right=yy.yy.yy.154
> rightnexthop=yy.yy.yy.153
> rightsourceip=10.13.1.1
> rightid=@lakeville.local
> # RSA 2192 bits lakeville-fw Wed Jul 19 21:09:32 2006
> rightrsasigkey=0sAQNb...
> #
>
> Thanks
>
> - Greg Scott
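An added example, not taken from either message in this thread: a small bash helper that checks whether a local subnet sits inside a tunnel's remote selector (as 10.15.1.0/24 sits inside 10.0.0.0/8 here) and, if so, prints the more specific `ip xfrm policy` commands Andy suggests. It only prints the commands rather than applying them; the function names are my own.

```bash
#!/bin/bash
# Editor's example. Detects an IPsec selector that swallows local traffic
# (local subnet contained in the tunnel's remote subnet) and emits the
# narrower in/out policies for local-to-local traffic. Nothing is applied.

# Convert dotted-quad IPv4 to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True (exit 0) when CIDR $1 lies entirely within CIDR $2.
cidr_within() {
  local inner_ip=${1%/*} inner_len=${1#*/}
  local outer_ip=${2%/*} outer_len=${2#*/}
  # A shorter prefix can never fit inside a longer one.
  [ "$inner_len" -ge "$outer_len" ] || return 1
  local mask=$(( outer_len == 0 ? 0 : (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$inner_ip") & mask )) -eq $(( $(ip_to_int "$outer_ip") & mask )) ]
}

# Print the more specific policies only when the remote selector covers
# the local subnet; print nothing when the selectors do not overlap.
passthrough_policies() {
  local local_net=$1 remote_net=$2
  if cidr_within "$local_net" "$remote_net"; then
    echo "ip xfrm policy add dir in src $local_net dst $local_net"
    echo "ip xfrm policy add dir out src $local_net dst $local_net"
  fi
}

# Values from the thread: siteB's LAN and the broad rightsubnet.
passthrough_policies 10.15.1.0/24 10.0.0.0/8
```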