[Openswan Users] Should be a simple routing question
andy at andynet.net
Tue Aug 22 11:58:56 EDT 2006
On Tue, 2006-08-22 at 09:03 -0500, Greg Scott wrote:
> Hello -
> I am scratching my head on this one. I have two sites, siteA and siteB.
> This will grow but for now it's two sites.
> Site A is 10.13.1.0/24. Site A is the right side.
> Site B is 10.15.1.0/24. Site B is left.
> Site A also has other subnets behind it, so I set up the tunnel like
> Left 10.15.1.0/24 <------> Right 10.0.0.0/8.
> Site B Site A
> The tunnel works great - both sides see each ohter just fine, thanks to
> lots of help from people in this list.
> Here's the issue. When I traceroute from the siteB router at 10.15.1.1
> to anything else in SiteB, it tries to route via SiteA! Very strange
> Well, it kind of makes sense because my tunnel definition evidently told
> it to behave this way. I was wondering if there is a way to make the
> local route happen before the tunnel route?
I don't think this is a routing issue, it's to do with IPsec policy.
Your policy says anything with source address 10.15.1.0/24 and
destination 10.0.0.0/8 should be sent through the tunnel.
Try doing this on the siteB router:
ip xfrm policy add dir in src 10.15.1.0/24 dst 10.15.1.0/24
ip xfrm policy add dir out src 10.15.1.0/24 dst 10.15.1.0/24
That will add some more specific policies for local traffic.
I believe there's a way to do that using a passthrough conn as well, I'm
not certain about the syntax for that.
> Here are the routes from 10.15.1.1 as they are right now.
> [root at roseville-fw gregs]# /sbin/ip route show
> 188.8.131.52/29 dev eth0 proto kernel scope link src xx.xx.xx.33
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> 10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.187
> 10.15.1.0/24 dev eth1 proto kernel scope link src 10.15.1.1
> 169.254.0.0/16 dev eth2 scope link
> 10.0.0.0/8 dev eth0 scope link src 10.15.1.1
> default via xx.xx.xx.38 dev eth0
> [root at roseville-fw gregs]#
> Aren't the more specific routes supposed to work before the more general
> routes? But the behavior I see is that the IPSEC route happens even
> before local routes.
> I have a couple of workarounds.
> 1 - I can set up tunnels specific to all subnets and forget about
> 2 - I could mark local packets with iptables and route them through
> another routing table.
> But maybe there is something easier I am missing?
> I am using fc5 with kernel 184.108.40.206 with Netkey and Openswan 2.4.4.
> My conn definition from site B looks like this:
> conn Roseville-Everywhere
> # Identical to Roseville-Lakeville except for the rightsubnet.
> # Left security gateway, subnet behind it, next hop toward
> # Right security gateway, subnet behind it, next hop toward
> include /etc/ipsec.d/sites.conf
> Here is what sites.conf looks like:
> conn Roseville
> # RSA 2192 bits roseville-fw Thu Jul 20 18:47:26 2006
> conn Lakeville
> # RSA 2192 bits lakeville-fw Wed Jul 19 21:09:32 2006
> - Greg Scott
> Users at openswan.org
> Building and Integrating Virtual Private Networks with Openswan:
More information about the Users