[Openswan Users] Problem with 2 tunnels to same network

Paul Wouters paul at xelerance.com
Wed Dec 6 01:49:30 EST 2006


On Tue, 5 Dec 2006, Douglas Leece wrote:

> I have been a freeswan user for years and never really had a lot of issues with it, unfortunately I have found Openswan to be a bit more difficult to get going. The Freeswan config I am replacing required a tunnel from LAN A to LAN B and that was easy to replicate. The problem seems to come in with the second tunnel that goes from the external IP of LAN B's gateway to LAN A. We use this second tunnel to replicate DNS zone data from LAN A to the Gateway serving LAN B.

What does ipsec verify say? Does it complain about rp_filter or
redirects that should be changed?

What happens if you add "failureshunt=clear" to config setup? It's not the
right solution, but it might give us an idea where the problem is.

> I have rolled back to 2.4-33 on Fedora because I can't seem to get Openswan to run on any version of 2.6 using netkey. We ran for years with almost no issues using 2.4.18 and superfreeswan 1.99 on Debian and I used these configs as the basis for the new build because I thought we were just upgrading.

Let's hope klips and netkey merge soon.....

> Can Openswan support such a configuration? There are two separate routes on the machines, one for the lan to lan and the other for lan to gateway external IP. Both tunnels negotiate and connect fine but the traffic from LAN A to LAN B does not flow when the gateway to LAN A tunnel is also up. When the gateway to LAN tunnel comes down then it seems to work fine.

It should work.

> On a second note, is there any version of Openswan that works on a current Linux distro without patching the kernel? I have been through memory leaks, daemons crashing, mismatched tunnels and terrible service trying to use various versions of 2.6 kernel and the openswan tools. I like Debian but I can certainly use RHEL or even Ubuntu if there is a trouble free build out there, I am quite concerned that patching 2.6 with klips might cause problems with upgrades later so if I can stay with a stock kernel that would be a lot better.

If you have issues with 2.4.7, please let us know so we can address them.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
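
The rp_filter and redirect settings asked about in the reply can also be read directly per interface. This is an added example, not part of the original post and not the code of `ipsec verify`; the function name and its optional root-directory argument are hypothetical, and the argument exists only so the check can be run against a copy of the sysctl tree.

```shell
#!/bin/sh
# Added example: report per-interface rp_filter / ICMP redirect sysctls that
# are still enabled on a gateway. Reverse-path filtering and redirects both
# interfere with traffic that enters and leaves through IPsec tunnels.

# check_ipsec_sysctls [root]   (hypothetical helper name)
#   root defaults to the live tree under /proc/sys/net/ipv4/conf.
#   Prints one line per nonzero setting.
#   Returns 0 when every setting is 0, 1 when anything was flagged.
check_ipsec_sysctls() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for dir in "$root"/*; do
        # Each subdirectory is an interface name, plus "all" and "default".
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        for key in rp_filter send_redirects accept_redirects; do
            file="$dir/$key"
            # Skip keys this kernel does not expose.
            [ -r "$file" ] || continue
            val=$(cat "$file")
            if [ "$val" != "0" ]; then
                echo "$iface: $key=$val (expected 0)"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Typical use on the gateway itself:
#   check_ipsec_sysctls || echo "fix the settings listed above"
```

A setting under `all` or `default` can re-enable the behaviour on interfaces created later, such as a tunnel device, so those two entries matter as much as the physical interfaces.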

