[Openswan Users] eth0 connectivity lost when starting tunnel with overlapped subnets

Philippe PAULEAU openswan at cartesis.com
Sun Feb 26 18:50:49 CET 2006


 
Hi,

This configuration with overlapping subnets was working fine with FreeSWAN /
KLIPS and ipsec0, but now, using openswan / NETKEY, starting the tunnel is
breaking eth0 LAN connectivity.


                 |-------------|     internet     |-------------|
10.11.0.0/16 ----| openswan gw |------------------| openswan gw |---- 10.0.0.0/8
                 |-------------|                  |-------------|
             eth0               eth1
             10.11.0.4          82.108.230.82


Tunnel established:
10.11.0.0/16===82.108.230.82...195.115.85.130===10.0.0.0/8


When starting ipsec, the tunnel works fine, but then eth0 does not respond
anymore. Because the local eth0 subnet is inside the remote LAN subnet used for
the tunnel, it tries to route 10.11.0.0/16 traffic inside the tunnel via the
eth1 interface, instead of sending it in clear on the eth0 interface, so it
never reaches its local destination.

Strange behavior, because eth0 should always be considered a priority, and
also the route for the /16 subnet is more specific than /8.


root ~ #route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
82.108.230.80   *               255.255.255.240 U     0      0        0 eth1
10.11.0.0       *               255.255.0.0     U     0      0        0 eth0
default         82.108.230.81   0.0.0.0         UG    0      0        0 eth1

root ~ #ip route
82.108.230.80/28 dev eth1  proto kernel  scope link  src 82.108.230.85
10.11.0.0/16     dev eth0  proto kernel  scope link  src 10.11.0.4
default via 82.108.230.81 dev eth1
 
root ~ #ping 10.11.0.2
PING 10.11.0.2 (10.11.0.2) 56(84) bytes of data.
64 bytes from 10.11.0.2: icmp_seq=1 ttl=128 time=3.55 ms
64 bytes from 10.11.0.2: icmp_seq=2 ttl=128 time=0.191 ms
64 bytes from 10.11.0.2: icmp_seq=3 ttl=128 time=0.209 ms

--- 10.11.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.191/1.317/3.551/1.579 ms

root ~ #service ipsec start
ipsec_setup: Starting Openswan IPsec U2.4.4/K2.6.15.4...

#1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
#2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
#2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
#2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x346cb6b8 <0x7ffdadc9 xfrm=3DES_0-HMAC_SHA1 IPCOMP=>0x0000c8ec <0x0000907b NATD=none DPD=none}


root ~ #ping 10.11.0.2
PING 10.11.0.2 (10.11.0.2) 56(84) bytes of data.

--- 10.11.0.2 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7013ms

root ~ #route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
82.108.230.80   *               255.255.255.240 U     0      0        0 eth1
10.11.0.0       *               255.255.0.0     U     0      0        0 eth0
10.0.0.0        82.108.230.81   255.0.0.0       UG    0      0        0 eth1
default         82.108.230.81   0.0.0.0         UG    0      0        0 eth1

root ~ #ip route
82.108.230.80/28 dev eth1  proto kernel  scope link  src 82.108.230.85
10.11.0.0/16 dev eth0  proto kernel  scope link  src 10.11.0.4
10.0.0.0/8 via 82.108.230.81 dev eth1
default via 82.108.230.81 dev eth1 

root ~ #service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

root ~ #ping 10.11.0.2    
PING 10.11.0.2 (10.11.0.2) 56(84) bytes of data.
64 bytes from 10.11.0.2: icmp_seq=1 ttl=128 time=0.253 ms
64 bytes from 10.11.0.2: icmp_seq=2 ttl=128 time=0.173 ms

--- 10.11.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.173/0.213/0.253/0.040 ms



I should not be the only one with this configuration, so any help would be appreciated.

Thanks folks
Regards

Philippe
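The following is an added illustration, not part of Philippe's post or of Openswan's own code. It models the two lookups an outbound packet goes through on a NETKEY host: the longest-prefix route lookup (which, as the post notes, correctly picks eth0 for 10.11.0.2) and the XFRM security-policy lookup, whose selectors (src 10.11.0.0/16, dst 10.0.0.0/8) still match local-to-local traffic and win, so the packet is encapsulated and sent toward the peer instead. The tables are transcribed from the post; the peer address 195.115.85.130 comes from the tunnel line. The "fixed" policy set adds a narrower passthrough policy for 10.11.0.0/16 to 10.11.0.0/16, the kind of entry an Openswan conn with type=passthrough is meant to install (that mapping, and the most-specific-selector-wins ordering, are assumptions of this model; the real kernel orders policies by the priority the IKE daemon assigns). On a real host, `ip xfrm policy show` lists the installed policies so the selectors can be checked directly.

```python
import ipaddress

# Routing table as shown in the post after "service ipsec start"
# (prefix, gateway or None for on-link, device).
ROUTES = [
    ("82.108.230.80/28", None, "eth1"),
    ("10.11.0.0/16", None, "eth0"),
    ("10.0.0.0/8", "82.108.230.81", "eth1"),
    ("0.0.0.0/0", "82.108.230.81", "eth1"),
]

# Remote IKE/ESP peer from the tunnel line in the post.
PEER = "195.115.85.130"

# Security policy database for the tunnel as posted:
# (src selector, dst selector, action).
TUNNEL_SPD = [
    ("10.11.0.0/16", "10.0.0.0/8", "ipsec"),
]

# Same SPD plus a passthrough policy for local-to-local traffic.
# Assumption: this is what an Openswan conn with type=passthrough installs.
FIXED_SPD = [
    ("10.11.0.0/16", "10.11.0.0/16", "passthrough"),
    ("10.11.0.0/16", "10.0.0.0/8", "ipsec"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns the egress device or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def policy_lookup(spd, src, dst):
    """Most-specific matching selector wins (assumed ordering); no match
    means plain forwarding, i.e. passthrough."""
    s_addr, d_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best_action, best_spec = "passthrough", -1
    for s_sel, d_sel, action in spd:
        s_net, d_net = ipaddress.ip_network(s_sel), ipaddress.ip_network(d_sel)
        if s_addr in s_net and d_addr in d_net:
            spec = s_net.prefixlen + d_net.prefixlen
            if spec > best_spec:
                best_action, best_spec = action, spec
    return best_action


def forward(spd, src, dst):
    """Return (egress device, action) for a packet src->dst.

    The route lookup alone would send 10.11.0.2 out eth0, but if the policy
    lookup says 'ipsec' the payload is wrapped in ESP addressed to PEER and
    the outer packet follows the route to PEER, which is eth1.
    """
    dev = route_lookup(dst)
    action = policy_lookup(spd, src, dst)
    if action == "ipsec":
        dev = route_lookup(PEER)
    return dev, action


if __name__ == "__main__":
    for name, spd in (("tunnel only", TUNNEL_SPD), ("with passthrough", FIXED_SPD)):
        for dst in ("10.11.0.2", "10.20.0.1"):
            dev, action = forward(spd, "10.11.0.4", dst)
            print(f"{name:17} 10.11.0.4 -> {dst:10} route={route_lookup(dst)} "
                  f"policy={action:11} egress={dev}")
```

Running it shows that with only the tunnel policy the ping to 10.11.0.2 leaves via eth1 inside ESP even though the route table prefers eth0, which is the symptom in the post; with the narrower passthrough policy present, local traffic stays on eth0 while 10.20.0.1 (a constructed remote address) is still tunnelled.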
