[Openswan Users] eth0 connectivity lost using overlapped subnets
Philippe PAULEAU
openswan at cartesis.com
Sun Feb 26 21:02:02 CET 2006
Hi,
The following configuration with overlapping subnets was working fine with
FreeSWAN / KLIPS and ipsec0,
but now using openswan / NETKEY, starting the tunnel is breaking eth0 LAN
connectivity.
                  |-----------|   internet   |------------|
  10.11.0.0/16 ---|openswan gw|--------------|openswan gw |--- 10.0.0.0/8
                  |-----------|              |------------|
              eth0             eth1
          10.11.0.4     82.108.230.82
Tunnel established:
10.11.0.0/16===82.108.230.82...195.115.85.130===10.0.0.0/8
When starting ipsec, the tunnel works fine, but then eth0 does not respond
anymore.
Because the local eth0 subnet is inside the remote LAN subnet used for the tunnel, it
tries to route 10.11.0.0/16 traffic inside the tunnel via the eth1 interface,
instead of sending it in clear on the eth0 interface, so it never reaches its local
destination.
Strange behavior, because eth0 should always be considered as a priority, and
also the route for the /16 subnet is more specific than the /8.
root ~ #route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
82.108.230.80   *               255.255.255.240 U     0      0        0 eth1
10.11.0.0       *               255.255.0.0     U     0      0        0 eth0
default         82.108.230.81   0.0.0.0         UG    0      0        0 eth1
root ~ #ip route
82.108.230.80/28 dev eth1 proto kernel scope link src 82.108.230.85
10.11.0.0/16 dev eth0 proto kernel scope link src 10.11.0.4
default via 82.108.230.81 dev eth1
root ~ #ping 10.11.0.2
PING 10.11.0.2 (10.11.0.2) 56(84) bytes of data.
64 bytes from 10.11.0.2: icmp_seq=1 ttl=128 time=3.55 ms
64 bytes from 10.11.0.2: icmp_seq=2 ttl=128 time=0.191 ms
64 bytes from 10.11.0.2: icmp_seq=3 ttl=128 time=0.209 ms
--- 10.11.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.191/1.317/3.551/1.579 ms
root ~ #service ipsec start
ipsec_setup: Starting Openswan IPsec U2.4.4/K2.6.15.4...
#1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
#2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
#2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
#2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x346cb6b8 <0x7ffdadc9 xfrm=3DES_0-HMAC_SHA1 IPCOMP=>0x0000c8ec <0x0000907b NATD=none DPD=none}
root ~ #ping 10.11.0.2
PING 10.11.0.2 (10.11.0.2) 56(84) bytes of data.
--- 10.11.0.2 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7013ms
root ~ #route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
82.108.230.80   *               255.255.255.240 U     0      0        0 eth1
10.11.0.0       *               255.255.0.0     U     0      0        0 eth0
10.0.0.0        82.108.230.81   255.0.0.0       UG    0      0        0 eth1
default         82.108.230.81   0.0.0.0         UG    0      0        0 eth1
root ~ #ip route
82.108.230.80/28 dev eth1 proto kernel scope link src 82.108.230.85
10.11.0.0/16 dev eth0 proto kernel scope link src 10.11.0.4
10.0.0.0/8 via 82.108.230.81 dev eth1
default via 82.108.230.81 dev eth1
root ~ #service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
root ~ #ping 10.11.0.2
PING 10.11.0.2 (10.11.0.2) 56(84) bytes of data.
64 bytes from 10.11.0.2: icmp_seq=1 ttl=128 time=0.253 ms
64 bytes from 10.11.0.2: icmp_seq=2 ttl=128 time=0.173 ms
--- 10.11.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.173/0.213/0.253/0.040 ms
I should not be the only one with this configuration, so any help would be
appreciated.
Thanks folks
Regards
Philippe
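Added example (Python, not from the post or from Openswan): a small model of why NETKEY differs from KLIPS here. With NETKEY the XFRM policy lookup overrides the route chosen by the FIB whenever a policy selector matches, so the /16 on eth0 being more specific than the /8 never enters the decision; the usual remedy is a more specific passthrough policy for the local LAN (Openswan's type=passthrough connection), modelled as the second SPD. Addresses and routes are taken from the post; the priority numbers are assumed.

```python
from ipaddress import ip_address, ip_network

# Routing table of the left gateway after "service ipsec start" (from the post).
ROUTES = [("82.108.230.80/28", "eth1"), ("10.11.0.0/16", "eth0"),
          ("10.0.0.0/8", "eth1"), ("0.0.0.0/0", "eth1")]

# Security Policy Database entries: (src selector, dst selector, action, priority).
# XFRM uses the matching entry with the lowest priority value; Openswan derives
# the number from selector specificity (the concrete values here are assumed).
TUNNEL_ONLY = [("10.11.0.0/16", "10.0.0.0/8", "ipsec", 2000)]
# What a type=passthrough connection for the local LAN adds: a more specific,
# higher-precedence policy that leaves 10.11.0.0/16 -> 10.11.0.0/16 in clear.
WITH_PASSTHROUGH = TUNNEL_ONLY + [("10.11.0.0/16", "10.11.0.0/16", "allow", 1000)]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match over the FIB, as the kernel does it."""
    best_dev, best_len = None, -1
    for prefix, dev in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best_dev, best_len = dev, net.prefixlen
    return best_dev


def lookup_policy(src, dst, spd):
    """Action of the best matching SPD entry; no match means plain forwarding."""
    hits = [(prio, action) for s, d, action, prio in spd
            if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)]
    return min(hits)[1] if hits else "allow"


def egress(src, dst, spd, routes=ROUTES):
    """Where an outbound packet really goes.

    The FIB picks a route first, but xfrm_lookup() then checks the SPD and, on
    an "ipsec" match, replaces that route with the tunnel path to the peer.
    Route specificity (/16 on eth0 vs /8 via eth1) never enters the decision.
    """
    if lookup_policy(src, dst, spd) == "ipsec":
        return "esp-tunnel via eth1"
    return lookup_route(dst, routes)


if __name__ == "__main__":
    for name, spd in (("tunnel only", TUNNEL_ONLY), ("with passthrough", WITH_PASSTHROUGH)):
        print(f"{name:17s} 10.11.0.4 -> 10.11.0.2 : {egress('10.11.0.4', '10.11.0.2', spd)}")
```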