[Openswan Users] openswan and _updown (quagga)
Brian Candler
B.Candler at pobox.com
Tue Mar 14 11:20:50 CET 2006
On Tue, Mar 14, 2006 at 11:12:10AM +0100, Fabio wrote:
> Each gateway has 2 connections defined in ipsec.conf; for example, gateway A has:
> conn A-B
> ...
> left=192.168.3.2
> right=192.168.3.3
> leftsubnet=192.168.100.0/24
> rightsubnet=192.168.101.0/24
> ...
> conn A-C
> ...
> left=192.168.1.2
> right=192.168.1.1
> leftsubnet=192.168.100.0/24
> rightsubnet=192.168.102.0/24
> ...
>
> Problem: when all connections are UP, it's OK; for example, a ping between a client of
> gateway C and a client of gateway B ends successfully. If a connection goes
> down, quagga updates routes correctly but the VPN connection doesn't work;
> for example, a ping between a client of gateway C and a client of gateway B has
> to cross gateway A, but the ping doesn't reach gateway C.
I expect that's because the ping has a source of 192.168.102.X and a
destination of 192.168.101.Y, but the tunnels from C to A and from A to B do
not match those combinations of source and destination, and therefore will
not carry them.
The generic way to solve this problem is to use GRE or IP-IP tunnels
protected by IPSEC *transport* mode. This is documented in RFC 3884. In this
case, the security policy protects traffic between the GRE/IP-IP tunnel
endpoints, and does not care about the original source or destination IP
addresses of the encapsulated packets.
Whether it is possible to set this up using Openswan I don't know, as I've
never tried to use transport mode with it. I think it will work with
racoon/ipsec-tools.
Regards,
Brian.
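The selector argument above, worked through as an added example (this is not code from the original thread, from Openswan or from quagga): a small model of an IPsec security policy database on gateway A, built from the subnets and gateway addresses in the quoted ipsec.conf. The client host addresses (.10), the per-destination route table quagga is assumed to install, and the transport-mode policies for the RFC 3884 alternative are constructed for illustration; they show that a transit packet 192.168.102.x -> 192.168.101.y matches none of the tunnel-mode selectors, while after GRE encapsulation only the gateway addresses are checked.

```python
# Added example, not from the mailing-list post: model IPsec SPD selector
# matching on gateway A to show why a C-client -> B-client packet is dropped
# by tunnel-mode policies but carried by GRE over transport mode (RFC 3884).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Policy:
    name: str
    src: IPv4Network   # traffic selector: source
    dst: IPv4Network   # traffic selector: destination
    mode: str          # "tunnel" or "transport"


def matching_policy(policies, src, dst):
    """Return the first policy whose selectors cover (src, dst), or None."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if s in p.src and d in p.dst:
            return p
    return None


# Gateway A's SPD as derived from the quoted conn A-B and conn A-C:
# leftsubnet <-> rightsubnet, one policy per direction, tunnel mode.
tunnel_policies = [
    Policy("A-B out", ip_network("192.168.100.0/24"), ip_network("192.168.101.0/24"), "tunnel"),
    Policy("A-B in", ip_network("192.168.101.0/24"), ip_network("192.168.100.0/24"), "tunnel"),
    Policy("A-C out", ip_network("192.168.100.0/24"), ip_network("192.168.102.0/24"), "tunnel"),
    Policy("A-C in", ip_network("192.168.102.0/24"), ip_network("192.168.100.0/24"), "tunnel"),
]

# Hypothetical transport-mode SPD for the RFC 3884 alternative: the policy
# protects the GRE endpoints (the gateways' own addresses from the quoted
# left=/right= lines), not the inner hosts.
transport_policies = [
    Policy("A-B gre", ip_network("192.168.3.2/32"), ip_network("192.168.3.3/32"), "transport"),
    Policy("A-C gre", ip_network("192.168.1.2/32"), ip_network("192.168.1.1/32"), "transport"),
]

# Constructed route table on A: which GRE tunnel (outer src, outer dst) quagga
# would use to reach each remote subnet.
routes_on_A = {
    ip_network("192.168.101.0/24"): ("192.168.3.2", "192.168.3.3"),  # gre to B
    ip_network("192.168.102.0/24"): ("192.168.1.2", "192.168.1.1"),  # gre to C
}


def gre_outer_addresses(inner_dst, routes):
    """Outer (src, dst) of the GRE packet A would emit for inner_dst, or None."""
    d = ip_address(inner_dst)
    for net, outer in routes.items():
        if d in net:
            return outer
    return None


def transit_ping_carried(mode):
    """Can A forward a ping from a C client (.102.10) to a B client (.101.10)?"""
    inner_src, inner_dst = "192.168.102.10", "192.168.101.10"
    if mode == "tunnel":
        # Tunnel mode: selectors are checked against the inner addresses.
        return matching_policy(tunnel_policies, inner_src, inner_dst) is not None
    # Transport mode over GRE: the packet is first routed into a GRE tunnel,
    # and the SPD only sees the outer gateway-to-gateway addresses.
    outer = gre_outer_addresses(inner_dst, routes_on_A)
    return outer is not None and matching_policy(transport_policies, *outer) is not None


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"{mode:9s} mode: transit ping carried = {transit_ping_carried(mode)}")
```

Running it prints that the transit ping is not carried in tunnel mode and is carried in transport mode; the difference is entirely in which addresses the policy lookup inspects, which is the point of the reply.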