[Openswan Users] Policy routing with NETKEY fails

Benny Amorsen benny+usenet at amorsen.dk
Mon Aug 20 06:37:47 EDT 2007


I have been testing a setup with OpenSWAN and NetKey, along with
policy routing.

The test setup involves four routers, three of them with OpenSWAN, and
one without any encryption. All of them run Linux with NETKEY and
openswan 2.4.8. I have tried kernel versions from 2.6.18 to 2.6.22,
with no changes.

Router A is the central VPN router. It has two interfaces, and its IP
address is 10.1.0.1/24 on the unencrypted side (the encrypted side has
a public IP address which doesn't matter). The tunnels to B and C have
leftsubnet=10.0.0.0/8.

Routers B and C are VPN routers. Their IP addresses on the unencrypted
side are 10.2.0.1/24 and 10.3.0.1/24, and again the encrypted side
addresses don't matter. The tunnels have rightsubnet=10.2.0.0/24 and
rightsubnet=10.3.0.0/24.

In that configuration everything just works, and traffic can flow
freely between all the networks.

Now it is decided that traffic from 10.2.0.0/24 to 10.3.0.0/24
should NOT go through the tunnel to 10.3.0.0/24; rather, it should be
sent through a router D with address 10.1.0.2/24. Just the thing that
policy routing was invented for. Therefore:

ip rule add from 10.2.0.0/24 lookup routerd
ip route add 10.3.0.0/24 via 10.1.0.2 table routerd
(Assuming a table named routerd has been made)

However, this doesn't actually work. Somehow the NETKEY stack grabs
the packets destined for 10.3.0.0/24, no matter where they are being
policy routed.

This works, though:
ip route add 10.5.0.0/24 via 10.1.0.2 table routerd
-- as long as there is no IPsec tunnel covering 10.5.0.0/24.

What am I doing wrong?


/Benny
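The behaviour described in the post follows from the Linux output path doing two independent lookups: the routing decision (ip rule, then a routing table, longest-prefix match) and the IPsec security-policy lookup, whose selectors are keyed only on the packet's source and destination. The following added model, which is not code from the post or from Openswan, reproduces that with the post's addresses: the routing rule sends 10.2.0.0/24 -> 10.3.0.0/24 to router D, but the tunnel-C policy (leftsubnet 10.0.0.0/8 covers 10.2.0.0/24 as source) still matches and wins. Table contents, next-hop labels and the policy names are constructed assumptions; the point it demonstrates is that the routing table chosen by a rule has no influence on the policy lookup, so a narrower policy selector, not a route, is what decides which traffic is encrypted.

```python
import ipaddress

# Constructed model of router A from the post. This is an added example, not
# Openswan or kernel code; it assumes the Linux output path runs a routing
# lookup and a separate IPsec policy (SPD) lookup keyed on src/dst selectors.

# Policy-routing rules in priority order: (source selector, table name).
# A selector of None matches every packet, like the default "from all" rules.
RULES = [
    (ipaddress.ip_network("10.2.0.0/24"), "routerd"),   # ip rule add from 10.2.0.0/24 lookup routerd
    (None, "main"),
]

# Routing tables: destination prefix -> next hop (labels are constructed).
TABLES = {
    "routerd": {
        ipaddress.ip_network("10.3.0.0/24"): "10.1.0.2",   # ip route add 10.3.0.0/24 via 10.1.0.2 table routerd
        ipaddress.ip_network("10.5.0.0/24"): "10.1.0.2",   # ip route add 10.5.0.0/24 via 10.1.0.2 table routerd
    },
    "main": {
        ipaddress.ip_network("10.1.0.0/24"): "direct",      # connected LAN on the unencrypted side
        ipaddress.ip_network("0.0.0.0/0"): "public-gw",     # default route on the public side
    },
}

# IPsec policies (SPD), as Openswan installs them from leftsubnet/rightsubnet:
# (source selector, destination selector, tunnel name). Names are constructed.
SPD = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.2.0.0/24"), "tunnel-B"),
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.3.0.0/24"), "tunnel-C"),
]


def table_lookup(table: dict, dst: ipaddress.IPv4Address):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    matches = [net for net in table if dst in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return table[best]


def route_lookup(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address):
    """Walk the rules in order; a table without a matching route falls through
    to the next rule, as the kernel does. Returns (table name, next hop)."""
    for selector, table_name in RULES:
        if selector is not None and src not in selector:
            continue
        nexthop = table_lookup(TABLES[table_name], dst)
        if nexthop is not None:
            return table_name, nexthop
    return None, None


def spd_lookup(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address):
    """IPsec policy lookup: first policy whose selectors cover src AND dst.
    Note that the routing table chosen above is not an input here."""
    for src_sel, dst_sel, tunnel in SPD:
        if src in src_sel and dst in dst_sel:
            return tunnel
    return None


def forward(src: str, dst: str) -> dict:
    """Model the fate of one packet: the route picks a next hop, but if an
    IPsec policy matches, the packet is encrypted toward the tunnel peer
    regardless of which table supplied the next hop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    table, nexthop = route_lookup(s, d)
    tunnel = spd_lookup(s, d)
    return {
        "table": table,
        "nexthop": nexthop,
        "ipsec": tunnel,
        "egress": tunnel if tunnel is not None else nexthop,
    }


if __name__ == "__main__":
    for src, dst in [("10.2.0.5", "10.3.0.7"), ("10.2.0.5", "10.5.0.7"), ("10.1.0.9", "10.3.0.7")]:
        print(src, "->", dst, forward(src, dst))
```

Running it shows 10.2.0.5 -> 10.3.0.7 being routed via table routerd to 10.1.0.2 yet egressing through tunnel-C, while 10.2.0.5 -> 10.5.0.7 matches no policy and leaves in the clear via 10.1.0.2, exactly the two outcomes the post reports. On a real box the equivalent checks are `ip route get 10.3.0.7 from 10.2.0.5 iif <lan>` for the routing side and `ip xfrm policy show` for the policy side; when the policy entry still covers the flow, the route is not the place to fix it.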
