[Openswan Users] Policy routing with NETKEY fails

Paul Wouters paul at xelerance.com
Mon Aug 20 12:46:05 EDT 2007


On Mon, 20 Aug 2007, Benny Amorsen wrote:

> I have been testing a setup with OpenSWAN and NetKey, along with
> policy routing.

> Now it is decided that traffic from the 10.2.0.0/24 to 10.3.0.0/24
> should NOT go through the tunnel to 10.3.0.0/24, rather it should be
> sent through a router D with address 10.1.0.2/24. Just the thing that
> policy routing was invented for. Therefore:

For KLIPS yes, for NETKEY no. Did we mention we like our ipsecX interfaces?

> However, this doesn't actually work. Somehow the NETKEY stack grabs
> the packets destined for 10.3.0.0/24, no matter where they are being
> policy routed.

You will need to add a passthrough conn in ipsec.conf to ensure netkey does
not take those packets. Check the archives for 'conn passthrough' examples.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
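As an added illustration of the passthrough conn Paul refers to (this is not from the thread or from the Openswan examples), here is an ipsec.conf fragment that tells NETKEY to bypass IPsec for exactly the 10.2.0.0/24 to 10.3.0.0/24 traffic that should instead be policy routed via router D. The subnets are taken from Benny's message; `left=%defaultroute`, `right=0.0.0.0` and the conn name are assumptions and may need to match the gateway's real addresses.

```ini
# Added example, not part of the original thread.
# Bypass conn so NETKEY leaves 10.2.0.0/24 -> 10.3.0.0/24 alone and
# the kernel's policy routing (ip rule / ip route via 10.1.0.2) applies.
conn passthrough-10.2-to-10.3
    # type=passthrough installs a bypass policy instead of negotiating an SA
    type=passthrough
    # no authentication or keying is involved for a bypass
    authby=never
    # assumption: the local gateway is on its default-route interface
    left=%defaultroute
    leftsubnet=10.2.0.0/24
    # assumption: 0.0.0.0 as the conventional placeholder peer for passthrough
    right=0.0.0.0
    rightsubnet=10.3.0.0/24
    # install the policy at startup without starting any negotiation
    auto=route
```

After `ipsec setup restart` (or `ipsec auto --route passthrough-10.2-to-10.3`), `ip xfrm policy` should list a `src 10.2.0.0/24 dst 10.3.0.0/24 dir out` entry with no `tmpl` line, which is the bypass. The bypass only helps if it wins the kernel's policy lookup over the tunnel policy, so keep its selectors at least as narrow as the tunnel conn's subnets, and confirm with `ip route get 10.3.0.1 from 10.2.0.1` that the chosen next hop is 10.1.0.2 rather than the tunnel.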