[Openswan Users] Routing problem

Paul Wouters paul at xelerance.com
Tue Feb 6 16:02:05 EST 2007


On Tue, 6 Feb 2007, Ludovic wrote:

> At the beginning, on my ipcop boxes, there was openswan-1.0.7 and it works
> well. Now, I am trying to upgrade to openswan-2.4.7 but I have some
> problems.
>
> On ipcop, ipsec is running when vpn service is activated even if there is no
> configured tunnel. For example, I can create vpn between the two ipcop boxes
> and traffic goes through tunnel perfectly. Problems begin when I disable the
> tunnel. When there is no activated tunnel, I can't reach the
> 192.167.7.1 interface from PC1 while I can reach it if tunnel is
> activated.

I am not sure if this is something ipcop specific. If you define a tunnel,
and load it, but not bring it up, packets for that destination will be
dropped, as we have a loaded policy that says "these packets must get
encrypted" but we have no working tunnel for them.

> A tcpdump on eth2 and ipsec0 show that, when tunnel is disabled, traffic from
> PC1 to 192.168.7.1 goes through ipsec0 interface.

So that means the tunnel is probably loaded, but not started. The term "disabled"
is a bit confusing here.

> I don't really understand why I can reach R1 when tunnel is activated and I
> can't reach it when tunnel is disabled. Do you have any idea?

Because when active, the packets get encrypted and go through the tunnel.
When the tunnel is down, but loaded (auto=add), the packets are dropped
because they need encryption which is not available.

> Just another question, why is route to 192.168.7.0/24 via ipsec0 inserted
> in routing table?

So that packets can be considered for encryption.

> Can I delete this route when
> tunnel is disabled and add it again when I want to enable tunnel ?

Again, I don't know what "disabled" and "enabled" mean on ipcop. You should not
delete the route, as it protects against accidental leakage of unencrypted
packets. If you want to allow plaintext packets to go through, delete
the connection (or prevent it from being loaded). If you load the connection,
it is assumed that packets will need to be encrypted.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
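The fail-closed behaviour Paul describes (a loaded conn whose tunnel is down drops matching packets, a conn that is never loaded lets them leave in plaintext) as an added illustration, not code from the thread or from Openswan. It parses a constructed ipsec.conf fragment; the conn names, peer addresses and the auto=ignore conn are assumptions for the example, only 192.168.7.0/24 comes from the mail.

```python
"""Model of what happens to a packet under an Openswan policy:
'encrypt' if the matching tunnel is up, 'drop' if the conn is loaded
(auto=add) but not up, 'plaintext' if no policy covers the destination."""
import ipaddress
import re

# Constructed ipsec.conf fragment (not from the original thread).
SAMPLE_IPSEC_CONF = """\
conn ipcop-a
    left=10.0.0.1
    leftsubnet=192.168.1.0/24
    right=10.0.0.2
    rightsubnet=192.168.7.0/24
    auto=add

conn branch
    left=10.0.0.1
    leftsubnet=192.168.1.0/24
    right=10.0.0.3
    rightsubnet=192.168.9.0/24
    auto=ignore
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def classify(dst, conns, established):
    """Fate of a packet to dst; established is the set of conns whose
    tunnel is currently negotiated and up."""
    ip = ipaddress.ip_address(dst)
    for name, conn in conns.items():
        if conn.get("auto", "ignore") == "ignore":
            continue  # never loaded: no policy, packets leave unencrypted
        if ip in ipaddress.ip_network(conn["rightsubnet"]):
            # policy is loaded: either encrypt or refuse to send plaintext
            return "encrypt" if name in established else "drop"
    return "plaintext"
```

Running classify("192.168.7.1", ...) with an empty established set reproduces the "unreachable when the tunnel is disabled" symptom from the mail.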
