[Openswan Users] Tunnel setup limitation
Alain RICHARD
alain.richard at equation.fr
Fri Jun 1 05:18:21 EDT 2007
On 31 May 07 at 16:02, Paul Wouters wrote:
> On Thu, 31 May 2007, Alain RICHARD wrote:
>
>> My problem is that if I try to establish the following tunnels :
>>
>> a) 192.168.50.0/24 - GW1 - GW2 - 192.168.1.0/24
>> b) 192.168.60.0/24 - GW1 - GW3 - 192.168.1.0/24
>
> So how would the ipsec server (whether it be kernel or userland) know
> whether these were two "different" 192.168.1.0/24's or whether they
> would be the "same"?
>
The destination network, 192.168.1.0/24, is the same network. On that
private network I have set up two gateways (GW2 and GW3), using two
different internet accesses (so getting two different public addresses
and two separate bandwidths).
>> I get a problem because GW1 refuses to establish tunnel b when
>> tunnel a is already up (and if the reverse is true: it refuses to
>> establish tunnel b when tunnel a is already up).
>
> Yes, because a subnet can only live on 1 place.
>
>> In my case, I am using netkey and not klips. I don't know if this
>> is a limitation of klips, but this is not a limitation of netkey as
>> it is possible to set this up using setkey -P or ip xfrm policy.
>
> Yes, you can define complete bogus policies manually with those tools.
On the GW1 station, I use only one internet connection, so basically
the 192.168.1.0/24 network is routed through the eth0 interface. On the
policy side, it is legal and not bogus to get a policy to tunnel
192.168.50.0/24 <-> 192.168.1.0/24 through GW2 and 192.168.60.0/24 <->
192.168.1.0/24 through GW3.
The problem is that pluto checks that in that case the 192.168.1.0
network is routed through the same dev (eth0) AND the same public
destination address. I think that a check on the same dev is enough,
don't you think?
>> So it seems to be a big limitation in pluto.
>
> It's not a bug - it's a security feature.
>
>> I have opened a bug# 800 on http://bugs.xelerance.com.
>
> I think what you really want to do, is setup two different host-host
> IPsec tunnels, and use something like GRE inside.
> See: http://www.xelerance.com/talks/lk2003/
>
I will look at these papers. GRE is probably a way to go that I need
to investigate.
> Paul
Thank you,
--
Alain RICHARD <mailto:alain.richard at equation.fr>
EQUATION SA <http://www.equation.fr/>
Tel : +33 477 79 48 00 Fax : +33 477 79 48 01
E-Liance, Operator for businesses and local authorities,
Fibre optic, SDSL and ADSL links <http://www.e-liance.fr>
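The two policies discussed in this exchange, modelled as an added example that is not part of the thread or of Openswan: it renders tunnels a) and b) as the `ip xfrm policy` lines Alain mentions, performs a kernel-style SPD lookup on the (src, dst) selector pair to show that both policies can coexist unambiguously, and then applies a check that keys only on the remote subnet and interface (a model of the pluto behaviour as Alain describes it, not pluto's actual code) to show where the collision he reports comes from. The public gateway addresses are constructed placeholders; the inner subnets are the ones from the message.

```python
"""Added example (not from the thread): models the two policies Alain
describes and shows why the kernel SPD can hold both while a check that
keys only on (destination subnet, interface) reports a collision."""
import ipaddress
from dataclasses import dataclass

# Constructed placeholder public addresses for the three gateways (not in the message).
GW1_PUB = "203.0.113.1"
GW2_PUB = "198.51.100.2"
GW3_PUB = "198.51.100.3"


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network   # local (inner) subnet behind GW1
    dst: ipaddress.IPv4Network   # remote (inner) subnet
    peer: str                    # tunnel endpoint (outer destination address)
    dev: str                     # interface the remote subnet is routed through


def policy(src, dst, peer, dev="eth0"):
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst), peer, dev)


# Tunnels a) and b) from the message, both leaving GW1 via eth0.
POLICIES = [
    policy("192.168.50.0/24", "192.168.1.0/24", GW2_PUB),
    policy("192.168.60.0/24", "192.168.1.0/24", GW3_PUB),
]


def ip_xfrm_commands(local_pub, policies):
    """Render each policy as an outbound iproute2 `ip xfrm policy add` line.
    Matching SAs (ip xfrm state) would still have to be installed separately."""
    return [
        f"ip xfrm policy add src {p.src} dst {p.dst} dir out "
        f"tmpl src {local_pub} dst {p.peer} proto esp mode tunnel"
        for p in policies
    ]


def kernel_lookup(policies, src_ip, dst_ip):
    """Kernel-style SPD lookup: a policy matches on the (src, dst) selector
    pair, so the two policies above never both match a single packet.
    Returns the peer to tunnel to, or None if no policy matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if s in p.src and d in p.dst]
    if len(matches) > 1:
        raise ValueError("ambiguous selectors: %r" % matches)
    return matches[0].peer if matches else None


def dst_dev_conflicts(policies):
    """Model of the check Alain describes: key on remote subnet and interface
    only. Returns the (subnet, dev) keys that map to more than one peer, which
    is exactly the situation GW1 rejects in the thread."""
    seen = {}
    for p in policies:
        seen.setdefault((p.dst, p.dev), set()).add(p.peer)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print("\n".join(ip_xfrm_commands(GW1_PUB, POLICIES)))
    print(kernel_lookup(POLICIES, "192.168.50.10", "192.168.1.5"))   # GW2
    print(kernel_lookup(POLICIES, "192.168.60.10", "192.168.1.5"))   # GW3
    print(dst_dev_conflicts(POLICIES))   # one conflicting (subnet, dev) key
```

The lookup succeeds because the source subnet is part of the selector; a check that drops the source subnet and the peer address from its key cannot tell the two tunnels apart, which is the collision Alain reports and the ambiguity Paul's question points at.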