[Openswan Users] KLIPS eroute selection question

Vassil Panayotov vassil.panayotov at gmail.com
Thu Mar 8 02:51:02 EST 2007


Hi,

I have a question regarding the eroute selection in KLIPS. We have a big
network and we want to build a sort of hierarchical VPN network. We have
many branch offices that are subordinate to a regional office and all
regional offices are subordinate to the central office.

Example address plan:
Branch Office1 - 10.2.10.0/24
Branch Office2 - 10.2.11.0/24

Regional Office1: 10.2.0.0/16 - this network includes the network in the
regional office itself and the networks in the branch offices subordinate to
this regional office (e.g. both of the above branches are subordinate to this
one).
Regional Office2: 10.3.0.0/16 and so on...

Central Office: 10.0.0.0/16

We want to build IPsec connections like this:

                                   10.2.0.0/24
                                       |
10.2.10.0/24 ----- RBO1 =====\         |
                              |===== RRO1 =====\
10.2.11.0/24 ----- RBO2 =====/                  |======== RCO ------- 10.0.0.0/24
                                                |
                               ===== RRO2 =====/
                               (net 10.3.0.0/16)

Where:
   RBO - Router Branch Office
   RRO - Router Regional Office
   RCO - Router Central Office
   "=" - IPsec tunnel
   "-" - Connection to LAN

We want to build the net this way so that the RROs are able to enforce
policies on branch office interconnections and the RCO can enforce policies on
Regional Office interconnections.

But we have problems because the eroute is selected based on the source IP first.
For example:
eroute branch office:
84         10.2.10.0/24       -> 0.0.0.0/0          => tun0x10c2 at X.X.X.X
i.e. we want all traffic to be forwarded through the tunnel to the RRO. No
problems here.

eroute regional office:
108        0.0.0.0/0          -> 10.2.10.0/24       => tun0x1012 at X.X.X.X (to
branch office)
299        10.2.0.0/16        -> 10.0.0.0/8         => tun0x1014 at X.X.X.X (to
the central and other Regional Offices)

The problem that I see is with these eroutes. Let's see what happens when a
user from the Regional Office 1 LAN wants to send a packet to the branch
office.
For example:
10.2.0.1 -> 10.2.10.1

The route is selected based on the best matched source address first, so
KLIPS tries to send the packet to the 10.2.0.0/16 -> 10.0.0.0/8 eroute
instead of 0.0.0.0/0 -> 10.2.10.0/24. So the packet is sent to the Central
Office and not to the Branch Office.

Is there a way to override this eroute selection algorithm?

Thank you for your patience :).

Best Regards,
Vassil
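As an added illustration (not from the post and not Openswan/KLIPS code), the selection behaviour the mail describes modelled in Python: a source-prefix-first lookup against the regional office's eroute table, beside the destination-first lookup the poster wants, plus a small audit helper that lists the flows where the two disagree. The exact tie-break order is an assumption taken from the post's description, and the tunnel labels are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed from the eroute listing in the post; tunnel endpoints are placeholders.
RRO1_EROUTES = [
    ("0.0.0.0/0",   "10.2.10.0/24", "tun0x1012"),   # to branch office 1
    ("10.2.0.0/16", "10.0.0.0/8",   "tun0x1014"),   # to central / other regional offices
]


def _candidates(src, dst, eroutes):
    """Every eroute whose source and destination selectors both cover the packet."""
    s, d = ip_address(src), ip_address(dst)
    return [(ip_network(es), ip_network(ed), tun) for es, ed, tun in eroutes
            if s in ip_network(es) and d in ip_network(ed)]


def select_source_first(src, dst, eroutes):
    """Model of the behaviour the post describes (an assumption, not KLIPS code):
    the longest matching source prefix wins; destination length only breaks ties."""
    cands = _candidates(src, dst, eroutes)
    if not cands:
        return None
    return max(cands, key=lambda c: (c[0].prefixlen, c[1].prefixlen))[2]


def select_destination_first(src, dst, eroutes):
    """The ordering the poster would like: the longest destination prefix wins."""
    cands = _candidates(src, dst, eroutes)
    if not cands:
        return None
    return max(cands, key=lambda c: (c[1].prefixlen, c[0].prefixlen))[2]


def misdirected_flows(flows, eroutes):
    """Audit helper: flows where the two orderings disagree, i.e. traffic that the
    source-first lookup pushes down a tunnel the hierarchical policy did not intend."""
    out = []
    for src, dst in flows:
        got = select_source_first(src, dst, eroutes)
        want = select_destination_first(src, dst, eroutes)
        if got != want:
            out.append((src, dst, got, want))
    return out


if __name__ == "__main__":
    # The packet from the post (regional LAN host -> branch host) and one that is fine.
    sample = [("10.2.0.1", "10.2.10.1"), ("10.2.0.1", "10.0.0.5")]
    for src, dst, got, want in misdirected_flows(sample, RRO1_EROUTES):
        print(f"{src} -> {dst}: selected {got}, intended {want}")
```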