[Openswan Users] Easy Routing Question

Andy Gay andy at andynet.net
Mon May 14 22:51:55 EDT 2007


Jae - check out these threads on the same subject:
http://lists.openswan.org/pipermail/users/2006-August/010409.html
http://lists.openswan.org/pipermail/users/2006-August/010463.html
http://lists.openswan.org/pipermail/users/2006-August/010472.html

A quick fix for your case - you need to run 2 commands once your tunnel
is up:
ip xfrm policy add dir in src 10.20.108.0/24 dst 10.20.108.0/24
ip xfrm policy add dir out src 10.20.108.0/24 dst 10.20.108.0/24

It's quite simple to use a leftupdown= setting to define a custom updown
script and run those commands from that script.

This is getting to be a real FAQ. Does anyone know how to use this
mystical passthrough conn approach to solve this? Seems everyone who's
tried just reports how it failed to have any effect...

- Andy


On Mon, 2007-05-14 at 14:13 -0700, Jae Chang wrote:
> Hi Paul... thanks for the pointer. However, adding the passthrough 
> connection has not made any difference. I added the passthrough 
> connection on the gateway with the 10.20.108.0/24 local network. 
> However, local network traffic is still going over the secure tunnel, 
> instead of going thru the local interface.
> 
> I must be missing something?! Thanks!
> 
> jae
> 
> Paul Wouters wrote:
> > On Mon, 14 May 2007, Jae Chang wrote:
> >
> >> I am converting an old freeswan gateway to openswan. I ran into this
> >> issue, which is different between the 2 versions.
> >>
> >> The gateway's local interface: 10.20.108.0/24
> >>
> >> An ipsec tunnel is configured with rightsubnet=10.0.0.0/8 (corporate
> >> network).
> >>
> >> Freeswan worked the way you would expect. Send all local traffic to the
> >> local interface. Everything else with a private ip 10.x.y.z., send thru
> >> the tunnel.
> >>
> >> Surprisingly, Openswan is now sending all traffic to the local network,
> >> thru the secure tunnel! The local network does not seem to have
> >> priority, in this case.
> >>
> >> If i do "% ip route", it shows the local network with higher priority
> >> than the secure tunnel. I can't understand why this would not work the
> >> way you would expect? Is there something I am missing with Openswan?
> >>
> >> Any info is greatly appreciated!!
> >
> > You are probably using netkey, not klips, in which case you need to
> > exclude your local lan if it overlaps with a tunnel by adding a passthrough
> > connection.
> >
> > conn passthrough
> > 	left=gatewayip
> > 	leftsubnet=10.20.108.0/24
> > 	right=0.0.0.0
> > 	rightsubnet=0.0.0.0/0
> > 	auto=route
> > 	authby=never
> > 	type=passthrough
> >
> > Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
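A custom leftupdown= script along the lines Andy describes, added here as an example (it is not from the thread or from the Openswan project): on up-client it installs the two bypass policies for the gateway's own LAN, on down-client it removes them, and it hands the normal route and firewall work to the stock _updown script. The stock script path /usr/lib/ipsec/_updown and the script's own file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Openswan): a custom leftupdown= script
# for an Openswan gateway on NETKEY. On up-client it installs "bypass" xfrm
# policies for the gateway's own LAN so LAN-to-LAN traffic is no longer caught
# by the broader 10.0.0.0/8 tunnel policy; on down-client it removes them.
# Assumed, not from the thread: the stock script path /usr/lib/ipsec/_updown
# and the ipsec.conf line   leftupdown=/etc/ipsec.d/lan-bypass-updown

LOCAL_LAN="${LOCAL_LAN:-10.20.108.0/24}"   # the gateway's local interface network
IP="${IP:-ip}"                             # overridable so the logic can be exercised offline
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}"

# Map the verb pluto passes in PLUTO_VERB to the xfrm policy action needed.
# Only the client (subnet) events matter; host and route verbs change nothing.
verb_to_action() {
    case "$1" in
        up-client)   echo add ;;
        down-client) echo delete ;;
        *)           echo none ;;
    esac
}

# Install or remove the pair of policies. A policy with no IPsec template is a
# bypass policy: the kernel leaves matching packets alone. Priority 0 (the
# default for manually added policies) is the highest precedence, so the
# bypass is matched before pluto's tunnel policy for 10.0.0.0/8.
lan_bypass() {
    action="$1"
    $IP xfrm policy "$action" dir in  src "$LOCAL_LAN" dst "$LOCAL_LAN" &&
    $IP xfrm policy "$action" dir out src "$LOCAL_LAN" dst "$LOCAL_LAN"
}

# Entry point used by pluto: keep the stock behaviour, then adjust the bypass.
updown_main() {
    if [ -x "$STOCK_UPDOWN" ]; then
        "$STOCK_UPDOWN" "$@" || return 1
    fi
    action=$(verb_to_action "${PLUTO_VERB:-}")
    [ "$action" = none ] || lan_bypass "$action"
}

# Run only when invoked by pluto (PLUTO_VERB set), not when sourced for tests.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main "$@"
fi
```

`ip xfrm policy add` refuses a duplicate with "File exists", so a stale pair left behind by a pluto restart that skipped down-client makes the next up-client fail until it is deleted by hand; `ip xfrm policy` with no arguments lists what is currently installed.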