[Openswan Users] Tunnel setup limitation

Alain RICHARD alain.richard at equation.fr
Thu May 31 08:44:33 EDT 2007


Hi,

I need to establish a VPN using this setup:


GW1 ---------- GW2 --|
    |                | 192.168.1.0/24
    |----------GW3 --|

GW1, GW2 and GW3 are IPSec gateways. GW2 and GW3 are serving the same  
intranet network, but are using two different internet lines to do it  
(for backup and load balancing reasons).

My problem is that if I try to establish the following tunnels:

a) 192.168.50.0/24 - GW1 - GW2 - 192.168.1.0/24
b) 192.168.60.0/24 - GW1 - GW3 - 192.168.1.0/24

I get a problem because GW1 refuses to establish tunnel b when tunnel  
a is already up (and the reverse is also true: it refuses to establish  
tunnel a when tunnel b is already up).

The problem is in the openswan code, which considers that all tunnels  
destined to network 192.168.1.0/24 must use the same public address.  
This is shown in programs/pluto/kernel.c, function could_route:

static enum routability
could_route(struct connection *c)
{
...
    if (ro != NULL && !routes_agree(ro, c))
    {
        loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""
            , ro->name);
        return route_impossible;  /* another connection already
                                     using the eroute */
    }
...
}

where routes_agree checks that the new connection shares the same  
dev and nexthop as the first other tunnel that is going to the same  
destination network.

In my case, I am using netkey and not klips. I don't know if this is  
a limitation of klips, but it is not a limitation of netkey, as it  
is possible to set this up using setkey -P or ip xfrm policy.

So it seems to be a big limitation in pluto.

One simple solution I have used is to set up these two tunnels:

a) 192.168.50.0/24 - GW1 - GW2 - 192.168.1.0/24
b) 192.168.60.0/24 - GW1 - GW3 - 192.168.1.0/25

This is not perfect, as hosts on the 192.168.60.0/24 network see only  
hosts 192.168.1.1 to 192.168.1.126 on the other side, but in my case  
it was enough.

I have opened bug #800 on http://bugs.xelerance.com.

Regards,

-- 
Alain RICHARD <mailto:alain.richard at equation.fr>
EQUATION SA <http://www.equation.fr/>
Tel : +33 477 79 48 00     Fax : +33 477 79 48 01
E-Liance, operator for businesses and local authorities,
fibre optic, SDSL and ADSL links <http://www.e-liance.fr>
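[Added example, not part of the original post and not Openswan's code.] The post describes the rule enforced by could_route/routes_agree and the /25 workaround only in prose. The Python model below reproduces that rule as described (a second connection to an identical remote subnet is refused unless it shares dev and nexthop with the first) and runs it over constructed data, so the symmetric refusal, the same-path case that is allowed, the narrowed-subnet workaround and the hosts it loses can all be checked. The Connection record, the interface names and the nexthop addresses (documentation ranges) are assumptions of the model; the post does not give them.

```python
"""Model of the could_route()/routes_agree() rule described in the post.

Added illustration only: this is not Openswan's code. It implements the rule
as the post states it and checks the post's two scenarios on constructed data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Connection:
    """One pluto connection as seen from GW1 (modelling assumption, not pluto's struct)."""
    name: str
    local_client: IPv4Network   # subnet behind GW1
    remote_client: IPv4Network  # subnet behind the peer gateway
    dev: str                    # interface GW1 sends the tunnel out of
    nexthop: IPv4Address        # next hop GW1 uses to reach the peer


def routes_agree(a, b):
    """The rule the post describes: routes agree only on the same dev and nexthop."""
    return a.dev == b.dev and a.nexthop == b.nexthop


def route_owner(routed, c):
    """First already-routed connection with an identical remote subnet.

    Only an identical subnet counts, not an overlapping one; that is what the
    post's /25 workaround relies on.
    """
    for ro in routed:
        if ro.remote_client == c.remote_client:
            return ro
    return None


def could_route(routed, c):
    """Return ('route_impossible', log message) or ('route_ok', None)."""
    ro = route_owner(routed, c)
    if ro is not None and not routes_agree(ro, c):
        return "route_impossible", 'cannot route -- route already in use for "%s"' % ro.name
    return "route_ok", None


def bring_up(routed, c):
    """Try to route c; record it as routed on success."""
    verdict, msg = could_route(routed, c)
    if verdict == "route_ok":
        routed.append(c)
    return verdict, msg


# Constructed data: the two tunnels from the post, plus a third subnet that
# also goes via GW2.  Interface names and nexthops are invented (documentation
# address ranges); the post does not give them.
TUNNEL_A = Connection("a", IPv4Network("192.168.50.0/24"),
                      IPv4Network("192.168.1.0/24"), "eth1", IPv4Address("203.0.113.1"))
TUNNEL_B = Connection("b", IPv4Network("192.168.60.0/24"),
                      IPv4Network("192.168.1.0/24"), "eth2", IPv4Address("198.51.100.1"))
TUNNEL_C = Connection("c", IPv4Network("192.168.70.0/24"),
                      IPv4Network("192.168.1.0/24"), "eth1", IPv4Address("203.0.113.1"))


def scenario(first, second):
    """Bring up `first`, then `second`; return both verdicts and the log line."""
    routed = []
    v1, _ = bring_up(routed, first)
    v2, msg = bring_up(routed, second)
    return v1, v2, msg


def workaround(tunnel, remote):
    """The post's workaround: narrow the second tunnel's remote subnet."""
    return Connection(tunnel.name, tunnel.local_client, IPv4Network(remote),
                      tunnel.dev, tunnel.nexthop)


def unreachable_via(remote_full, remote_narrow):
    """Hosts behind the peer that the narrowed tunnel can no longer reach."""
    full, narrow = IPv4Network(remote_full), IPv4Network(remote_narrow)
    return [str(n) for n in full.address_exclude(narrow)]


if __name__ == "__main__":
    print(scenario(TUNNEL_A, TUNNEL_B))       # b refused: different dev/nexthop
    print(scenario(TUNNEL_B, TUNNEL_A))       # and the reverse order is refused too
    print(scenario(TUNNEL_A, TUNNEL_C))       # same path via GW2: allowed
    print(scenario(TUNNEL_A, workaround(TUNNEL_B, "192.168.1.0/25")))
    print(unreachable_via("192.168.1.0/24", "192.168.1.0/25"))
```

The model keys route ownership on an identical remote subnet, which is the only reading of the post under which narrowing tunnel b to 192.168.1.0/25 gets past the check; the last call shows the price of that workaround, the 192.168.1.128/25 half of the intranet that hosts behind tunnel b can no longer reach.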

