[Openswan Users] Help required - routing ipsec (native Kernel 2.6) on a multi-homed host?

Alex Ip alex at trentham.net.au
Thu Nov 8 01:32:17 EST 2007


G'day all...

	I have a local VPN node with two pppoe ADSL links to the internet. I
am trying to segregate the VPN traffic from the general internet traffic
(e-mail, porn, surfing etc.) and the only way I've been able to do this is
by overriding the default route for all of the remote VPN nodes (each with a
single internet-connected interface) so that all of their outbound traffic
goes via the designated VPN-specific interface (ppp1). This works quite
nicely, but, unfortunately, it seems to create problems at the other nodes
with some protocols when they try to connect to the local node via the
general interface (ppp0) presumably because the return path is via the
VPN-specific interface (ppp1). For example, pings from the remote nodes to
the VPN interface work quite happily, but they fail when directed to the
general interface. The most pressing problem is that SMTP fails from the
remote nodes and there is apparently no easy way for me to direct that
traffic to the VPN interface instead of the default general one.

	Can anyone suggest a nicer way for me to put all ipsec traffic on
one interface using the native 2.6 kernel ipsec stack while leaving
everything else (preferably including the unencrypted node-node traffic) on
the other? It looks like I can force ipsec to use a particular interface if
I use Klips, but I am trying to avoid having to install and maintain Klips
if I can help it. Note that ipsec works just fine so long as the routing is
set up correctly beforehand. I hope I've explained the problem clearly
enough - thanks in anticipation.

Regards,

Alex.


