[Openswan Users] Help required - routing ipsec (native Kernel 2.6) on a multi-homed host?

Paul Wouters paul at xelerance.com
Sat Nov 10 00:24:01 EST 2007


On Sat, 10 Nov 2007, Alex Ip wrote:

>
> 	In a nutshell, I would prefer not to have to override the default
> routing for anything, but instead tell ipsec to send/receive the encrypted
> packets on a different interface. Is it possible to do this with the native
> 2.6 stack?

KLIPS works by routing packets into the ipsecX devices. Then KLIPS policies
pick up the right packets, and the others are either dropped, or sent via
the interfaces coupled with the ipsecX device (depending on the eroute for
the packet, and the failureshunt parameter).

NETKEY "steals" packets from the stack (even after the point where tcpdump
can see them) and encrypts them and sends them onward. If there is no
matching policy, the packets should pass through unchanged/unhindered.

> I should also mention a complication in that the next hop for
> each of the two pppoe interfaces is dynamic and is sometimes the same
> between the two, so overriding the ipsec leftnexthop/rightnexthop definition
> doesn't help me.

You might be better off setting up GRE tunnels and creating a single virtual
interface over all lines, and doing some ipsec tunneling within those.

But prob the easiest solution will be to use advanced routing (ip route and
ip rule) to send packets into the klips interface(s).

Paul
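An added example of the "advanced routing" approach Paul mentions, not code from the thread or from Openswan. It takes the NETKEY case (the native 2.6 stack the original poster has), where there is no ipsecX device to route into: locally generated IKE (UDP 500/4500) and ESP (IP protocol 50) packets are marked in the mangle table, and an `ip rule` sends marked packets to a separate routing table whose only route points at the chosen PPPoE link. The default route is left alone. Because a ppp interface is point-to-point, the route needs no `via`, which sidesteps the dynamic-nexthop complication. The interface name, mark value and table number are assumptions; by default the script only prints the commands (RUN=echo), set RUN="" to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing so that IKE and ESP leave
# through a chosen PPPoE link while the default route stays untouched.
# IPSEC_IF, MARK and TABLE are assumed values; adjust for the host.
set -e

IPSEC_IF="${IPSEC_IF:-ppp1}"   # assumed: the link that should carry the encrypted packets
MARK="${MARK:-0x10}"           # assumed fwmark; must not collide with marks used elsewhere
TABLE="${TABLE:-100}"          # assumed routing table number (1-252 are free on a stock system)
RUN="${RUN:-echo}"             # RUN="" applies the commands; the default only prints them

# Mark locally generated IKE (UDP 500, NAT-T 4500) and ESP (protocol 50) packets.
# OUTPUT is used because these packets originate on this host.
mark_ipsec_traffic() {
    $RUN iptables -t mangle -A OUTPUT -p udp --dport 500 -j MARK --set-mark "$MARK"
    $RUN iptables -t mangle -A OUTPUT -p udp --dport 4500 -j MARK --set-mark "$MARK"
    $RUN iptables -t mangle -A OUTPUT -p esp -j MARK --set-mark "$MARK"
}

# Marked packets are looked up in a dedicated table whose only route is the ppp link.
# A point-to-point interface takes "dev" without "via", so the peer address that
# changes on every PPPoE reconnect never has to appear here.
route_marked_traffic() {
    $RUN ip route add default dev "$IPSEC_IF" table "$TABLE"
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE"
    $RUN ip route flush cache   # 2.6 kernels keep a route cache; flush so the rule takes effect
}

# Usage: RUN="" IPSEC_IF=ppp1 sh ipsec-route.sh   (without RUN="" the commands are only printed)
mark_ipsec_traffic
route_marked_traffic
```

Two things to check after applying this: the `left=` address in the Openswan conn must be the address of the interface the marked packets now leave on, otherwise the peer sees ESP from an address it did not negotiate with; and if `net.ipv4.conf.*.rp_filter` is enabled, replies arriving on the other PPPoE link are dropped as spoofed, so either relax it on the two ppp interfaces or make sure the peer reaches you over the same link. With KLIPS the same `ip rule`/table mechanism applies, but the table would route the plaintext destination into the ipsecX device rather than marking ESP.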

