[Openswan Users] Help required - routing ipsec (native Kernel 2.6) on a multi-homed host?

Alex Ip user001 at eatsrootsandleaves.com
Wed Nov 21 18:06:37 EST 2007


G'day Paul...

	I've had a go at setting up ip routes and ip rules using
http://linux-ip.net/html/adv-multi-internet.html as a guide, but I haven't
had any success. This is the first time I've had to use advanced routing, so
I was wondering whether you might be able give me some suggestions as to how
to mark the ipsec traffic for custom routing. Can you spot any obvious
problems with the configuration below? 

	Note that the subnets 192.168.1.0/24 on eth1 and 192.168.10.0/24 on
eth2 are not actually used as these interfaces only support pppoe on ppp0
and ppp1 respectively. The local subnet is 192.168.0.0/24 and all other
192.168.0.0/16 addresses are out on the VPN (as are the ones in the
10.0.0.0/8 address space).

Thanks in anticipation,

Alex.



Below are the relevant sections of the firewall script:

#!/bin/bash
modprobe ip_conntrack_ftp
IPTABLES="/sbin/iptables"

EXTERNAL_INTERFACE="ppp0"             # Internet-connected interface
VPN_EXTERNAL_INTERFACE="ppp1"         # Internet-connected VPN interface
EXTERNAL_IPADDR="150.101.164.102"     # Public IP address
VPN_EXTERNAL_IPADDR="150.101.223.45"  # Public VPN IP address
LOOPBACK_INTERFACE="lo"               # However your system names it
INTERNAL_NETWORK="192.168.0.0"        # The address of the internal network,
not the network address
INTERNAL_INTERFACE="eth0"             # LAN interface
INTERNAL_IPADDR="192.168.0.254"       # LAN IP address
INTERNAL_NETWORK_MASK="24"            # The internal network mask
INTERNAL_BROADCAST="192.168.0.255"    # The internal network broadcast
address
ALL_ADDRESSES="0.0.0.0/0"

#...

# Mark any IPSEC packets for custom routing
$IPTABLES -t mangle -I PREROUTING -p esp -s $VPN_EXTERNAL_IPADDR -j MARK
--set-mark 1
$IPTABLES -t mangle -I PREROUTING -p ah -s $VPN_EXTERNAL_IPADDR -j MARK
--set-mark 1
$IPTABLES -t mangle -I PREROUTING -p tcp --dport 500 -s $VPN_EXTERNAL_IPADDR
-j MARK --set-mark 1
$IPTABLES -t mangle -I PREROUTING -p udp --dport 500 -s $VPN_EXTERNAL_IPADDR
-j MARK --set-mark 1
$IPTABLES -t mangle -I PREROUTING -p tcp --dport 4500 -s
$VPN_EXTERNAL_IPADDR -j MARK --set-mark 1
$IPTABLES -t mangle -I PREROUTING -p udp --dport 4500 -s
$VPN_EXTERNAL_IPADDR -j MARK --set-mark 1

# Accept incoming ipsec packets
$IPTABLES -I INPUT -p esp -i $VPN_EXTERNAL_INTERFACE -s $ALL_ADDRESSES -d
$VPN_EXTERNAL_IPADDR -j ACCEPT
$IPTABLES -I INPUT -p ah -i $VPN_EXTERNAL_INTERFACE -s $ALL_ADDRESSES -d
$VPN_EXTERNAL_IPADDR -j ACCEPT
$IPTABLES -I INPUT -p tcp -i $VPN_EXTERNAL_INTERFACE -s $ALL_ADDRESSES -d
$VPN_EXTERNAL_IPADDR --dport 500 -j ACCEPT
$IPTABLES -I INPUT -p udp -i $VPN_EXTERNAL_INTERFACE -s $ALL_ADDRESSES -d
$VPN_EXTERNAL_IPADDR --dport 500 -j ACCEPT
$IPTABLES -I INPUT -p tcp -i $VPN_EXTERNAL_INTERFACE -s $ALL_ADDRESSES -d
$VPN_EXTERNAL_IPADDR --dport 4500 -j ACCEPT
$IPTABLES -I INPUT -p udp -i $VPN_EXTERNAL_INTERFACE -s $ALL_ADDRESSES -d
$VPN_EXTERNAL_IPADDR --dport 4500 -j ACCEPT

# Routing
# allow connections to other WAN subnets
$IPTABLES -A FORWARD -s $INTERNAL_NETWORK/$INTERNAL_NETWORK_MASK -d
192.168.0.0/16 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -d
$INTERNAL_NETWORK/$INTERNAL_NETWORK_MASK -j ACCEPT
# Adrian's home network
$IPTABLES -A FORWARD -s 10.0.10.0/24 -d
$INTERNAL_NETWORK/$INTERNAL_NETWORK_MASK -j ACCEPT
# Alex's home network
#$IPTABLES -A FORWARD -s 10.0.0.0/24 -d 192.168.0.157/32 -j ACCEPT
#$IPTABLES -A FORWARD -s 192.168.0.157/32 -d 10.0.0.0/24 -j ACCEPT
#$IPTABLES -A FORWARD -s 10.0.0.0/24 -d 192.168.0.167/32 -j ACCEPT
#$IPTABLES -A FORWARD -s 192.168.0.167/32 -d 10.0.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 10.0.0.0/24 -d
$INTERNAL_NETWORK/$INTERNAL_NETWORK_MASK -j ACCEPT
$IPTABLES -A FORWARD -s $INTERNAL_NETWORK/$INTERNAL_NETWORK_MASK -d
10.0.0.0/16 -j ACCEPT

# Allow full NAT for all packets outbound on VPN interface
#$IPTABLES -t nat -A POSTROUTING -o $VPN_EXTERNAL_INTERFACE -d !
192.168.0.0/16 -j SNAT --to-source $VPN_EXTERNAL_IPADDR



And here are the routing tables and rules I've set up:

[root at mail firewall]# ip route show table main
150.101.212.16 dev ppp1  proto kernel  scope link  src 150.101.223.45
150.101.212.44 dev ppp0  proto kernel  scope link  src 150.101.164.102
192.168.192.0/24 dev ppp0  scope link
192.168.160.0/24 dev ppp0  scope link
192.168.128.0/24 dev ppp0  scope link
10.0.0.0/24 via 150.101.212.44 dev ppp0
192.168.2.0/24 dev ppp0  scope link
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
192.168.10.0/24 dev eth2  proto kernel  scope link  src 192.168.10.254
10.0.10.0/24 via 150.101.212.44 dev ppp0
169.254.0.0/16 dev eth2  scope link
default via 150.101.212.44 dev ppp0

[root at mail firewall]# ip route show table 1
150.101.212.16 dev ppp1  proto kernel  scope link  src 150.101.223.45
150.101.212.44 dev ppp0  proto kernel  scope link  src 150.101.164.102
192.168.192.0/24 dev ppp1  scope link
192.168.160.0/24 dev ppp1  scope link
192.168.128.0/24 dev ppp1  scope link
10.0.0.0/24 via 150.101.212.44 dev ppp0
192.168.2.0/24 dev ppp1  scope link
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
192.168.10.0/24 dev eth2  proto kernel  scope link  src 192.168.10.254
10.0.10.0/24 via 150.101.212.44 dev ppp0
169.254.0.0/16 dev eth2  scope link
default via 150.101.223.45 dev ppp1 

[root at mail firewall]# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 1
32766:  from all lookup main
32767:  from all lookup default



[root at mail firewall]# uname -a
Linux mail 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686
i686 i386 GNU/Linux





-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Saturday, 10 November 2007 4:24 PM
To: Alex Ip
Cc: users at openswan.org
Subject: RE: Help required - routing ipsec (native Kernel 2.6) on a
multi-homed host?

On Sat, 10 Nov 2007, Alex Ip wrote:

>
> 	In a nutshell, I would prefer not to have to override the default 
> routing for anything, but instead tell ipsec to send/receive the 
> encrypted packets on a different interface. Is it possible to do this 
> with the native
> 2.6 stack?

KLIPS works by routing packets into the ipsecX devices. Then KLIPS polcies
pick up the right packets, and the others are either dropped, or send via
the interfaces coupled with the ipsecX device (depending on the eroute for
the packet, and the failureshunt parameter.

NETKEY "steals" packets from the stack (even after the point where tcpdump
can see them) and encrypts them and sends them onward. If there is no
matching policy, the packets should pass through unchanged/unhindered.

> I should also mention a complication in that the next hop for each of 
> the two pppoe interfaces is dynamic and is sometimes the same between 
> the two, so overriding the ipsec leftnexthop/rightnexthop definition 
> doesn't help me.

You might be better of setting up GRE tunnels and creating a single virtual
interface over all lines, and doing some ipsec tunneling within those.

But prob the easiest solution will be to use advanced routing (ip route and
ip rule) to send packets into the klips interface(s).

Paul



More information about the Users mailing list