[Openswan Users] routing issues with netkey
Greg Scott
GregScott at InfraSupportEtc.com
Wed Apr 2 02:03:40 EDT 2008
Jacco, I may have run into a similar issue. I wrote it up and emailed
to the list a few hours ago. In my case, the output from ip xfrm policy
seems to look similar to earlier versions. Were you able to get your
setup working?
Thanks
- Greg Scott
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Jacco Kok
Sent: Monday, March 10, 2008 11:30 AM
To: users at openswan.org
Subject: [Openswan Users] routing issues with netkey
LS, has anyone come across routing problems with the netkey
implementation under Fedora? I use fc7 with kernel 2.6.23.15-80.fc7 and
openswan-2.4.7-3.fc7.
The setup is a host-to-network vpn; between the host and the gateway are
2 natting devices:
172.16.42.0/24
|
172.16.42.1
172.20.1.50 gw
|
NAT (10.0.53.20 <-> 172.20.1.50)
|
|
NAT (10.80.6.2 <-> 10.0.13.71)
|
10.80.6.2 host
I've set up the vpn using X509 certificates and the log says the vpn is
established. However ip xfrm policy show tells that the vpn is between
10.0.13.71 and 172.16.42.0/24. _updown also added a route to 10.0.13.71.
When sending traffic to 10.0.13.71 from the 172.16.42.0/24 I see indeed
ESP traffic to the host but the host never answers because the address
of the unpacked packets is 10.0.13.71 and not 10.80.6.2.
I tried to set the policy by hand and it looks ok but does not work. Can
anyone shed some light on how openswan/netkey handles routing and how to
get this setup going?
Thnx.
--
Try to relax and enjoy the crisis.
-- Ashleigh Brilliant
Jacco Kok