[Openswan Users] Routing doesn't route with Openswan U2.6.09 and Fedora 9

Paul Wouters paul at xelerance.com
Tue Dec 2 11:51:46 EST 2008


On Tue, 2 Dec 2008, Greg Scott wrote:

> At the HQ site, there are two Linux IPSEC firewall systems, named fw1 and fw2.  They are a failover pair, and are identical in
> every relevant way, except the following:
>  
> fw1 is running Fedora 6 with IPSEC version U2.4.5 - this was the system Paul W encouraged me to update.  
> fw2 is running Fedora 9 with IPSEC version U2.6.09.  This is the new version. 

Later tests also seem to suggest the 2.4.x system used KLIPS and the 2.6.x system used NETKEY...

> This turned into a novel.  The whole problem boils down to this:  No matter what I do, my new HQ firewall will not forward
> packets for the Janesville PNT LAN via the Janesville PNT router. 

You should upgrade the 2.6 system, as there have been some NETKEY fixes with policies that did
not get deleted.

> 1 - How do I look at IPSEC routes these days?  ipsec look on fw1, the old version, shows me what I expect.  ipsec look on the
> new version tells me nothing.  Is there a nifty command or tool that can show me how packets will really route?
>
> 2 - How do I manipulate IPSEC routes?  In particular, if I take down an IPSEC tunnel, how do I make sure the routes from that
> tunnel are really gone?  How do I look at routes before and after? 

ip xfrm policy and ip xfrm state

> 3 - I just downloaded a newer version of IPSEC from sourceforge.  I think it's maybe a week old.  Is what I described above a
> known problem with the version that came bundled with fc9 and should I remove the fc9 IPSEC and install this new Sourceforge
> version?

Don't. You do not need ipsec-tools at all. It is not used by openswan. It used to be used only
to clear the kernel using setkey, but that is now done directly with netlink.

You might be running into the difference in "longest prefix match" behaviour between klips
and netkey. klips routed the packets based on longest prefix match, while netkey has
some other ordering. Therefore if you have tunnels like 10.1.1.0/24 <-> 10.0.0.0/8, this
worked fine on klips, but for netkey you need to exclude 10.1.1.0/24 from being sent
over the tunnel to the 10.0.0.0/8 network. There should be a passthrough example
in /etc/ipsec.d/examples/

Paul
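The following Python model is an added example, not part of this thread or of Openswan's code. It illustrates the selection difference Paul describes for the 10.1.1.0/24 <-> 10.0.0.0/8 case: KLIPS picks the most specific matching entry (longest prefix), while NETKEY walks the xfrm policy table in priority order (lowest value first, install order for ties) and takes the first selector match. The policy table, names, addresses and priority values are constructed; the local LAN's connected route is represented as a "passthrough" entry in both tables so that only the selection rule differs.

```python
"""Model of IPsec policy selection on KLIPS versus NETKEY (added example).

The tunnel, passthrough entry, addresses and priority values are constructed
for illustration and are not taken from the thread or from Openswan.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str    # "tunnel": encrypt over IPsec; "passthrough": send in the clear
    priority: int  # xfrm priority: the lowest value wins on NETKEY


def net(cidr):
    return ipaddress.ip_network(cidr)


def matching(policies, src, dst):
    """Return the policies whose src/dst selectors both cover the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies if s in p.src and d in p.dst]


def select_klips(policies, src, dst):
    """KLIPS: the most specific matching entry (longest prefix) wins,
    the same way an ordinary routing table behaves."""
    cands = matching(policies, src, dst)
    return max(cands, key=lambda p: (p.dst.prefixlen, p.src.prefixlen), default=None)


def select_netkey(policies, src, dst):
    """NETKEY (xfrm): policies are visited in priority order, lowest value
    first and install order for ties; the first selector match wins and
    prefix length by itself counts for nothing."""
    for p in sorted(policies, key=lambda p: p.priority):  # sorted() is stable
        if matching([p], src, dst):
            return p
    return None


# Constructed table: the /24 <-> /8 tunnel from the reply, installed first,
# then an entry meant to keep LAN-local traffic in the clear.
TUNNEL = Policy("branch-tunnel", net("10.1.1.0/24"), net("10.0.0.0/8"), "tunnel", 2000)


def decide(passthrough_priority):
    """Resolve a LAN-local packet and a tunnel-bound packet under both rules,
    with the passthrough entry installed at the given xfrm priority."""
    passthrough = Policy("lan-passthrough", net("10.1.1.0/24"), net("10.1.1.0/24"),
                         "passthrough", passthrough_priority)
    table = [TUNNEL, passthrough]
    local_src, local_dst = "10.1.1.10", "10.1.1.20"  # two hosts on the same LAN
    remote_dst = "10.7.0.5"                          # a host behind the tunnel
    return {
        "klips_local": select_klips(table, local_src, local_dst).action,
        "netkey_local": select_netkey(table, local_src, local_dst).action,
        "klips_remote": select_klips(table, local_src, remote_dst).action,
        "netkey_remote": select_netkey(table, local_src, remote_dst).action,
    }


if __name__ == "__main__":
    # Same priority as the tunnel: NETKEY ties go to the entry installed first,
    # so LAN-local traffic is wrongly pushed into the tunnel; KLIPS is unaffected.
    print("passthrough at equal priority:", decide(2000))
    # A better (lower) priority for the passthrough makes NETKEY agree with KLIPS.
    print("passthrough at better priority:", decide(1000))
```

With the passthrough at the same priority as the tunnel, `netkey_local` comes back as `tunnel` while `klips_local` is `passthrough`; giving the passthrough a lower priority value makes both agree. That is the effect of the passthrough connection the reply points to: it installs a more specific policy that NETKEY consults before the /8 tunnel policy, and `ip xfrm policy` shows the resulting order and priorities.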
