[Openswan Users] Routing issue?
paul at xelerance.com
Fri Jul 4 13:31:23 EDT 2008
On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:
> I've set up an ipsec/l2tp gateway using klips. When a client connects,
> openswan sets up a host route to this client with a route destination of
> ipsec1 interface. The result is that all non-ipsec traffic from the
> gateway to client is also directed to the ipsec1 interface (iptraf shows
> that) and does not come to destination. This looks strange especially
> when a client is behind some NAT box, so that the openswan sets this
> routing rule not to a client but to the NAT box thus breaking non-ipsec
> traffic on the way from the gateway to NAT box. In my case ssh
> connection was frozen and ping did not work all the time while ipsec
> connection was up. iptraf running on the gateway showed that non-ipsec
> traffic arrived on the gateway at the corresponding eth interface but
> left the gateway on the ipsec interface and did not reach its
> destination. If I removed this rule on the gateway by hand, non-secured
> traffic started to go without any problem.
Can you try using failureshunt=passthrough in config setup?
> Is that an intended behaviour of openswan or there could be some
Normally, when an IPsec connection between two hosts is up, no plaintext
traffic is allowed between those hosts. However, for a NAT-T connection,
this should not be the case.
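As an added check (not part of the thread, and not Openswan's own tooling), the following POSIX shell snippet lists the host routes that point at a KLIPS ipsecN interface, which is the rule the original poster found and removed by hand. The route table below is a constructed sample in the format of `ip route show`; the addresses and interface names are hypothetical.

```shell
# Constructed sample of `ip route show` output on a KLIPS gateway (hypothetical):
# the NAT box 198.51.100.7 has received a host route via ipsec1, which is the
# symptom described in the thread (plaintext to that host also leaves via ipsec1).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10
198.51.100.7 dev ipsec1  scope link
10.0.0.0/8 dev ipsec0  scope link
203.0.113.0/24 dev eth1  proto kernel  scope link  src 203.0.113.1'

# Read route lines on stdin and print "<host> <ipsecN>" for every host route
# (a destination printed without a /prefix, i.e. a single address) whose
# output device is an ipsecN interface.
ipsec_host_routes() {
    awk '
        index($1, "/") == 0 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i+1) ~ /^ipsec[0-9]+$/)
                    print $1, $(i+1)
        }'
}

# Number of such routes; non-zero means plaintext traffic from the gateway to
# those hosts will also be steered into KLIPS.
count_ipsec_host_routes() {
    ipsec_host_routes | wc -l | tr -d " "
}
```

On a live gateway, feed it the real table with `ip route show | ipsec_host_routes`.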