[Openswan Users] Routing issue?
Paul Wouters
paul at xelerance.com
Fri Jul 4 13:31:23 EDT 2008
On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:
> I've set up an ipsec/l2tp gateway using klips. When a client connects,
> openswan sets up a host route to this client with a route destination of
> the ipsec1 interface. The result is that all non-ipsec traffic from the
> gateway to the client is also directed to the ipsec1 interface (iptraf shows
> that) and does not reach its destination. This looks especially strange
> when a client is behind some NAT box, so that openswan sets this
> routing rule not to the client but to the NAT box, thus breaking non-ipsec
> traffic on the way from the gateway to the NAT box. In my case the ssh
> connection was frozen and ping did not work the whole time the ipsec
> connection was up. iptraf running on the gateway showed that non-ipsec
> traffic arrived on the gateway at the corresponding eth interface but
> left the gateway on the ipsec interface and did not reach its
> destination. If I removed this rule on the gateway by hand, non-secured
> traffic started to flow without any problem.
Can you try using failureshunt=passthrough in config setup?
> Is that an intended behaviour of openswan or there could be some
> misconfiguration?
Normally, when an IPsec connection between two hosts is up, no plaintext
traffic is allowed between those hosts. However, for a NAT-T connection,
this should not be the case.
Paul