[Openswan Users] Routing issue?

Paul Wouters paul at xelerance.com
Fri Jul 4 13:31:23 EDT 2008


On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:

> I've set up an ipsec/l2tp gateway using klips. When a client connects, 
> openswan sets up a host route to this client with a route destination of 
> the ipsec1 interface. The result is that all non-ipsec traffic from the 
> gateway to the client is also directed to the ipsec1 interface (iptraf shows 
> that) and does not reach its destination. This looks strange especially 
> when a client is behind some NAT box, so that openswan sets this 
> routing rule not to the client but to the NAT box, thus breaking non-ipsec 
> traffic on the way from the gateway to the NAT box. In my case the ssh 
> connection was frozen and ping did not work the whole time the ipsec 
> connection was up. iptraf running on the gateway showed that non-ipsec 
> traffic arrived on the gateway at the corresponding eth interface but 
> left the gateway on the ipsec interface and did not reach its 
> destination. If I removed this rule on the gateway by hand, non-secured 
> traffic started to flow without any problem.

Can you try using failureshunt=passthrough in config setup?

> Is that an intended behaviour of openswan or there could be some 
> misconfiguration? 

Normally, when an IPsec connection between two hosts is up, no plaintext
traffic is allowed between those hosts. However, for a NAT-T connection,
this should not be the case.

Paul
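A quick way to confirm the symptom Mikhail describes (host routes that klips has pointed at an ipsecN device, which swallow plaintext traffic to that peer or its NAT box) is to scan the kernel routing table for bare host entries whose output device is an ipsec interface. The script below is an added example, not code from the thread or from openswan; it assumes the `ipsec1` device naming from the post and the line format of `ip route show`, and it runs on a constructed sample table rather than a live gateway.

```shell
# Constructed sample of `ip route show` output (not real gateway data):
# two plaintext routes via eth0 plus two host routes klips pointed at ipsec1.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.7 dev ipsec1 scope link
10.0.0.0/8 via 192.0.2.254 dev eth0
203.0.113.42 dev ipsec1 scope link'

# Print every host route (a bare address with no prefix length, not "default")
# whose output device is an ipsecN interface. Input: route table text as $1.
ipsec_host_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "default" || index($1, "/") > 0 { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^ipsec[0-9]+$/) { print $1; break }
        }'
}

# Demo on the constructed sample; on a live gateway run instead:
#   ipsec_host_routes "$(ip route show)"
ipsec_host_routes "$SAMPLE_ROUTES"
```

Each address printed is a peer (or, behind NAT, the NAT box) whose non-IPsec traffic from the gateway is being steered into the ipsec device; running the check before and after changing failureshunt, or after a client behind NAT connects, shows whether the route that broke ssh and ping is still present.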

