[Openswan Users] Routing issue?

Mikhail Yu. Kononets mkononets at gmail.com
Fri Jul 4 14:20:19 EDT 2008

Paul Wouters wrote:
> On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:
>> I've set up an ipsec/l2tp gateway using klips. When a client connects, 
>> openswan sets up a host route to this client with a route destination of 
>> ipsec1 interface. The result is that all non-ipsec traffic from the 
>> gateway to client is also directed to the ipsec1 interface (iptraf shows 
>> that) and does not come to destination. This looks strange especially 
>> when a client is behind some NAT box, so that the openswan sets this 
>> routing rule not to a client but to the NAT box thus breaking non-ipsec 
>> traffic on the way from the gateway to NAT box. In my case ssh 
>> connection was frozen and ping did not work all the time while ipsec 
>> connection was up. iptraf running on the gateway showed that non-ipsec 
>> traffic arrived on the gateway at the eth corresponding interface but 
>> leaved the gateway on the ipsec interface and did not reach its 
>> destination. If i removed this rule on the gateway by hand, non-secured 
>> traffic started to go without any problem.
> Can you try using failureshunt=passthrough in config setup ?
no effect (in a "conn xxx" section).

>> Is that an intended behaviour of openswan or there could be some 
>> misconfiguration? 
> Normally, when an IPsec  connection between two hosts is up, no plaintext
> traffic is allowed between those hosts. However, for a NAT-T connection,
> this should not be the case.
i supposed so...


P.S. openswan 2.4.12, kernel

More information about the Users mailing list