[Openswan Users] Routing issue?
Mikhail Yu. Kononets
mkononets at gmail.com
Fri Jul 4 14:20:19 EDT 2008
Paul Wouters wrote:
> On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:
>
>> I've set up an ipsec/l2tp gateway using klips. When a client connects,
>> openswan sets up a host route to this client with a route destination of
>> the ipsec1 interface. The result is that all non-ipsec traffic from the
>> gateway to the client is also directed to the ipsec1 interface (iptraf shows
>> that) and does not reach its destination. This looks strange especially
>> when a client is behind some NAT box, so that openswan sets this
>> routing rule not to the client but to the NAT box, thus breaking non-ipsec
>> traffic on the way from the gateway to the NAT box. In my case the ssh
>> connection was frozen and ping did not work all the time while the ipsec
>> connection was up. iptraf running on the gateway showed that non-ipsec
>> traffic arrived on the gateway at the corresponding eth interface but
>> left the gateway on the ipsec interface and did not reach its
>> destination. If I removed this rule on the gateway by hand, non-secured
>> traffic started to go without any problem.
>
> Can you try using failureshunt=passthrough in config setup ?
No effect (in a "conn xxx" section).
>> Is that an intended behaviour of openswan or there could be some
>> misconfiguration?
>
> Normally, when an IPsec connection between two hosts is up, no plaintext
> traffic is allowed between those hosts. However, for a NAT-T connection,
> this should not be the case.
I supposed so...
Mikhail
P.S. openswan 2.4.12, kernel 2.6.23.17.
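The symptom described in this thread is a KLIPS host route (a /32 to the peer, or to its NAT box) that sends all plaintext traffic for that address out an ipsecN interface; the workaround the poster used was deleting that route by hand. Paul's suggestion places failureshunt=passthrough in config setup, while the reply reports trying it in a conn section. The following is an added example, not code from the thread or from Openswan: it parses `ip route show` output, lists host routes whose device is an ipsecN interface, and prints the `ip route del` commands that would undo them. The route lines in SAMPLE_ROUTES are constructed for illustration; on a real gateway pass `"$(ip route show)"` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): detect host routes that send a
# single peer's traffic through a KLIPS ipsecN interface, which is the symptom
# described above. SAMPLE_ROUTES is constructed `ip route show` output.

SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10
198.51.100.77 dev ipsec1  scope link
198.51.100.78 via 192.0.2.1 dev eth0
10.0.0.0/8 via 192.0.2.1 dev eth0
203.0.113.5 dev ipsec0  scope link'

# List "<destination> <device>" for host routes (no prefix length, not the
# default route) whose outgoing device is an ipsecN interface.
# $1 is the text of `ip route show`.
ipsec_host_routes() {
    printf '%s\n' "$1" | awk '
        $1 != "default" && $1 !~ /\// {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^ipsec[0-9]+$/)
                    print $1, $(i + 1)
        }'
}

# Emit the `ip route del` commands that would remove those routes by hand,
# the workaround the post describes. This only prints; nothing is executed,
# so the output can be reviewed before running it on a gateway.
route_del_commands() {
    ipsec_host_routes "$1" | while read -r dst dev; do
        printf 'ip route del %s dev %s\n' "$dst" "$dev"
    done
}

# Live usage on the gateway (needs iproute2):
#   ipsec_host_routes "$(ip route show)"
#   route_del_commands "$(ip route show)"
ipsec_host_routes "$SAMPLE_ROUTES"
route_del_commands "$SAMPLE_ROUTES"
```

The filter keys on the `dev` field rather than on the destination because, as the post notes, with a NAT-T client the destination is the NAT box's address, not the client's; the ipsecN device is the reliable marker of a route KLIPS installed. Deleting such a route is the manual workaround from the thread, so review the printed commands before running them.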