[Openswan Users] Routing issue?
Frank Schmirler
osusers at schmirler.de
Mon Jul 7 04:10:54 EDT 2008
On Fri, 4 Jul 2008 13:31:23 -0400 (EDT), Paul Wouters wrote
> On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:
>
> > I've set up an ipsec/l2tp gateway using klips. When a client connects,
> > openswan sets up a host route to this client with a route destination of
> > the ipsec1 interface. The result is that all non-ipsec traffic from the
> > gateway to the client is also directed to the ipsec1 interface (iptraf shows
> > that) and does not reach its destination. This looks strange especially
> > when a client is behind some NAT box, so that openswan sets this
> > routing rule not to the client but to the NAT box, thus breaking non-ipsec
> > traffic on the way from the gateway to the NAT box.
>
> Normally, when an IPsec connection between two hosts is up, no plaintext
> traffic is allowed between those hosts. However, for a NAT-T
> connection, this should not be the case.
I can confirm the behaviour Mikhail describes. For KLIPS you need a
passthrough connection to get plaintext traffic out (see e.g.
http://lists.openswan.org/pipermail/users/2005-December/007763.html). AFAIR
it's always been that way for KLIPS.
Frank
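As an added illustration (not part of the thread and not taken from the linked post), this is the shape a KLIPS passthrough conn in ipsec.conf can take to exempt plaintext gateway-to-NAT-box traffic from IPsec processing; the addresses are constructed placeholders and the `right=0.0.0.0` convention for a peerless passthrough is an assumption to check against your Openswan version's ipsec.conf(5).

```ini
# Added example, not from the original thread.
# Keep the selector as narrow as possible (host-to-host here) so that only the
# traffic you actually want in the clear is exempted from IPsec.
conn passthrough-natbox
    # no IPsec processing for traffic matching the selector below
    type=passthrough
    # a passthrough has no IKE peer, so no authentication takes place
    authby=never
    # assumed: this gateway's public address
    left=192.0.2.1
    leftsubnet=192.0.2.1/32
    # assumed convention for a passthrough with no real peer
    right=0.0.0.0
    # assumed: the public address of the client's NAT box
    rightsubnet=203.0.113.7/32
    # install the %pass eroute at startup without negotiating anything
    auto=route
```

After `ipsec auto --route passthrough-natbox`, `ipsec eroute` should show a `%pass` entry for that host pair, and plaintext traffic from the gateway to the NAT box should no longer disappear into ipsec1.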