[Openswan Users] Routing issue?

Frank Schmirler osusers at schmirler.de
Mon Jul 7 04:10:54 EDT 2008

On Fri, 4 Jul 2008 13:31:23 -0400 (EDT), Paul Wouters wrote
> On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:
> > I've set up an ipsec/l2tp gateway using klips. When a client connects, 
> > openswan sets up a host route to this client with a route destination of 
> > ipsec1 interface. The result is that all non-ipsec traffic from the 
> > gateway to client is also directed to the ipsec1 interface (iptraf shows 
> > that) and does not come to destination. This looks strange especially 
> > when a client is behind some NAT box, so that the openswan sets this 
> > routing rule not to a client but to the NAT box thus breaking non-ipsec 
> > traffic on the way from the gateway to NAT box.
> Normally, when an IPsec connection between two hosts is up, no plaintext
> traffic is allowed between those hosts. However, for a NAT-T
> connection, this should not be the case.

I can confirm the behaviour Mikhail describes. For KLIPS you need a
passthrough connection to get plaintext traffic out (see e.g.
http://lists.openswan.org/pipermail/users/2005-December/007763.html). AFAIR
it's always been that way for KLIPS.
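As an added illustration (not from Frank's message or the linked post), this is the shape of a KLIPS passthrough connection in Openswan ipsec.conf syntax. The addresses are constructed placeholders, and it assumes the peer address is static; it exempts plaintext traffic between the gateway and the client (or the NAT box in front of it) from IPsec processing, while the more specific L2TP/IPsec SA on UDP 1701 still carries the tunnelled traffic.

```ini
# Added example, not part of the thread. Passthrough connection for a
# KLIPS gateway so that non-IPsec traffic between the gateway and the
# client (or its NAT box) leaves unencrypted instead of being swallowed
# by the host route pointing at ipsec1.
# All addresses are constructed placeholders; a static peer address is
# assumed here.
conn plaintext-passthrough
    left=192.0.2.1              # the gateway's own public address (placeholder)
    right=198.51.100.7          # client or NAT box public address (placeholder)
    type=passthrough            # install a %pass eroute: no IPsec processing
    authby=never                # a passthrough conn does no IKE authentication
    auto=route                  # set up the eroute at startup without negotiating
```

After `ipsec auto --route plaintext-passthrough`, `ipsec eroute` should list a `%pass` entry for the pair, alongside the narrower `%trap`/tunnel eroute for UDP 1701 that L2TP/IPsec uses.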
