[Openswan Users] Routing issue?
Mikhail Yu. Kononets
mkononets at gmail.com
Mon Jul 7 04:59:30 EDT 2008
Frank Schmirler wrote:
> On Fri, 4 Jul 2008 13:31:23 -0400 (EDT), Paul Wouters wrote
>> On Fri, 4 Jul 2008, Mikhail Yu. Kononets wrote:
>>
>>> I've set up an ipsec/l2tp gateway using klips. When a client connects,
>>> openswan sets up a host route to this client with a route destination of
>>> ipsec1 interface. The result is that all non-ipsec traffic from the
>>> gateway to client is also directed to the ipsec1 interface (iptraf shows
>>> that) and does not come to destination. This looks strange especially
>>> when a client is behind some NAT box, so that the openswan sets this
>>> routing rule not to a client but to the NAT box thus breaking non-ipsec
>>> traffic on the way from the gateway to NAT box.
>> Normally, when an IPsec connection between two hosts is up, no plaintext
>> traffic is allowed between those hosts. However, for a NAT-T
>> connection, this should not be the case.
>
> I can confirm the behaviour Mikhail describes. For KLIPS you need a
> passthrough connection to get plaintext traffic out (see e.g.
> http://lists.openswan.org/pipermail/users/2005-December/007763.html).
I read that message but did not understand why it could help. Still,
I've decided to try it out. What I've seen is that it brings up a route
to "0.0.0.0 via leftnexthop dev ipsec1". But openswan still sets up a
host route to the NAT box through which the ipsec/l2tp connection is
established. This host route appears more specific than that 0.0.0.0
route, so that plaintext traffic from the ipsec/l2tp gateway to the NAT
box is blocked all the time while the l2tp/ipsec connection is up through the
NAT box.
Mikhail.
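The routing condition Mikhail describes, as a check you can run on a KLIPS gateway. This is an added example and not code from the thread or from Openswan; it parses the text of `ip route show` and reports every /32 host route that leaves via an ipsecN device, since such a route is more specific than the "0.0.0.0 via leftnexthop dev ipsec1" passthrough route and therefore still steers plaintext for that peer (or its NAT box) into KLIPS. The sample routing table below is constructed for the example, using RFC 5737 addresses, and the interface name ipsec1 is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: list KLIPS host routes that shadow a
# passthrough (0.0.0.0 / default) route. Reads `ip route show` text on stdin.

# Print the destination of every host route (bare address or explicit /32)
# whose "dev" is an ipsecN interface. Default and 0.0.0.0 routes are skipped:
# they are the passthrough entries, not the problem.
shadowing_host_routes() {
    awk '
        $1 !~ /^(default|0\.0\.0\.0)/ && ($1 !~ /\// || $1 ~ /\/32$/) {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i+1) ~ /^ipsec[0-9]+$/)
                    print $1
        }'
}

# Constructed sample of `ip route show` output on a gateway with one L2TP/IPsec
# client behind a NAT box at 203.0.113.5 and a passthrough connection up.
# Only the first line is a host route on ipsec1 and should be reported.
SAMPLE_ROUTES='203.0.113.5 via 192.0.2.1 dev ipsec1
default via 192.0.2.1 dev ipsec1
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10
default via 192.0.2.1 dev eth0'

# On a live gateway:  ip route show | shadowing_host_routes
printf '%s\n' "$SAMPLE_ROUTES" | shadowing_host_routes
```

Any address the function prints is one to which the gateway cannot currently send plaintext; confirming it on a live box is a matter of `ip route get <address>` showing `dev ipsec1` rather than the physical interface.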