[Openswan Users] Routing issue?

Frank Schmirler osusers at schmirler.de
Mon Jul 7 10:01:25 EDT 2008


On Mon, 07 Jul 2008 12:59:30 +0400, Mikhail Yu. Kononets wrote
> Frank Schmirler wrote:
> > I can confirm the behaviour Mikhail describes. For KLIPS you need a
> > passthrough connection to get plaintext traffic out (see e.g.
> > http://lists.openswan.org/pipermail/users/2005-December/007763.html).
> 
> I read that message but did not understand why it could help. And 
> still I've decided to try it out. What I've seen is that it brings 
> up a route to "0.0.0.0 via leftnexthop dev ipsec1". But, openswan 
> still sets up a host route to the NAT box through which the 
> ipsec/l2tp connection is established. This host route appears more 
> specific than that 0.0.0.0 route, so that plaintext traffic from the 
> ipsec/l2tp gateway to the NAT box is blocked all the time when the 
> l2tp/ipsec connection is up through the NAT box.

The point is not the additional route (yes, I get this route, too). As you
already pointed out, the more specific host route to the NAT box will deliver
to the ipsec interface anyway. The point is that openswan no longer drops
non-L2TP packets, as the less specific passthrough connection catches and
accepts them. Maybe this has already been fixed in 2.5/2.6
(http://lists.openswan.org/pipermail/users/2006-January/007936.html)?

In the meantime I also tried the failureshunt=passthrough directive Paul
suggested. Unfortunately it doesn't work here either. Would have been the far
more elegant solution. With the passthrough connection to 0.0.0.0/0 you lose
the separation between encrypted and plaintext traffic. All the Internet
traffic is routed through the ipsec interface. I haven't investigated if it is
possible to keep these routes from being created. They are not needed (you can
delete them manually, the plaintext packets keep flowing).

Frank
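For reference, an added example (not from this thread or from the Openswan project) of the kind of KLIPS passthrough connection discussed above: a catch-all that lets plaintext traffic leave the gateway instead of being dropped. The connection name is hypothetical and 192.0.2.1 is a constructed stand-in for the gateway's own public address.

```ini
# ipsec.conf fragment (example, not the list poster's configuration)
conn passthrough-plaintext
    # pass matching traffic in the clear rather than dropping it
    type=passthrough
    # no authentication or IKE negotiation for a passthrough policy
    authby=never
    # the gateway itself (constructed address) ...
    left=192.0.2.1
    leftsubnet=192.0.2.1/32
    # ... to anywhere; 0.0.0.0/0 is less specific than any real tunnel
    # policy, so only traffic no other conn claims ends up here
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    # install the eroute at startup without negotiating anything
    auto=route
```

As the thread notes, with KLIPS this also installs a default route through the ipsec interface; the passthrough eroute, not that route, is what keeps non-L2TP packets from being dropped.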
