[Openswan Users] Routing issue?

Mikhail Yu. Kononets mkononets at gmail.com
Mon Jul 7 10:45:24 EDT 2008


Frank Schmirler wrote:
> On Mon, 07 Jul 2008 12:59:30 +0400, Mikhail Yu. Kononets wrote
>> Frank Schmirler wrote:
>>> I can confirm the behaviour Mikhail describes. For KLIPS you need a
>>> passthrough connection to get plaintext traffic out (see e.g.
>>> http://lists.openswan.org/pipermail/users/2005-December/007763.html).
>> I read that message but did not understand why it could help. And
>> still I've decided to try it out. What I've seen is that it brings
>> up a route to "0.0.0.0 via leftnexthop dev ipsec1". But, openswan
>> still sets up a host route to the NAT box through which the
>> ipsec/l2tp connection is established. This host route appears more
>> specific than that 0.0.0.0 route, so that plaintext traffic from the
>> ipsec/l2tp gateway to the NAT box is blocked all the time when
>> l2tp/ipsec connection is up through the NAT box.
> 
> The point is not the additional route (yes, I get this route, too). As you
> already pointed out, the more specific host route to the NAT box will deliver
> to the ipsec interface anyway. The point is that openswan no longer drops
> non-L2TP packets, as the less specific passthrough connection catches and
> accepts them. Maybe this has already been fixed in 2.5/2.6
> (http://lists.openswan.org/pipermail/users/2006-January/007936.html)?
> 
> In the meantime I also tried the failureshunt=passthrough directive Paul
> suggested. Unfortunately it doesn't work here either. Would have been the far
> more elegant solution. With the passthrough connection to 0.0.0.0/0 you lose
> the separation between encrypted and plaintext traffic. All the Internet
> traffic is routed through the ipsec interface. I haven't investigated if it is
> possible to keep these routes from being created. They are not needed (you can
> delete them manually, the plaintext packets keep flowing).

Thanks for help and explanations. Now everything works well. Actually I
didn't set up a passthrough connection properly.

Thanks again.

Mikhail.
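The mechanism Frank describes above (the /32 host route to the NAT box wins by longest-prefix match and delivers everything to ipsec1, where KLIPS drops any packet that no policy accepts unless a less specific passthrough policy catches it) can be shown with a small model. The following Python is an added illustration, not Openswan or KLIPS code; the addresses, the policy fields and the "tunnel/pass/drop" vocabulary are constructed simplifications of the real eroute table.

```python
import ipaddress

# Constructed addresses, not taken from the thread:
GATEWAY = "203.0.113.5"    # the IPsec/L2TP gateway itself
NAT_BOX = "198.51.100.7"   # the NAT box the L2TP/IPsec client sits behind

# Routing table modelled on the thread: the host route to the NAT box that
# openswan installs via ipsec1, plus the ordinary default route via eth0.
ROUTES = [
    (f"{NAT_BOX}/32", "ipsec1"),
    ("0.0.0.0/0", "eth0"),
]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins, which is
    why the /32 to the NAT box beats any 0.0.0.0/0 route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def build_policies(passthrough):
    """Simplified stand-in for the KLIPS policy (eroute) table. The L2TP conn
    covers only UDP/1701 to the NAT box; a passthrough conn adds a catch-all
    'pass' entry for everything else."""
    policies = [
        {"src": f"{GATEWAY}/32", "dst": f"{NAT_BOX}/32",
         "proto": "udp", "dport": 1701, "action": "tunnel"},
    ]
    if passthrough:
        policies.append({"src": "0.0.0.0/0", "dst": "0.0.0.0/0",
                         "proto": None, "dport": None, "action": "pass"})
    return policies


def _matches(policy, pkt):
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(policy["src"])
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(policy["dst"])
            and policy["proto"] in (None, pkt["proto"])
            and policy["dport"] in (None, pkt["dport"]))


def _specificity(policy):
    # More prefix bits and more constrained proto/port = more specific entry
    return (ipaddress.ip_network(policy["src"]).prefixlen
            + ipaddress.ip_network(policy["dst"]).prefixlen
            + (policy["proto"] is not None) + (policy["dport"] is not None))


def forward(pkt, passthrough, routes=ROUTES):
    """Return what happens to a packet leaving the gateway: plaintext on a
    physical device, 'tunnel', 'pass', or 'drop' on the ipsec device."""
    dev = lookup_route(pkt["dst"], routes)
    if dev != "ipsec1":
        return f"plaintext via {dev}"
    # On the ipsec device the most specific matching policy decides; a
    # packet that matches no policy at all is dropped.
    for policy in sorted(build_policies(passthrough), key=_specificity, reverse=True):
        if _matches(policy, pkt):
            return policy["action"]
    return "drop"


if __name__ == "__main__":
    l2tp = {"src": GATEWAY, "dst": NAT_BOX, "proto": "udp", "dport": 1701}
    https = {"src": GATEWAY, "dst": NAT_BOX, "proto": "tcp", "dport": 443}
    other = {"src": GATEWAY, "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
    for name, pkt in (("l2tp", l2tp), ("https-to-natbox", https), ("other", other)):
        print(name, "without passthrough:", forward(pkt, False),
              "| with passthrough:", forward(pkt, True))
```

Running it shows the symptom from the thread (plaintext TCP to the NAT box is dropped on ipsec1 while the L2TP packets are tunneled) and the effect of the passthrough policy (the same packet is passed in clear). It also shows the trade-off Frank mentions: a 0.0.0.0/0 passthrough entry accepts any unmatched traffic on the ipsec device, so the device no longer distinguishes encrypted from plaintext flows by itself.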
