[Openswan Users] routing issues with netkey

Jacco Kok jacco at 0xcafebabe.nl
Mon Mar 10 12:30:24 EDT 2008


LS, has anyone come across routing problems with the netkey implementation
under Fedora? I use fc7 with kernel 2.6.23.15-80.fc7 and
openswan-2.4.7-3.fc7.

The setup is a host-to-network VPN. Between the host and the gateway are 2
natting devices:

172.16.42.0/24
    |
172.16.42.1
172.20.1.50 gw
    |
NAT (10.0.53.20 <-> 172.20.1.50)
    |
    |
NAT (10.80.6.2 <-> 10.0.13.71)
    |
10.80.6.2 host

I've set up the VPN using X509 certificates and the log says the VPN is
established. However, ip xfrm policy show says that the VPN is between
10.0.13.71 and 172.16.42.0/24. _updown also added a route to 10.0.13.71.

When sending traffic to 10.0.13.71 from 172.16.42.0/24, I do indeed see
ESP traffic to the host, but the host never answers because the address of
the unpacked packets is 10.0.13.71 and not 10.80.6.2.

I tried to set the policy by hand and it looks ok but does not work. Can
anyone shed some light on how openswan/netkey handles routing and how to
get this setup going?

Thnx.


-- 
Try to relax and enjoy the crisis.
                -- Ashleigh Brilliant

Jacco Kok

