[Openswan Users] Hub and spoke routing issue when using Openswan
Paul Wouters
paul at xelerance.com
Tue Feb 10 12:05:15 EST 2009
On Tue, 10 Feb 2009, Mattias Mattsson wrote:
> I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to Openswan 2.6.18 (klips).
>
> The setup is a hub and spoke VPN where two spoke sites (B and C) are connecting into the hub site (A).
> The protected subnets are all different (i.e. this is not an 'extruded subnet' setup) and eroutes are
> used to route from B to C and vice versa.
> This works fine when using Freeswan, but when using Openswan for the hub, the Hub does not even accept
> the incoming traffic from the spoke, i.e. if I do a tcpdump on ipsec0 I do not see the incoming traffic.
This is a KLIPS vs NETKEY issue. You are likely using netkey. You can either
switch to KLIPS, or you can add "conn passthrough" connections that exempt
the local subnet from the hub-spoke tunnel.
KLIPS does longest prefix matching, so 10.0.1.0/24 overrides 10.0.0.0/8.
NETKEY does not do that, so a 10.0.1.0/24 <-> 10.0.0.0/8 tunnel causes ALL
traffic, including 10.0.1.0/24, to be sent over the tunnel, unless exempted
by a passthrough conn.
You should be able to find passthrough examples in /etc/ipsec.d/examples/ or
in the mailing list archives.
Paul
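An added illustration of the passthrough approach described in this reply, written as an ipsec.conf fragment for a spoke running NETKEY; it is not taken from the thread or from the Openswan example files. The addresses are assumed: spoke public address 198.51.100.1, hub public address 192.0.2.1, and the 10.0.1.0/24 local subnet and 10.0.0.0/8 hub-side range used in the reply above.

```ini
# Assumed layout (not from the original thread):
#   spoke B: public 198.51.100.1, LAN 10.0.1.0/24
#   hub   A: public 192.0.2.1, offers 10.0.0.0/8 so that traffic for the
#            other spoke (site C) is routed via the hub
config setup
    protostack=netkey

# Spoke-to-hub tunnel. Because rightsubnet covers the whole /8, the
# policies it installs also match 10.0.1.0/24 <-> 10.0.1.0/24 traffic.
conn spoke-to-hub
    left=198.51.100.1
    leftsubnet=10.0.1.0/24
    right=192.0.2.1
    rightsubnet=10.0.0.0/8
    authby=secret
    auto=start

# Bypass policy for the local LAN. KLIPS would already prefer the more
# specific /24 eroute; with NETKEY this conn is what keeps LAN-to-LAN
# traffic out of the tunnel. The same pattern applies on the hub if its
# own subnet sits inside a range it tunnels to a spoke.
conn passthrough-local
    left=198.51.100.1
    leftsubnet=10.0.1.0/24
    right=0.0.0.0
    rightsubnet=10.0.1.0/24
    type=passthrough
    authby=never
    auto=route
```

After `ipsec auto --route passthrough-local` (or a restart with auto=route), `ip xfrm policy` should list 10.0.1.0/24 <-> 10.0.1.0/24 entries without a transform template, while the 10.0.0.0/8 entries keep their ESP template; if LAN traffic still disappears into the tunnel, the passthrough conn has not been routed.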