[Openswan Users] Hub and spoke routing issue when using Openswan

Mattias Mattsson mm4748190 at gmail.com
Tue Feb 10 12:54:09 EST 2009


Paul,

Thanks for your answer.

I do use klips and not netkey for the Openswan box:
# ipsec --version
Linux Openswan 2.6.18 (klips)
See `ipsec --copyright' for copyright information.
# ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/eth1 192.168.1.50
...

Also, in my example, all the protected networks are in different subnets
that are not subnets of each other. I just chose 172.16.x.x addresses to
make the setup more bearable.

Since the hub has 172.16.50.0/24, spoke1 has 172.16.40.0/24, and spoke2 has
172.16.20.0/24, I don't think it is a problem with longest prefix. I could
have used 10.10.10.0/24 for the hub, 172.16.1.0/24 for spoke1 and
192.168.1.0/24 for spoke2 and have the same problem.

Thanks / Mattias


On Tue, Feb 10, 2009 at 9:05 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 10 Feb 2009, Mattias Mattsson wrote:
>
>> I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to
>> Openswan 2.6.18 (klips).
>>
>> The setup is a hub and spoke VPN where two spoke sites (B and C) are
>> connecting into the hub site (A).
>> The protected subnets are all different (i.e. this is not an 'extruded
>> subnet' setup) and eroutes are
>> used to route from B to C and vice versa.
>>
>
>> This works fine when using Freeswan, but when using Openswan for the hub,
>> the Hub does not even accept
>> the incoming traffic from the spoke, i.e. if I do a tcpdump on ipsec0 I do
>> not see the incoming traffic.
>>
>
> this is a KLIPS vs NETKEY issue. You are likely using netkey. You can either
> switch to KLIPS, or you can add "conn passthrough" connections that exempt
> the local subnet from the hub-spoke tunnel.
>
> KLIPS does longest prefix matching, so 10.0.1.0/24 overrides 10.0.0.0/8.
> NETKEY does not do that, so a 10.0.1.0/24 <-> 10.0.0.0/8 tunnel causes ALL
> traffic, including 10.0.1.0/24, to be sent over the tunnel, unless exempted
> by a passthrough conn.
>
> You should be able to find passthrough examples in /etc/ipsec.d/examples/ or
> in the mailing list archives.
>
> Paul
>
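As an added illustration of the passthrough workaround Paul describes above (this is not from the thread, nor taken from Openswan's /etc/ipsec.d/examples/), here is an ipsec.conf fragment for a NETKEY hub whose own LAN 10.0.1.0/24 lies inside the 10.0.0.0/8 aggregate reached through the spoke tunnel. The peer address 203.0.113.10, the connection names and the choice of left/right values are hypothetical; check them against ipsec.conf(5) for your Openswan version.

```conf
# Added example, not from the original thread. Hypothetical hub at
# 192.168.1.50 with local LAN 10.0.1.0/24, running the NETKEY stack.
config setup
    protostack=netkey

# Hub-to-spoke tunnel. On NETKEY the policy 10.0.1.0/24 <-> 10.0.0.0/8 also
# matches hub-LAN-to-hub-LAN traffic, because 10.0.1.0/24 is inside 10.0.0.0/8,
# so local traffic would be pushed into the tunnel as well.
conn hub-spoke
    left=192.168.1.50
    leftsubnet=10.0.1.0/24
    right=203.0.113.10
    rightsubnet=10.0.0.0/8
    authby=secret
    auto=start

# Passthrough connection that exempts local LAN <-> local LAN traffic from
# IPsec. KLIPS would get this for free from longest-prefix matching; on NETKEY
# it has to be spelled out with type=passthrough and authby=never.
conn local-passthrough
    left=192.168.1.50
    leftsubnet=10.0.1.0/24
    right=0.0.0.0
    rightsubnet=10.0.1.0/24
    authby=never
    type=passthrough
    auto=route
```

After loading the connections (`ipsec auto --add` followed by `ipsec auto --route local-passthrough`, or a restart), a ping between two hosts on 10.0.1.0/24 should appear on the LAN interface in clear rather than as ESP, while hosts elsewhere in 10.0.0.0/8 still go through the hub-spoke tunnel.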