[Openswan Users] Hub and spoke routing issue when using Openswan

Mattias Mattsson mm4748190 at gmail.com
Tue Feb 10 12:54:09 EST 2009


Thanks for your answer.

I do use klips and not netkey for the Openswan box:
# ipsec --version
Linux Openswan 2.6.18 (klips)
See `ipsec --copyright' for copyright information.
# ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/eth1

Also, in my example, all the protected networks are in different subnets
that are not subnets of each other. I just chose 172.16.x.x addresses to
make the setup more bearable.

Since the hub has, spoke1 has, and spoke2 has, I don't think it is a problem with longest prefix. I could
have used for the hub, for spoke1 and for spoke2 and have the same problem.

Thanks / Mattias

On Tue, Feb 10, 2009 at 9:05 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 10 Feb 2009, Mattias Mattsson wrote:
>
>> I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to
>> Openswan 2.6.18 (klips).
>> The setup is a hub and spoke VPN where two spoke sites (B and C) are
>> connecting into the hub site (A).
>> The protected subnets are all different (i.e. this is not an 'extruded
>> subnet' setup) and eroutes are used to route from B to C and vice versa.
>> This works fine when using Freeswan, but when using Openswan for the hub,
>> the Hub does not even accept the incoming traffic from the spoke, i.e. if
>> I do a tcpdump on ipsec0 I do not see the incoming traffic.
>
> this is a KLIPS vs NETKEY issue. You are likely using netkey. You can
> either switch to KLIPS, or you can add "conn passthrough" connections that
> exempt the local subnet from the hub-spoke tunnel.
> KLIPS does longest prefix matching, so overrides
> NETKEY does not do that, so a <-> tunnel causes ALL
> traffic, including to be sent over the tunnel, unless exempted
> by a passthrough conn.
> You should be able to find passthrough examples in /etc/ipsec.d/examples/
> or in the mailing list archives.
> Paul
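As an added illustration of the "conn passthrough" Paul describes (not from the thread or the Openswan examples directory), here is a constructed hub-side ipsec.conf fragment for a NETKEY hub. The addresses are placeholders chosen so that the tunnel's rightsubnet covers the hub's own LAN, which is the case where NETKEY would otherwise push local traffic into the tunnel; the thread's real subnets are not shown.

```ini
# Constructed example, not the poster's configuration.
# Placeholder addresses: hub LAN 172.16.1.0/24 behind hub 192.0.2.1,
# spoke1 192.0.2.2 with LAN 172.16.2.0/24. The hub tunnel hands spoke1
# the whole 172.16.0.0/16 so spoke1 can reach spoke2 via the hub.
config setup
        protostack=netkey

conn hub-spoke1
        left=192.0.2.1
        leftsubnet=172.16.0.0/16      # aggregate of everything behind the hub
        right=192.0.2.2
        rightsubnet=172.16.2.0/24
        authby=secret
        auto=start

# With NETKEY the 172.16.0.0/16 <-> 172.16.2.0/24 policy also matches
# traffic from the hub's own LAN, since NETKEY does not prefer the
# longest prefix the way KLIPS does. This passthrough conn installs a
# plain-text (type=passthrough, authby=never) policy for the hub LAN
# itself so that local traffic is exempted from the tunnel.
conn exempt-hub-lan
        type=passthrough
        authby=never
        left=192.0.2.1
        leftsubnet=172.16.1.0/24
        right=0.0.0.0
        rightsubnet=172.16.1.0/24
        auto=route
```

After loading it, `ipsec auto --status` should list the passthrough conn as routed; on a KLIPS hub the exemption is unnecessary because longest-prefix eroutes already win.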