[Openswan Users] Extruded subnet (revisited yet again).
Michael H. Warfield
mhw at WittsEnd.com
Sat Jan 24 13:13:12 EST 2009
Ok... I've been trying to solve this for ages and I've really wanted
to figure this out on my own but I haven't. I see in the archives this
has been kicked around from time to time but I can't find a definitive
answer (and old old hints in some other forums imply that there wasn't
one at the time but patches were "on the way").
I'm trying to set up an extruded subnet as follows:
22.214.171.124/19 --126.96.36.199 PubIP===PubIp
The subnet behind Gate1 is a nice large /19 (it's a research network).
I've extruded that /19 from the /18 that Gate2 resides on. The extruded
tunnel is basically 188.8.131.52/19 <=> 0.0.0.0/0.
In the main conn:
The extruded tunnel itself works. That is, anything from the internet
can reach Gate1 on its local extruded address (184.108.40.206) and
anything on the other side of Gate1 in that entire /19 (like
220.127.116.11). But... Gate1 can not communicate with any of the
hosts behind it (18.104.22.168 on Gate1 can not ping 22.214.171.124 on
that subnet). The reason is pretty obvious. The conn for
126.96.36.199/19 <=> 0.0.0.0 is catching packets 188.8.131.52 <=>
184.108.40.206/19 and sending up the tunnel, which is wrong, instead of
routing them out their appropriate local interfaces. I'm trying to fix
I've seen Paul's posting to this list from several years ago describing
this exact scenario and using a "type=bypass" conn to fix it. But that
doesn't seem to work for me. It appears that posting related to using
klips? I'm using netkey. If I try Paul's example, it gives me an error
saying the route is already in use by "foo" (where foo is the conn for
the extruded subnet) and refuses to do it. If I install demi-route
connections (0.0.0.0/1 and 220.127.116.11/1) in two conns it will then
install them but it does not fix the problem and it does break the
extruded tunnel, sigh...
I've seen some hints in some other postings in some other forums that
the answer is in using setkey or "ip xfrm policy" to set appropriate
transform policies, but I have yet to get that to work and the
documentation on that functionality is sparse to the point of being
abysmal. I have found NO documentation on the "ip xfrm" functionality
outside of the man pages, which are basically syntax only. I couldn't
even determine from the man pages how priority works (is higher better
or is it more like nice) and what is the order of precedence (ordinally
by index or by matching prefix or what). The setkey information looked
like it should work (setting the policy to none and I tried various
priorities) but that didn't work either (but, at least, it didn't BREAK
I've also seen some hints that this could be somehow related to
netfilter+ipsec stuff but those are also old postings and seem to be a
dead end to me.
So... Before I go spamming the entire list with configurations and
policy dumps and what not, has anyone gotten this to work with netkey or
have a hint what else to try? Not merely the extruded subnet. That
works for me. But getting their local gateway to talk with the rest of
its subnet behind it. It's just that one corner case that's driving me
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
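An added illustration, not part of the post above and not Openswan's own code: a small Python model of how the NETKEY (xfrm) security policy database picks a policy for a packet. It answers the two questions raised in the post about "ip xfrm policy": the kernel walks matching policies in ascending order of the priority value (a lower number is consulted first, so it behaves like "nice" in reverse), and it does no longest-prefix matching at all, which is why a /19 <=> 0.0.0.0/0 policy swallows the gateway's own traffic to its /19. A policy with no template ("tmpl") passes traffic in the clear, which is the bypass the post is looking for. All addresses, the priority numbers and the ESP templates below are constructed for this example; the poster's real networks are not used.

```python
"""Model of xfrm SPD lookup, to show why a gateway's own traffic to the
extruded /19 is caught by the tunnel policy and how a lower-numbered
bypass policy fixes it.  Added example; not from the original post.
Assumed kernel behaviour: first matching policy by ascending priority
value wins; no longest-prefix matching; no template means clear text.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (not the poster's): Gate1/Gate2 public side and
# the extruded /19 that lives behind Gate1.
GATE1_PUB = "192.0.2.1"
GATE2_PUB = "198.51.100.2"
EXTRUDED = "10.20.0.0/19"
GATE1_INNER = "10.20.0.1"       # Gate1's own address inside the /19
LAN_HOST = "10.20.5.7"          # a host behind Gate1
INTERNET_HOST = "198.51.100.50"

ESP_OUT = f"src {GATE1_PUB} dst {GATE2_PUB} proto esp mode tunnel"
ESP_IN = f"src {GATE2_PUB} dst {GATE1_PUB} proto esp mode tunnel"


@dataclass(order=True)
class Policy:
    """One SPD entry as 'ip xfrm policy' sees it.  Ordering is by the
    priority field only: the kernel does not prefer longer prefixes."""
    priority: int                                    # lower = consulted first
    src: str = field(compare=False)
    dst: str = field(compare=False)
    direction: str = field(compare=False)            # "in", "out" or "fwd"
    tmpl: Optional[str] = field(compare=False, default=None)  # None = clear

    def matches(self, src: str, dst: str, direction: str) -> bool:
        return (direction == self.direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

    def as_ip_xfrm(self) -> str:
        """The equivalent 'ip xfrm policy add' command line."""
        cmd = (f"ip xfrm policy add src {self.src} dst {self.dst} "
               f"dir {self.direction} priority {self.priority}")
        return cmd + (f" tmpl {self.tmpl}" if self.tmpl else "")


# The extruded-subnet conn as NETKEY would hold it (priority 2000 is an
# assumed value; Openswan picks its own, check 'ip xfrm policy show').
TUNNEL_ONLY: List[Policy] = [
    Policy(2000, EXTRUDED, "0.0.0.0/0", "out", ESP_OUT),
    Policy(2000, "0.0.0.0/0", EXTRUDED, "in", ESP_IN),
    Policy(2000, "0.0.0.0/0", EXTRUDED, "fwd", ESP_IN),
]

# Bypass: /19 <=> /19 stays in the clear.  The only thing that matters is
# that its priority number is LOWER than the tunnel policy's.
BYPASS: List[Policy] = [Policy(1000, EXTRUDED, EXTRUDED, d)
                        for d in ("out", "in", "fwd")]
WITH_BYPASS: List[Policy] = TUNNEL_ONLY + BYPASS


def lookup(policies: List[Policy], src: str, dst: str,
           direction: str) -> Optional[Policy]:
    """First match in ascending priority order, as the kernel does it."""
    for pol in sorted(policies):
        if pol.matches(src, dst, direction):
            return pol
    return None


def verdict(policies: List[Policy], src: str, dst: str,
            direction: str = "out") -> str:
    pol = lookup(policies, src, dst, direction)
    if pol is None:
        return "no policy"
    return "clear" if pol.tmpl is None else "tunnel"


def bypass_commands() -> List[str]:
    return [p.as_ip_xfrm() for p in BYPASS]


if __name__ == "__main__":
    for pols, label in ((TUNNEL_ONLY, "tunnel only"), (WITH_BYPASS, "with bypass")):
        print(f"{label}: {GATE1_INNER} -> {LAN_HOST}: "
              f"{verdict(pols, GATE1_INNER, LAN_HOST)}")
        print(f"{label}: {GATE1_INNER} -> {INTERNET_HOST}: "
              f"{verdict(pols, GATE1_INNER, INTERNET_HOST)}")
    print("\n".join(bypass_commands()))
```

With only the tunnel policy, Gate1's own ping to a host in its /19 is classified "tunnel", which is the misbehaviour described in the post; once the three bypass policies (out, in and fwd, so forwarded and locally originated traffic are both covered) are present with a lower priority number, the same packet is "clear" while traffic from the /19 to the rest of the internet is still tunneled. On a real system, compare the numbers in `ip xfrm policy show` before choosing the bypass priority.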