[Openswan Users] Extruded subnet (revisited yet again).

Michael H. Warfield mhw at WittsEnd.com
Sat Jan 24 13:13:12 EST 2009

Hey all,

	Ok...  I've been trying to solve this for ages and I've really wanted
to figure this out on my own but I haven't.  I see in the archives this
has been kicked around from time to time but I can't find a definitive
answer (and old old hints in some other forums imply that there wasn't
one at the time but patches were "on the way").

	I'm trying to set up an extruded subnet as follows:

	Subnet-----------------------Gate1======Gate2----Internet --  PubIP===PubIp

	The subnet behind Gate1 is a nice large /19 (it's a research network).
I've extruded that /19 from the /18 that Gate2 resides on.  The extruded
tunnel is basically <=>

	In the main conn:


	The extruded tunnel itself works.  That is, anything from the internet
can reach Gate1 on its local extruded address ( and
anything on the other side of Gate1 in that entire /19 (like  But...  Gate1 cannot communicate with any of the
hosts behind it ( on Gate1 cannot ping on
that subnet).  The reason is pretty obvious.  The conn for <=> is catching packets <=> and sending up the tunnel, which is wrong, instead of
routing them out their appropriate local interfaces.  I'm trying to fix

	I've seen Paul's posting to this list from several years ago describing
this exact scenario and using a "type=bypass" conn to fix it.  But that
doesn't seem to work for me.  It appears that posting related to using
klips?  I'm using netkey.  If I try Paul's example, it gives me an error
saying the route is already in use by "foo" (where foo is the conn for
the extruded subnet) and refuses to do it.  If I install demi-route
connections ( and in two conns it will then
install them but it does not fix the problem and it does break the
extruded tunnel, sigh...

	I've seen some hints in some other postings in some other forums that
the answer is in using setkey or "ip xfrm policy" to set appropriate
transform policies, but I have yet to get that to work and the
documentation on that functionality is sparse to the point of being
abysmal.  I have found NO documentation on the "ip xfrm" functionality
outside of the man pages, which are basically syntax only.  I couldn't
even determine from the man pages how priority works (is higher better
or is it more like nice) and what is the order of precedence (ordinally
by index or by matching prefix or what).  The setkey information looked
like it should work (setting the policy to none and I tried various
priorities) but that didn't work either (but, at least, it didn't BREAK
the tunnel).

	I've also seen some hints that this could be somehow related to
netfilter+ipsec stuff but those are also old postings and seem to be a
dead end to me.

	So...  Before I go spamming the entire list with configurations and
policy dumps and what not, has anyone gotten this to work with netkey or
have a hint what else to try?  Not merely the extruded subnet.  That
works for me.  But getting their local gateway to talk with the rest of
its subnet behind it.  It's just that one corner case that's driving me

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
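The question above about how "ip xfrm policy" priority works is the kind of thing that is easiest to see with a small model of the lookup. The following is an added example, not code from the original post or from Openswan: it models the Linux xfrm policy selection rule that, among the policies whose selector matches a flow, the one with the lowest numeric priority value wins (ties going to the earlier-inserted policy). The prefixes, policy names and priority numbers are constructed placeholders, since the original post's addresses were stripped; real policies are inspected with `ip xfrm policy show` and this model does not talk to the kernel.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addressing (the post's real prefixes are not available):
# the extruded /19 behind Gate1, Gate1's own address in it, a host behind Gate1,
# and an arbitrary Internet host.
EXTRUDED_NET = ipaddress.ip_network("10.0.32.0/19")
GATE1_LOCAL = "10.0.32.1"
HOST_BEHIND_GATE1 = "10.0.40.7"
INTERNET_HOST = "198.51.100.9"
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class XfrmPolicy:
    """One 'ip xfrm policy' entry, reduced to the parts that matter for lookup."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str    # "ipsec" = send through the tunnel, "none" = plain routing (bypass)
    priority: int  # Linux semantics: the LOWER number wins, not the higher one


def lookup(policies, src_ip, dst_ip):
    """Return the policy the kernel would apply to an outbound src->dst flow.

    Model of xfrm_policy_lookup: every policy whose selector matches is a
    candidate; the candidate with the smallest priority value is chosen, and
    min() keeps the first-inserted one on ties (the kernel's tie-break is by
    insertion position, which this list order stands in for).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    candidates = [p for p in policies if src in p.src and dst in p.dst]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.priority)


def build_policies(bypass_priority=None):
    """The extruded-subnet tunnel policy, optionally plus a local bypass policy.

    Priority numbers are constructed for the example; the tunnel policy is
    fixed at 2000 and the caller picks the bypass priority, so the effect of
    choosing it above or below the tunnel policy can be compared.
    """
    policies = [
        XfrmPolicy("extruded-tunnel", EXTRUDED_NET, ANY, "ipsec", 2000),
    ]
    if bypass_priority is not None:
        # Local /19 -> local /19 traffic should never be encapsulated.
        policies.append(
            XfrmPolicy("local-bypass", EXTRUDED_NET, EXTRUDED_NET, "none", bypass_priority)
        )
    return policies


def decide(policies, src_ip, dst_ip):
    """Action name the model would take for the flow, 'route' if no policy matches."""
    pol = lookup(policies, src_ip, dst_ip)
    return pol.action if pol else "route"


if __name__ == "__main__":
    # The symptom from the post: with only the tunnel policy, Gate1 -> local host
    # is captured by the /19 -> 0.0.0.0/0 selector and sent up the tunnel.
    print(decide(build_policies(), GATE1_LOCAL, HOST_BEHIND_GATE1))        # ipsec (the bug)
    # A bypass policy with a LOWER number than the tunnel policy fixes it ...
    print(decide(build_policies(bypass_priority=1000), GATE1_LOCAL, HOST_BEHIND_GATE1))  # none
    # ... while Internet-bound traffic still goes through the tunnel ...
    print(decide(build_policies(bypass_priority=1000), GATE1_LOCAL, INTERNET_HOST))      # ipsec
    # ... and a bypass with a HIGHER number than the tunnel policy changes nothing.
    print(decide(build_policies(bypass_priority=3000), GATE1_LOCAL, HOST_BEHIND_GATE1))  # ipsec
```

The last case is the one worth checking on a real box: if a bypass policy was added with a larger priority number than the tunnel policy Openswan installed, `ip xfrm policy show` will list both, but the tunnel policy still wins and nothing changes, which matches "tried various priorities, didn't help, didn't break the tunnel" in the post. Comparing the priority column of the tunnel policy against the bypass policy in that output is the quick diagnosis.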
