[Openswan Users] Revisiting old routing problem. Passthrough conns only creating "dir out" policies.

Paul Wouters paul at xelerance.com
Fri Jun 26 15:00:34 EDT 2009


On Mon, 11 May 2009, Michael H. Warfield wrote:

> 	I haven't tested 2.6.22dr1 of yet but I have generated a patch file
> against it patching netlink_shunt_eroute for this problem.  It's
> basically my earlier suggested patch (with one stupid typo fix from
> merging two changes) and rebased to 2.6.22dr1 to compensate for an
> offset.  This time attached as a file if you choose to use it.  I've
> built Fedora 10 rpm's with the 2.6.21 flavor of this patch and it's
> running on the impacted gateway now.

This patch just saved me in a support call where a customer ran into
an issue where a passthrough route was needed. I've applied it to the
git tree, and it will be in 2.6.23 :)

Thanks for your work on tracing this issue!

I am still thinking there should be a builtin fix for this though.

Perhaps, if we are on netkey, and we notice that leftsubnet (eg
10.0.1.0/24) falls within rightsubnet (eg 10.0.0.0/8) or vice versa,
we should automatically add the proper passthrough route to avoid the
stupid NETKEY "feature" of routing our LAN via the IPsec tunnel.

The proper passthrough conn in that case being:

conn netkeybug
 	left=10.0.1.1
 	leftsubnet=10.0.1.0/24
 	right=0.0.0.0
 	rightsubnet=10.0.1.0/24
 	authby=never
 	type=passthrough
 	auto=route

I've added this documentation in a new example called hub-spoke.conf that
is installed in /etc/ipsec.d/examples/ from openswan 2.6.23 onwards.

Paul
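The subnet-nesting check Paul proposes above, worked through as an added example that is not part of the original mail or of the openswan code base. It is a plain POSIX sh script: `subnet_contains` tests whether one IPv4 CIDR block lies inside another, `overlap_kind` reports which direction the nesting goes, and `overlap_check` prints the passthrough conn from the mail (left LAN to itself, `authby=never`, `type=passthrough`, `auto=route`) whenever the two subnets nest in either direction. All function names are hypothetical, and the sample subnets at the bottom are the constructed 10.0.1.0/24 within 10.0.0.0/8 case from the post.

```shell
#!/bin/sh
# Added example (not from the openswan mailing list post or the openswan
# project). Detects leftsubnet/rightsubnet nesting on a NETKEY host and
# prints the passthrough conn that keeps local-LAN traffic off the tunnel.
# All helper names below are hypothetical.

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask_int PREFIXLEN -> integer netmask (PREFIXLEN 0..32)
netmask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# subnet_contains OUTER INNER -> exit 0 when INNER lies within OUTER
# (an identical subnet counts as contained)
subnet_contains() {
    outer_net=${1%/*}; outer_len=${1#*/}
    inner_net=${2%/*}; inner_len=${2#*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    mask=$(netmask_int "$outer_len")
    [ $(( $(ip4_to_int "$outer_net") & mask )) -eq \
      $(( $(ip4_to_int "$inner_net") & mask )) ]
}

# overlap_kind LEFTSUBNET RIGHTSUBNET -> left-in-right | right-in-left | none
overlap_kind() {
    if subnet_contains "$2" "$1"; then
        echo left-in-right
    elif subnet_contains "$1" "$2"; then
        echo right-in-left
    else
        echo none
    fi
}

# passthrough_conn LEFT LEFTSUBNET -> the conn from the mail for that LAN:
# local LAN to itself, never negotiated, routed as a shunt at startup
passthrough_conn() {
    cat <<EOF
conn netkeybug
	left=$1
	leftsubnet=$2
	right=0.0.0.0
	rightsubnet=$2
	authby=never
	type=passthrough
	auto=route
EOF
}

# overlap_check LEFT LEFTSUBNET RIGHTSUBNET
# Prints the passthrough conn when the subnets nest; returns 1 otherwise.
overlap_check() {
    case $(overlap_kind "$2" "$3") in
        none) return 1 ;;
        *)    passthrough_conn "$1" "$2" ;;
    esac
}

# Constructed sample: the hub-spoke case from the mail
overlap_check 10.0.1.1 10.0.1.0/24 10.0.0.0/8
```

The conn is only emitted for nested subnets, because a partial overlap is a configuration error that no shunt fixes. In the right-in-left case the same left-LAN-to-itself shunt is printed; the tunnel policy for the narrower remote subnet is more specific and still wins for that range.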

