[Openswan Users] Revisting old routing problem. Passthrough conns only creating "dir out" policies.
Michael H. Warfield
mhw at WittsEnd.com
Sun May 10 19:20:13 EDT 2009
I've poked at this problem for ages and never really got it to work.
Perusing the forums, seems this has come up of and on but none of the
suggestions worked for me until I spotted one earlier today.
Configuration: An extruded subnet with a default route out through the
VPN. Actually two non-contiguous extruded subnets behind the same
Problem: Neither subnet can communicate with the gateway but they do
communicate through the gateway.
|---G---- [VPN] --- IGateway --- Net
In the connections on G
A can not ping or contact G or B
B can not ping or contact G or A
A, B, and G can all communication with hosts out on the net out through
If, on G, I do a traceroute to an address on A, the next hop is the
Internet Gateway, IGateway, going on the wrong direction, so, of course,
I tried the suggestions for passthrough connections, which made sense.
All were unsuccessful. Each time I tried this before I'd usually just
give up and forget about it for a long time. Tried again just recently
with 2.6.21 on kernel 2.6.27 (netkey) and still had the problem.
A little more research I finally stumbled onto a message with almost my
exact same configuration and exact same problem here:
His workaround fixed my problems. I also saw several comments in other
messages about OpenSWAN only creating the "dir out" policy and not
creating the "dir in" or "dir fwd" policies on passthrough connections.
Sure enough, just bring up the A connection and verifying that a ping
was NOT working from A to G I executed the two ip policy commands, one
for out and then for in. Just having the out policy did not work. As
soon as the in policy was added, it was immediately working (the other
in/out/fwd policies are needed for the A-B cases). I also looked and,
sure enough, OpenSWAN is only creating the "dir out" policy for the
This is even sitting in the OpenSWAN bugzilla here from a year ago:
If I add a passthrough conn for rightsubnet=A/19 and leftsubnet=A/19
and bring it up (--route) the "dir out" is in the policy table but
there's not "dir in" in the policy table. Add the matching "dir in" and
it starts working.
Now, of course, where rightsubnet != leftsubnet, then you need to add 2
"dir in", 2 "dir out", and 2 "dir fwd" policies as well.
This is definitely a problem and I can confirm this on 2.6.21/K2.6.27
netkey confirming both the original posters message and confirming the
bug report in bugzilla.
Question is, what is it suppose to do or what are we suppose to do to
make this work, if it's not a bug, or can we get this bug in bugzilla
No, I have not looked at 22dr1 but I see nothing in the bugzilla entry
to make me think it's even been looked at.
After reading an earlier recent message about some policy stuff and the
location of the netlink code, I'm looking at
programs/pluto/kernel_netlink.c, particularly in the netlink_raw_eroute
function but nothing is standing out to me and it would seem to be in
something that calls that function.
I should have dug deeper into this a long time ago.
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20090510/53b6f32b/attachment.bin
More information about the Users