[Openswan Users] Revisiting old routing problem. Passthrough conns only creating "dir out" policies.

Paul Wouters paul at xelerance.com
Mon May 11 09:21:08 EDT 2009


On Sun, 10 May 2009, Michael H. Warfield wrote:

> 	I tried the suggestions for passthrough connections, which made sense.
> All were unsuccessful.  Each time I tried this before I'd usually just
> give up and forget about it for a long time.  Tried again just recently
> with 2.6.21 on kernel 2.6.27 (netkey) and still had the problem.
>
> 	A little more research I finally stumbled onto a message with almost my
> exact same configuration and exact same problem here:
>
> 	http://lists.openswan.org/pipermail/users/2007-April/012298.html
>
> 	His workaround fixed my problems.  I also saw several comments in other
> messages about OpenSWAN only creating the "dir out" policy and not
> creating the "dir in" or "dir fwd" policies on passthrough connections.

But the problem here is that I am not convinced of the workaround mentioned there:

# used to get traffic passed from subnet1 to subnet2 and reverse
  ip xfrm policy add dir in src subnet1 dst subnet2
  ip xfrm policy add dir out src subnet1 dst subnet2
  ip xfrm policy add dir in src subnet2 dst subnet1
  ip xfrm policy add dir out src subnet2 dst subnet1
  ip xfrm policy add dir fwd src subnet1 dst subnet2
  ip xfrm policy add dir fwd src subnet2 dst subnet1

The problem here is that these policies list no SPI on which they
apply. I believe that means now that any IPsec SA can send traffic
with that src/dst combination, and it will be accepted by the kernel.

The original klips passthrough routes, since they were route based, could
only work for the local machine itself. Perhaps Herbert can tell us more
about how this would apply safely on netkey?

> 	This is even sitting in the OpenSWAN bugzilla here from a year ago:
>
> 	http://bugs.xelerance.com/view.php?id=907
>
> 	If I add a passthrough conn for rightsubnet=A/19 and leftsubnet=A/19
> and bring it up (--route) the "dir out" is in the policy table but
> there's no "dir in" in the policy table.  Add the matching "dir in" and
> it starts working.

> 	Question is, what is it supposed to do or what are we supposed to do to
> make this work, if it's not a bug, or can we get this bug in bugzilla
> addressed?

I am not sure what the best way is, or whether there is a better way, when
using NETKEY.

Paul
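A defender-side check for the two things discussed in this thread, added here as an example and not part of the original message: it parses `ip xfrm policy show` output and reports every "dir out" policy that lacks the matching "dir in" and "dir fwd" policies on the reverse selector, plus any policy that carries no tmpl (a template-less bypass policy, which is what the quoted workaround installs). The function names, the sample output and its addresses are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm policy show` output (not captured from a real
# host): a passthrough selector that only received its "dir out" policy, and a
# normal tunnel selector with out/in/fwd policies carrying an ESP template.
# Indentation is cosmetic; awk splits on whitespace either way.
SAMPLE_POLICY='src 10.0.1.0/24 dst 10.0.1.0/24
    dir out priority 2080 ptype main
src 10.0.1.0/24 dst 10.0.2.0/24
    dir out priority 2080 ptype main
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in priority 2080 ptype main
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir fwd priority 2080 ptype main
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel'

# Reads policy dump on stdin. For every "dir out" policy on selector S->D,
# require "dir in" and "dir fwd" policies on D->S; flag any policy without a
# tmpl line. Output is sorted so the report is stable.
check_xfrm_policies() {
  awk '
    function emit_block() {
      if (src == "") return
      seen[dir, src, dst] = 1
      if (!tmpl) printf "BYPASS %s %s %s\n", dir, src, dst
      if (dir == "out") outsel[src " " dst] = 1
    }
    $1 == "src"  { emit_block(); src = $2; dst = $4; dir = ""; tmpl = 0 }
    $1 == "dir"  { dir = $2 }
    $1 == "tmpl" { tmpl = 1 }
    END {
      emit_block()
      for (k in outsel) {
        split(k, p, " ")   # p[1] = S (src), p[2] = D (dst) of the out policy
        if (!(("in",  p[2], p[1]) in seen)) printf "MISSING in %s %s\n",  p[1], p[2]
        if (!(("fwd", p[2], p[1]) in seen)) printf "MISSING fwd %s %s\n", p[1], p[2]
      }
    }' | LC_ALL=C sort
}

# Run the audit over the constructed sample. On a real host, use:
#   ip xfrm policy show | check_xfrm_policies
audit_sample() {
  printf '%s\n' "$SAMPLE_POLICY" | check_xfrm_policies
}

audit_sample
```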
