[Openswan Users] sanity check: alias address, firewall, klips address problem

Neal Murphy neal.p.murphy at alum.wpi.edu
Thu Dec 2 02:49:28 EST 2010


Got another problem with Smoothwall. It happens with both 
openswan-2.4.15/linux-2.6.16 and openswan-2.6.29/linux-2.6.32, so I'm 
thinking it's not an IPSEC problem. - (left) - == - (right) -

KLIPS VPN is up between two smoothies. It works great. As long as traffic 
flows across the tunnel before an alias is added, all is well.

However, if I add a public IP address to right's public NIC 
aliased to before any traffic flows, strange things happen. For 
example if I 'ping' from, IPSEC sends the packets 
from When I change .10's address to something else, the 
problem persists. When I delete the alias, the problem 
persists. 'iptables-save' shows no sign of the alias address. Yet it 
persists. IPSEC seems to use the first address it sees and never seems to 
change it after that.

Using 'leftsourceip=' does set the source addr in the routing 
table, but doesn't change the behaviour.

A reboot cures the anomaly. Removing and restoring all of the TC-, NF- and 
IPSEC-related modules seems to fix it. I'm not sure if waiting some period of 
time (waiting for a long timeout) fixes it.

I don't think it's related to openswan, except that it seems only outbound ESP 
packets are affected.

So, a few questions:
  1. Has anyone ever encountered such behaviour before?
  2. There's a lot of ground to cover. Any ideas where I should focus to
     track it down?
  3. Is it more likely to be an iptables problem, or openswan?
