[Openswan Users] sanity check: alias address, firewall, klips address problem
neal.p.murphy at alum.wpi.edu
Thu Dec 2 02:49:28 EST 2010
Got another problem with Smoothwall. It happens with both
openswan-2.4.15/linux-2.6.16 and openswan-2.6.29/linux-2.6.32, so I'm
thinking it's not an IPSEC problem.
192.168.50.200 - (left) 192.168.50.1/24 - 192.168.1.3/24 == 192.168.1.2/24 -
10.20.30.1/24 (right) - 10.20.30.10.
KLIPS VPN is up between two smoothies. It works great. As long as traffic
flows across the tunnel before an alias is added, all is well.
However, if I add public IP address 192.168.1.239 to right's public NIC
aliased to 10.20.30.10 before any traffic flows, strange things happen. For
example if I 'ping 192.168.50.200' from 10.20.30.10, IPSEC sends the packets
from 192.168.1.239. When I change .10's address to something else, the
problem persists. When I delete the alias, the problem
persists. 'iptables-save' shows no sign of the alias address. Yet it
persists. IPSEC seems to use the first address it sees and never seems to
change it after that.
Using 'leftsourceip=192.168.1.3' does set the source addr in the routing
table, but doesn't change the behaviour.
A reboot cures the anomaly. Removing and restoring all of the TC-, NF- and
IPSEC-related modules seems to fix it. I'm not sure if waiting some period of
time (waiting for a long timeout) fixes it.
I don't think it's related to openswan, except that it seems only outbound ESP
packets are affected.
So, a few questions:
1. Has anyone ever encountered such behaviour before?
2. There's a lot of ground to cover. Any ideas where I should focus to
track it down?
3. Is it more likely to be an iptables problem, or openswan?