[Openswan Users] sanity check: alias address, firewall, klips address problem

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri Dec 3 19:50:18 EST 2010

On Thursday 02 December 2010 02:49:28 Neal Murphy wrote:
> However, if I add public IP address to right's public NIC
> aliased to before any traffic flows, strange things happen. For
> example if I 'ping' from, IPSEC sends the
> packets from When I change .10's address to something else,
> the problem persists. When I delete the alias, the problem
> persists. 'Iptables-save' shows no sign of the alias address. Yet it
> persists. IPSEC seems to use the first address it sees and never seems to
> change it after that.

Well, we found the problem. (Again, using plain KLIPS with OS 2.6.29.)

Aliases (one-to-one, I think) are being created with (for example)
  iptables -t nat -D portfw_post -o eth1 -m mark \
    --mark 0x80100000 -j SNAT --to-source

Changing it to:
  iptables -t nat -I portfw_post -o eth1 -s -m mark \
    --mark 0x80100000 -j SNAT --to-source

That fixed the problem.

Suppose eth1 has as its primary address and is added as another address, on
eth1:1. (In fact, I believe it would break even if were added as a secondary
address to eth1.) What would cause openswan/IPSEC to use the alias address
instead of the primary? Clearly, failing to set the source address in the
iptables rule caused the problem. But why?
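The two rules in the post differ only in the `-s` match. The toy model below is an added example, not code from the post or from Openswan/netfilter, that runs three constructed packets through an unscoped and a scoped SNAT rule to show how far each one reaches. The addresses (documentation ranges), the chain name and, in particular, the assumption that a tunnel packet already carrying the primary address also carries the fwmark 0x80100000 are all constructed for the demo; the post does not establish what actually carried the mark.

```python
# Added example, not part of the mailing-list post: a toy model of how an
# iptables nat SNAT rule selects packets, used to compare the rule without
# "-s" against the rule with it. Addresses and the assumption that tunnel
# traffic carries the same fwmark are constructed for this demo.
from dataclasses import dataclass, replace
from typing import List, Optional

MARK = 0x80100000                 # the fwmark used in the post's rules
PRIMARY = "198.51.100.1"          # constructed: eth1 primary address
ALIAS = "198.51.100.10"           # constructed: eth1:1 alias address
LAN_HOST = "192.168.0.10"         # constructed: host behind the port-forward
REMOTE = "203.0.113.5"            # constructed: some destination on the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str
    mark: int


@dataclass(frozen=True)
class SnatRule:
    """One '-t nat ... -o IFACE [-s SRC] -m mark --mark M -j SNAT --to-source TO' rule."""
    out_iface: str
    mark: int
    to_source: str
    src: Optional[str] = None     # the -s match; None means any source matches

    def matches(self, pkt: Packet) -> bool:
        # "-m mark --mark VALUE" without a mask is an exact comparison
        if pkt.out_iface != self.out_iface or pkt.mark != self.mark:
            return False
        # Without -s, every marked packet leaving the interface qualifies,
        # whatever source address it already carries.
        return self.src is None or pkt.src == self.src

    def as_iptables(self, chain: str = "portfw_post") -> str:
        """Render the rule in the syntax used in the post (chain name assumed)."""
        src = f" -s {self.src}" if self.src else ""
        return (f"iptables -t nat -I {chain} -o {self.out_iface}{src} -m mark "
                f"--mark {self.mark:#x} -j SNAT --to-source {self.to_source}")


def apply_snat(rules: List[SnatRule], pkt: Packet) -> Packet:
    """First matching rule wins, as in a netfilter chain; SNAT rewrites the source."""
    for rule in rules:
        if rule.matches(pkt):
            return replace(pkt, src=rule.to_source)
    return pkt


def compare_rules() -> dict:
    """Run the same three packets through the unscoped and the scoped rule."""
    unscoped = SnatRule("eth1", MARK, ALIAS)
    scoped = SnatRule("eth1", MARK, ALIAS, src=LAN_HOST)
    packets = [
        Packet(LAN_HOST, REMOTE, "eth1", MARK),   # port-forward traffic: should be SNATed
        Packet(PRIMARY, REMOTE, "eth1", MARK),    # assumed: tunnel packet that picked up the mark
        Packet(PRIMARY, REMOTE, "eth1", 0),       # unmarked traffic from the primary address
    ]
    return {
        "unscoped": [apply_snat([unscoped], p).src for p in packets],
        "scoped": [apply_snat([scoped], p).src for p in packets],
    }


if __name__ == "__main__":
    for name, sources in compare_rules().items():
        print(name, sources)
```

With the unscoped rule the packet that already carries the primary address leaves with the alias address instead; with `-s` only the port-forwarded host's traffic is rewritten. Running `iptables-save` shows the rule either way, so checking a rule for a missing `-s` (or `-d`) match is a quicker sanity check than searching the output for the alias address itself.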
