[Openswan Users] sanity check: alias address, firewall, klips address problem
Neal Murphy
neal.p.murphy at alum.wpi.edu
Fri Dec 3 19:50:18 EST 2010
On Thursday 02 December 2010 02:49:28 Neal Murphy wrote:
> However, if I add public IP address 192.168.1.239 to right's public NIC
> aliased to 10.20.30.10 before any traffic flows, strange things happen. For
> example if I 'ping 192.168.50.200' from 10.20.30.10, IPSEC sends the
> packets from 192.168.1.239. When I change .10's address to something else,
> the problem persists. When I delete the alias, the problem
> persists. 'Iptables-save' shows no sign of the alias address. Yet it
> persists. IPSEC seems to use the first address it sees and never seems to
> change it after that.
Well, we found the problem. (Again, using plain KLIPS with OS 2.6.29.)
Aliases (one-to-one, I think) are being created with (for example)
iptables -t nat -D portfw_post -o eth1 -m mark \
--mark 0x80100000 -j SNAT --to-source 200.0.0.3
Changing it to:
iptables -t nat -I portfw_post -o eth1 -s 192.168.50.200 -m mark \
--mark 0x80100000 -j SNAT --to-source 200.0.0.3
That fixed the problem.
Suppose eth1 has 200.0.0.2/24 as its primary address and 200.0.0.3/32 is added
as another address, on eth1:1. (In fact, I believe it would break even if
200.0.0.3/24 were added as a secondary address to eth1.) What would cause
openswan/IPSEC to use the alias address instead of the primary? Clearly,
failing to set the source address in the iptables rule caused the problem.
But why?
N
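The rule that caused the trouble above was an SNAT in the nat table that matched only on output interface and mark, with no -s restriction, so it could rewrite the source of any packet leaving eth1 that carried that mark. The script below is an added example, not something from the post or from Openswan/KLIPS: it audits an iptables-save dump for SNAT rules that lack a "-s"/"--source" match, which is the check a practitioner would run after reading this thread. The dump embedded in it is a constructed sample (chain name portfw_post and the 200.0.0.x addresses follow the post; the 0x80200000 mark and 200.0.0.4 rule are invented for contrast), and the --live mode simply pipes the running firewall through the same filter.

```shell
#!/bin/sh
# Audit an iptables-save dump for nat-table SNAT rules that do not restrict
# the source address (no "-s"/"--source"), i.e. rules shaped like the one
# the post above found rewriting IPsec traffic. Added example, not the
# poster's firewall; the dump below is constructed.

# Constructed sample in iptables-save format (hypothetical firewall).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:portfw_post - [0:0]
-A POSTROUTING -j portfw_post
-A portfw_post -o eth1 -m mark --mark 0x80100000 -j SNAT --to-source 200.0.0.3
-A portfw_post -o eth1 -s 192.168.50.200 -m mark --mark 0x80200000 -j SNAT --to-source 200.0.0.4
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# Print every nat-table "-A ... -j SNAT" rule with no -s/--source match,
# one rule per line. Reads an iptables-save dump on stdin.
unscoped_snat() {
    awk '
        /^\*/ { table = substr($0, 2) }      # table header such as "*nat"
        table == "nat" && /^-A / && / -j SNAT / {
            has_src = 0
            for (i = 1; i <= NF; i++)
                if ($i == "-s" || $i == "--source") has_src = 1
            if (!has_src) print
        }
    '
}

# Number of unscoped SNAT rules in the dump passed on stdin.
count_unscoped_snat() {
    unscoped_snat | wc -l | tr -d ' '
}

# Stand-alone use: "--live" audits the running firewall (needs root),
# otherwise the constructed sample is audited.
if [ "${1:-}" = "--live" ]; then
    iptables-save | unscoped_snat
else
    printf '%s\n' "$SAMPLE_DUMP" | unscoped_snat
fi
```

On the sample only the 200.0.0.3 rule is reported: the 200.0.0.4 rule carries "-s 192.168.50.200" and the MASQUERADE rule is not an SNAT target. A rule written with "! -s" negation still counts as scoped here, so review those by hand.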