[Openswan Users] openswan weird ip routing issue

Michael H. Warfield mhw at WittsEnd.com
Tue Feb 16 13:01:15 EST 2010


On Tue, 2010-02-16 at 10:34 -0700, Randy Wyatt wrote: 
> The version of openswan under use is U2.6.22/K2.6.25.07 .

> The client gateway has the following configuration:
>
> Problem Statement:
>
>     1.) Unable to ping host on leftsubnet from left gateway
>     when rightsubnet is set to 0.0.0.0/0
>
> Configuration of left gateway:
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     protostack=netkey

You need a bypass conn for your local subnet. 
>
> conn ipsec-auto-psk
>     authby=secret
>     type=tunnel
>     left=%defaultroute
>     leftsubnet=192.168.1.0/24
>     leftid=@nvtl.mifi.local
>     leftsourceip=192.168.1.1
>     right=216.188.XXX.YYY
>     rightsubnet=0.0.0.0/0
>     rightid=@dolphins.devnet.nvtl.local
>     ike=3des-sha1
>     phase2=esp
>     phase2alg=3des-sha1;modp1024
>     rekey=no
>     auto=add
>
> So for example, we are not able to ping 192.168.1.10 from 192.168.1.1
> when the IPSEC SA is up.

For your example, you'll need something like this:

conn local-0
        authby=never
        rightsubnet=192.168.1.0/24
        rightrsasigkey=%none
        left=192.168.1.1
        leftsubnet=192.168.1.0/24
        leftrsasigkey=%none
        type=passthrough
        auto=route

Not sure if all that's necessary but you need a type=passthrough and an
auto=route for your local subnet.  It's a netkey thing.

> If we “ipsec auto --down ipsec-auto-psk”, we still have not resumed
> connectivity.  We don’t get connectivity back until
> we /etc/rc.d/init.d/ipsec stop.
>
> Regards,
>
> Randy


Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
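As an added illustration, not part of the thread above, here is a simplified Python model of how the netkey (XFRM) security policy database chooses a policy for an outbound packet: the most specific matching policy wins, which is roughly what openswan's netkey priority scheme achieves. It shows why a conn with rightsubnet=0.0.0.0/0 also captures the gateway's own LAN traffic until a more specific passthrough policy exists; the names Policy, lookup and action_for are invented for this example.

```python
import ipaddress

# Simplified model of an XFRM outbound policy: a src/dst prefix pair and
# the action taken on matching packets ("tunnel" = encapsulate into the
# IPsec SA, "bypass" = send in the clear, as type=passthrough does).
class Policy:
    def __init__(self, name, src, dst, action):
        self.name = name
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.action = action

    def matches(self, saddr, daddr):
        return saddr in self.src and daddr in self.dst

    def specificity(self):
        # Longer combined prefix = more specific policy (wins the lookup).
        return self.src.prefixlen + self.dst.prefixlen


def lookup(policies, saddr, daddr):
    """Return the most specific policy matching the packet, or None."""
    saddr = ipaddress.ip_address(saddr)
    daddr = ipaddress.ip_address(daddr)
    candidates = [p for p in policies if p.matches(saddr, daddr)]
    if not candidates:
        return None
    return max(candidates, key=Policy.specificity)


def action_for(policies, saddr, daddr):
    """'tunnel', 'bypass', or 'plain' when no IPsec policy applies."""
    p = lookup(policies, saddr, daddr)
    return p.action if p else "plain"


# The tunnel conn from the post: leftsubnet=192.168.1.0/24, rightsubnet=0.0.0.0/0
TUNNEL = Policy("ipsec-auto-psk", "192.168.1.0/24", "0.0.0.0/0", "tunnel")
# The passthrough conn from the reply, covering LAN-to-LAN traffic
BYPASS = Policy("local-0", "192.168.1.0/24", "192.168.1.0/24", "bypass")

if __name__ == "__main__":
    # Without the bypass, the gateway's ping to its own LAN host is grabbed
    # by the 0.0.0.0/0 policy and never goes out in the clear.
    print("tunnel only :", action_for([TUNNEL], "192.168.1.1", "192.168.1.10"))
    print("with bypass :", action_for([TUNNEL, BYPASS], "192.168.1.1", "192.168.1.10"))
    print("to Internet :", action_for([TUNNEL, BYPASS], "192.168.1.1", "198.51.100.7"))
```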