[Openswan Users] openswan weird ip routing issue

Michael H. Warfield mhw at WittsEnd.com
Tue Feb 16 14:32:47 EST 2010

On Tue, 2010-02-16 at 11:31 -0700, Randy Wyatt wrote: 
> <snip>
> For your example, you'll need something like this:
> conn local-0
>         authby=never
>         rightsubnet=
>         rightrsasigkey=%none
>         left=
>         leftsubnet=
>         leftrsasigkey=%none
>         type=passthrough
>         auto=route
> Not sure if all that's necessary but you need a type=passthrough and an
> auto=route for your local subnet.  It's a netkey thing.
> </snip>

> Why would I need to define a rightsubnet for a local bypass?

It looks weird but it's buried in the technical details of how the
security associations are set up with Netkey.  I forget what version
Paul integrated my patch into for this but it was broken for a while.
Recent releases all have it fixed.  That's the only way I've been able
to get it to work.

Crud...  I missed this...  Just went back and checked the list archives
and Paul integrated my patch into 2.6.23.  In your original message I
saw this:

> > > The version of openswan under use is U2.6.22/K2.6.25.07 .

Not good.  I failed to notice the 2.6.22.  My apologies.  You'll also
need to try a more recent version.

> Unfortunately, this doesn't seem to make a difference, The only entry we
> get in the logs are:

You might have to also specify right=  Somehow I missed
copying that line in.

> Ipsec__plutonrun: right do something with host case: 0
> I can see the following policies listed with (ip xfrm policy)
> Src dst
> 	Dir in priority 2368
> 	Tmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
> 		Proto esp reqid 16385 mode tunnel
> Src dst
> 	Dir out priority 2344
> Src dst
> 	Dir out priority 2368
> 	Tmpl src 32.XXX.YYY.ZZZ dst 216.188.XXX.YYY
> 		Proto esp reqid 16385 mod tunnel
> Src dst
> 	Dir fwd priority 2368
> 	Tmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
> 		Proto esp reqid 16385 mode tunnel

You should have three entries that look something like this:

src dst 
        dir fwd priority 2349 ptype main 
src dst  
        dir in priority 2349 ptype main 
src dst  
        dir out priority 2504 ptype main 

Those are the key.  You have to have all three, an "in", an "out" and a
"fwd".  With your version of OpenSWAN, you'll probably only see the one
entry (in I think).  You can add them by hand if you want to test it.
That's what I was doing when I was debugging the problem.

> Regards,
> Randy

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
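The check Michael describes above (all three template-free "in", "out" and "fwd" policies must be present for the local subnet, and an older Openswan may only install one of them) can be scripted against `ip xfrm policy` output. The following is an added example written for this page, not code from the thread or from the Openswan project. The sample policy dumps are constructed to mimic the layout shown above, using RFC 5737 documentation addresses in place of the real ones, and the parser tolerates the capitalised transcript style seen in the quoted output.

```python
import re

# Constructed sample: a host with a passthrough bypass for its own subnet
# (three template-free entries, one per direction) plus one tunnel-mode
# policy towards a remote subnet. Addresses are documentation ranges.
SAMPLE_OK = """\
src 10.0.1.0/24 dst 10.0.1.0/24
\tdir fwd priority 2349 ptype main
src 10.0.1.0/24 dst 10.0.1.0/24
\tdir in priority 2349 ptype main
src 10.0.1.0/24 dst 10.0.1.0/24
\tdir out priority 2504 ptype main
src 10.0.1.0/24 dst 10.0.2.0/24
\tdir out priority 2368 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 16385 mode tunnel
"""

# Constructed sample reproducing the failure mode from the thread: only an
# "in" bypass entry exists, so "out" and "fwd" are missing for the subnet.
SAMPLE_BROKEN = """\
Src 10.0.1.0/24 dst 10.0.1.0/24
\tDir in priority 2349 ptype main
Src 10.0.1.0/24 dst 10.0.2.0/24
\tDir out priority 2368 ptype main
\tTmpl src 192.0.2.1 dst 198.51.100.1
\t\tProto esp reqid 16385 mode tunnel
"""

REQUIRED_DIRS = {"in", "out", "fwd"}


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts.

    Each dict carries src, dst, dir, priority and a list of templates
    (empty for a passthrough/bypass policy, which is exactly what we
    want to detect). Matching is case-insensitive.
    """
    entries = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:  # a new policy starts with its selector line
            cur = {"src": m.group(1), "dst": m.group(2),
                   "dir": None, "priority": None, "tmpl": []}
            entries.append(cur)
            continue
        if cur is None:
            continue  # stray line before any selector; ignore
        m = re.match(r"dir (\S+) priority (\d+)", line)
        if m:
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2))
            continue
        m = re.match(r"tmpl src (\S+) dst (\S+)", line)
        if m:
            cur["tmpl"].append({"src": m.group(1), "dst": m.group(2),
                                "proto": None, "reqid": None, "mode": None})
            continue
        m = re.match(r"proto (\S+) reqid (\d+) mode (\S+)", line)
        if m and cur["tmpl"]:  # template detail belongs to the last tmpl
            cur["tmpl"][-1].update(proto=m.group(1), reqid=int(m.group(2)),
                                   mode=m.group(3))
    return entries


def passthrough_dirs(entries, src, dst):
    """Directions that have a template-free (bypass) policy for src->dst."""
    return {e["dir"] for e in entries
            if e["src"] == src and e["dst"] == dst
            and not e["tmpl"] and e["dir"]}


def missing_passthrough_dirs(text, src, dst):
    """Return which of in/out/fwd still lack a bypass policy for src->dst."""
    return REQUIRED_DIRS - passthrough_dirs(parse_xfrm_policy(text), src, dst)


if __name__ == "__main__":
    import subprocess
    # On a real host, run against the live policy table (needs CAP_NET_ADMIN
    # to see everything); the subnet below is a placeholder to edit.
    out = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                         text=True, check=True).stdout
    print("missing:", missing_passthrough_dirs(out, "10.0.1.0/24", "10.0.1.0/24"))
```

Run it against the live table and an empty set means all three bypass entries are in place; a result such as `{'out', 'fwd'}` is the symptom described in the thread, where only the inbound bypass was installed.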