[Openswan Users] openswan weird ip routing issue

Michael H. Warfield mhw at WittsEnd.com
Tue Feb 16 14:32:47 EST 2010


On Tue, 2010-02-16 at 11:31 -0700, Randy Wyatt wrote: 
> 
> <snip>
> For your example, you'll need something like this:
> 
> conn local-0
>         authby=never
>         rightsubnet=192.168.1.0/24
>         rightrsasigkey=%none
>         left=192.168.1.1
>         leftsubnet=192.168.1.0/24
>         leftrsasigkey=%none
>         type=passthrough
>         auto=route
> 
> Not sure if all that's necessary but you need a type=passthrough and an
> auto=route for your local subnet.  It's a netkey thing.
> 
> </snip>

> Why would I need to define a rightsubnet for a local bypass?

It looks weird but it's buried in the technical details of how the
security associations are set up with Netkey.  I forget what version
Paul integrated my patch into for this but it was broken for a while.
Recent releases all have it fixed.  That's the only way I've been able
to get it to work.

Crud...  I missed this...  Just went back and checked the list archives
and Paul integrated my patch into 2.6.23.  In your original message I
saw this:

> > > The version of openswan under use is U2.6.22/K2.6.25.07 .

Not good.  I failed to notice the 2.6.22.  My apologies.  You'll also
need to try a more recent version.

> Unfortunately, this doesn't seem to make a difference, The only entry we
> get in the logs are:

You might have to also specify right=192.168.1.1.  Somehow I missed
copying that line in.

> Ipsec__plutonrun: right do something with host case: 0
> 
> I can see the following policies listed with (ip xfrm policy)
> 
> Src 0.0.0.0/0 dst 192.168.1.0/24
> 	Dir in priority 2368
> 	Tmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
> 		Proto esp reqid 16385 mode tunnel
> 
> Src 192.168.1.0/24 dst 192.168.1.0/24
> 	Dir out priority 2344
> 
> Src 192.168.1.0/24 dst 0.0.0.0/0
> 	Dir out priority 2368
> 	Tmpl src 32.XXX.YYY.ZZZ dst 216.188.XXX.YYY
> 		Proto esp reqid 16385 mod tunnel
> 
> Src 192.168.1.0/24 dst 192.168.1.0/24
> 	Dir fwd priority 2368
> 	Tmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
> 		Proto esp reqid 16385 mode tunnel
> 

You should have three entries that look something like this:

src 192.168.1.0/24 dst 192.168.1.0/24 
        dir fwd priority 2349 ptype main 
src 192.168.1.0/24 dst 192.168.1.0/24  
        dir in priority 2349 ptype main 
src 192.168.1.0/24 dst 192.168.1.0/24  
        dir out priority 2504 ptype main 

Those are the key.  You have to have all three, an "in", an "out" and a
"fwd".  With your version of OpenSWAN, you'll probably only see the one
entry (in I think).  You can add them by hand if you want to test it.
That's what I was doing when I was debugging the problem.

> Regards,
> Randy

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
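The check Mike describes above (three template-free "in", "out" and "fwd" policies from the local subnet to itself) is easy to get wrong by eye, because a same-subnet entry that carries a tunnel template looks similar in the listing but will still try to push the traffic into the tunnel. The following is an added example, not code from the thread or from Openswan: a small Python parser for `ip xfrm policy` output that reports which bypass directions are missing for a given subnet. The sample listing is constructed to mirror the one quoted in the thread (peer addresses kept masked as in the post); treating an entry with no `tmpl` line as a bypass is an assumption based on the expected listing in the message, and the priority value passed to the suggested `ip xfrm policy add` commands is left to the caller (in xfrm a lower number wins, which is why the expected bypass entries sit below the tunnel ones).

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the listing quoted in the thread. The
# 192.168.1.0/24 -> 192.168.1.0/24 "out" entry has no template, but the
# "fwd" entry carries a tunnel template, so it is not a bypass, and there
# is no "in" entry at all.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 192.168.1.0/24
\tdir in priority 2368
\ttmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
\t\tproto esp reqid 16385 mode tunnel
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir out priority 2344
src 192.168.1.0/24 dst 0.0.0.0/0
\tdir out priority 2368
\ttmpl src 32.XXX.YYY.ZZZ dst 216.188.XXX.YYY
\t\tproto esp reqid 16385 mode tunnel
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir fwd priority 2368
\ttmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
\t\tproto esp reqid 16385 mode tunnel
"""

# Constructed sample of the three entries the message says you should see.
SAMPLE_XFRM_POLICY_OK = """\
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir fwd priority 2349 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir in priority 2349 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir out priority 2504 ptype main
"""

REQUIRED_DIRS = ("in", "out", "fwd")


def parse_xfrm_policies(text: str) -> List[Dict]:
    """Parse `ip xfrm policy` output into dicts: src, dst, dir, priority, tmpl."""
    policies: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:  # a new policy block starts with its selector
            current = {"src": m.group(1), "dst": m.group(2),
                       "dir": None, "priority": None, "tmpl": []}
            policies.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^dir (\S+)(?: priority (\d+))?", line)
        if m:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2)) if m.group(2) else None
            continue
        if line.startswith("tmpl "):  # a template means "transform", not bypass
            current["tmpl"].append(line)
    return policies


def bypass_dirs(policies: List[Dict], subnet: str) -> Set[str]:
    """Directions that have a template-free subnet->subnet policy (assumed bypass)."""
    return {p["dir"] for p in policies
            if p["src"] == subnet and p["dst"] == subnet and not p["tmpl"]}


def missing_bypass_dirs(text: str, subnet: str) -> List[str]:
    """Return the required directions with no bypass policy, in in/out/fwd order."""
    present = bypass_dirs(parse_xfrm_policies(text), subnet)
    return [d for d in REQUIRED_DIRS if d not in present]


def suggested_add_commands(subnet: str, missing: List[str], priority: int) -> List[str]:
    """Commands to add the missing bypass entries by hand for testing."""
    return [f"ip xfrm policy add src {subnet} dst {subnet} dir {d} priority {priority}"
            for d in missing]


if __name__ == "__main__":
    subnet = "192.168.1.0/24"
    missing = missing_bypass_dirs(SAMPLE_XFRM_POLICY, subnet)
    print("missing bypass directions:", missing)
    for cmd in suggested_add_commands(subnet, missing, 2349):
        print(" ", cmd)
```

Feed it the real listing with `ip xfrm policy | python3 check.py`-style plumbing if you like; for the sample above it reports "in" and "fwd" as missing, which is exactly the situation the thread describes, and the expected three-entry listing reports nothing missing.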