[Openswan Users] R: R: R: Multiple interfaces ipsec/l2tp vpn openswan 2.6.26 [SOLVED]

Federico Viel fviel at bellunum.com
Thu Jul 1 08:55:50 EDT 2010
>Paul Wouters wrote:
>> On Tue, 29 Jun 2010, Federico Viel wrote:
>> 
>>> This is(was) the problem
>> 
>> I'll wait on Tuomo's comments here. He knows this magic best....
>> 
>> Paul
>> 
>>>
>>> On
>>> /usr/lib/ipsec/_updown.netkey
>>> .....
>>> 1    # old: route via pluto_interface
>>> 2    # parms2="$parms2 dev ${PLUTO_INTERFACE%:*} $IPROUTEARGS"
>>> 3
>>> 4    # new: route via proper interface according to routing table
>>> 5    if [ "$1" = "del" ]; then
>> 6       PLUTO_PEER_INTERFACE=`ip -o route get $PLUTO_PEER_CLIENT | sed "s/^.*de$
>>> 7    else
>>> 8       PLUTO_PEER_INTERFACE=`ip -o route get $PLUTO_PEER | sed "s/^.*dev \([^ $
>>> 9    fi
>>> 10   if [ -z "$PLUTO_PEER_INTERFACE" ]; then
>>> 11        PLUTO_PEER_INTERFACE=$PLUTO_INTERFACE
>>> 12    fi
>>> 13    parms2="$parms2 dev ${PLUTO_PEER_INTERFACE%:*} $IPROUTEARGS"
>>> ...
>>>
>>>
>>> Commenting lines 5,6,7,8,9 solved the problem.
>>>
>>>
>>>
>>> Maybe this is an "issue" to fix? (In openswan 2.4.6 the _updown script works
>>> fine.)
>>>
>>> The question now is: Why net2net connections work without this patch?
>>> Thank you.
>>>

>This was a change made to force the route via the correct interface.
>That means your routing configuration is not correct if this doesn't
>work. Routing should always point to the same interface the packet arrived from.
>I use a Shorewall-based multi-ISP setup and this works OK there; Shorewall
>does packet-marking trickery to make sure the route out is via the same interface
>the initial contact came from.
>
>--
Ehmmm... I don't know... but as I stated, on IPsec-only net2net VPNs the
script works fine as well.
Hence why not on an IPsec/L2TP road-warrior VPN? This is the issue!

The only routing difference between the two connection types is that the
right (left) part is specified in a net2net conn, whereas in an L2TP/IPsec
road-warrior conn it is not.
Could this affect the script's correctness?

Thank you
FV
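The interface-selection step being discussed, rewritten as a stand-alone check. This is an added example, not openswan's own _updown.netkey code and not the poster's patch: it reimplements the "take the dev from `ip -o route get`, else fall back to PLUTO_INTERFACE" logic with a plain word scan instead of the script's sed expression, feeds it constructed `ip -o route get` output so it runs offline, and adds the test Tuomo's reply implies for a multi-ISP box: the interface the routing table picks for the peer must be the one the peer's packets actually arrived on. The function names, the sample route lines and the interface names are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from openswan's _updown.netkey): mirrors the
# "route via proper interface according to routing table" step and checks
# the result against the interface the peer reached us on.

# Print the argument following the "dev" keyword in one line of
# `ip -o route get` output. Prints nothing when no "dev" is present
# (for instance when ip printed an error instead of a route).
# Always returns 0 so callers can use it under `set -e`.
route_dev() {
    prev=""
    for word in $1; do
        if [ "$prev" = "dev" ]; then
            printf '%s\n' "$word"
            return 0
        fi
        prev=$word
    done
    return 0
}

# Same fallback as the script: if no interface could be derived from the
# routing table, use PLUTO_INTERFACE; either way strip any ":alias" suffix.
# $1: `ip -o route get` output (may be empty)   $2: PLUTO_INTERFACE
peer_interface() {
    dev=$(route_dev "$1")
    if [ -z "$dev" ]; then
        dev=$2
    fi
    printf '%s\n' "${dev%:*}"
}

# Return 0 when the routing-table choice and the arrival interface agree,
# 1 when they differ. A difference is the multi-uplink case: without policy
# routing or packet marking, the SA's traffic would leave via another ISP
# than the one the peer contacted us on.
# $1: route output   $2: PLUTO_INTERFACE   $3: interface the peer's packets arrive on
check_symmetric() {
    chosen=$(peer_interface "$1" "$2")
    if [ "$chosen" = "$3" ]; then
        echo "ok: $chosen"
        return 0
    fi
    echo "asymmetric: routing table says $chosen, peer reached us on $3"
    return 1
}

# Constructed sample lines (not captured from a real host). The first two
# imitate `ip -o route get <peer>` on a two-uplink machine; the third is an
# error line, which must trigger the PLUTO_INTERFACE fallback.
ROUTE_SAME_ISP='198.51.100.7 via 192.0.2.1 dev eth0 src 192.0.2.10 \    cache '
ROUTE_OTHER_ISP='198.51.100.7 via 203.0.113.1 dev eth1 src 203.0.113.10 \    cache '
ROUTE_ERR='RTNETLINK answers: Network is unreachable'

# Walk through the three cases when run directly.
check_symmetric "$ROUTE_SAME_ISP" "eth0:1" "eth0"
check_symmetric "$ROUTE_OTHER_ISP" "eth0" "eth0" || true
check_symmetric "$ROUTE_ERR" "eth0:1" "eth0"
```

On a real host the `ROUTE_*` strings would be replaced by `$(ip -o route get "$PLUTO_PEER" 2>&1)`, and the arrival interface by whatever the firewall or connection tracking recorded for the peer's first packet; if `check_symmetric` reports "asymmetric" for a road-warrior peer but not for the net2net peers, the difference is in the host's routing tables, not in the script.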