[Openswan Users] openswan weird ip routing issue
Randy Wyatt
rwyatt at nvtl.com
Mon Mar 1 19:24:01 EST 2010
We have upgraded to 2.6.24, but are still faced with the same issue. We
are unable to pass local traffic on the subnet when the
rightsubnet=0.0.0.0/0
Here is the config
#< /etc/ipsec.conf 1
version 2.0
config setup
    nat_traversal=yes
    protostack=netkey
conn local
    authby=never
    type=passthrough
    leftsubnet=192.168.1.0/24
    left=192.168.1.1
    right=192.168.1.1
    rightsubnet=192.168.1.0/24
    auto=route
conn ipsec-auto-psk
    authby=secret
    type=tunnel
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@nvtl.mifi.local
    leftsourceip=192.168.1.1
    right=216.188.XXX.YYY
    rightsubnet=0.0.0.0/0
    rightid=@asa100-nvtl-local
    ike=3des-sha1
    phase2=esp
    phase2alg=3des-sha1;modp1024
    pfs=yes
    rekey=no
    auto=add
And here are the ipsec policies:
# cat policies.txt
src 0.0.0.0/0 dst 192.168.1.0/24
    dir in priority 2368
    tmpl src 216.188.66.59 dst 166.129.247.23
        proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 0.0.0.0/0
    dir out priority 2368
    tmpl src 166.129.247.23 dst 216.188.66.59
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 192.168.1.0/24
    dir fwd priority 2368
    tmpl src 216.188.66.59 dst 166.129.247.23
        proto esp reqid 16389 mode tunnel
All help is appreciated.
Regards,
Randy
------Message-----
From: Michael H. Warfield [mailto:mhw at WittsEnd.com]
Sent: Tuesday, February 16, 2010 11:33 AM
To: Randy Wyatt
Cc: mhw at WittsEnd.com; users at openswan.org
Subject: Re: [Openswan Users] openswan weird ip routing issue
On Tue, 2010-02-16 at 11:31 -0700, Randy Wyatt wrote:
>
> <snip>
> For your example, you'll need something like this:
>
> conn local-0
> authby=never
> rightsubnet=192.168.1.0/24
> rightrsasigkey=%none
> left=192.168.1.1
> leftsubnet=192.168.1.0/24
> leftrsasigkey=%none
> type=passthrough
> auto=route
>
> Not sure if all that's necessary but you need a type=passthrough and an
> auto=route for your local subnet. It's a netkey thing.
>
> </snip>
> Why would I need to define a rightsubnet for a local bypass?
It looks weird but it's buried in the technical details of how the
security associations are set up with Netkey. I forget what version
Paul integrated my patch into for this but it was broken for a while.
Recent releases all have it fixed. That's the only way I've been able
to get it to work.
Crud... I missed this... Just went back and checked the list archives
and Paul integrated my patch into 2.6.23. In your original message I
saw this:
> > > The version of openswan under use is U2.6.22/K2.6.25.07 .
Not good. I failed to notice the 2.6.22. My apologies. You'll also
need to try a more recent version.
> Unfortunately, this doesn't seem to make a difference. The only entry we
> get in the logs are:
You might have to also specify right=192.168.1.1. Somehow I missed
copying that line in.
> Ipsec__plutonrun: right do something with host case: 0
>
> I can see the following policies listed with (ip xfrm policy)
>
> Src 0.0.0.0/0 dst 192.168.1.0/24
> Dir in priority 2368
> Tmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
> Proto esp reqid 16385 mode tunnel
>
> Src 192.168.1.0/24 dst 192.168.1.0/24
> Dir out priority 2344
>
> Src 192.168.1.0/24 dst 0.0.0.0/0
> Dir out priority 2368
> Tmpl src 32.XXX.YYY.ZZZ dst 216.188.XXX.YYY
> Proto esp reqid 16385 mod tunnel
>
> Src 192.168.1.0/24 dst 192.168.1.0/24
> Dir fwd priority 2368
> Tmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
> Proto esp reqid 16385 mode tunnel
>
You should have three entries that look something like this:
src 192.168.1.0/24 dst 192.168.1.0/24
    dir fwd priority 2349 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
    dir in priority 2349 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
    dir out priority 2504 ptype main
Those are the key. You have to have all three, an "in", an "out" and a
"fwd". With your version of OpenSWAN, you'll probably only see the one
entry (in I think). You can add them by hand if you want to test it.
That's what I was doing when I was debugging the problem.
> Regards,
> Randy
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
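Mike's point is that the local bypass only works when all three bypass policies (fwd, in and out, with src and dst both equal to the local subnet and no tmpl) are installed; the dump Randy posted has only the "out" one. The shell snippet below is an added example, not something from this thread or from Openswan: it reads `ip xfrm policy` output on stdin and reports which of the three bypass directions are missing for a given subnet. The two samples are constructed (one modelled on Randy's dump, one on the working listing), and the function names are my own.

```shell
# Constructed sample modelled on the dump in the thread: tunnel policies are
# present, but only the "out" bypass policy for the local subnet exists.
SAMPLE_BROKEN='src 0.0.0.0/0 dst 192.168.1.0/24
    dir in priority 2368
    tmpl src 216.188.XXX.YYY dst 32.XXX.YYY.ZZZ
        proto esp reqid 16385 mode tunnel
src 192.168.1.0/24 dst 192.168.1.0/24
    dir out priority 2344
src 192.168.1.0/24 dst 0.0.0.0/0
    dir out priority 2368
    tmpl src 32.XXX.YYY.ZZZ dst 216.188.XXX.YYY
        proto esp reqid 16385 mode tunnel'

# Constructed sample of a working setup: all three bypass policies present.
SAMPLE_OK='src 192.168.1.0/24 dst 192.168.1.0/24
    dir fwd priority 2349 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
    dir in priority 2349 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
    dir out priority 2504 ptype main'

# Read `ip xfrm policy` output on stdin; print (sorted) the directions that
# carry a bypass policy for SUBNET ($1): src and dst both equal SUBNET and
# the policy has no tmpl line, so matching traffic is not pushed into a tunnel.
passthrough_dirs() {
    awk -v net="$1" '
        function record_block() { if (cur && dir != "" && !tmpl) seen[dir] = 1 }
        $1 == "src"  { record_block(); cur = ($2 == net && $4 == net); dir = ""; tmpl = 0; next }
        $1 == "dir"  { dir = $2; next }
        $1 == "tmpl" { tmpl = 1; next }
        END          { record_block(); for (d in seen) print d }
    ' | sort
}

# Print the bypass directions still missing for SUBNET ($1), one per line;
# prints nothing when fwd, in and out are all in place.
missing_passthrough() {
    have=$(passthrough_dirs "$1")
    for d in fwd in out; do
        printf '%s\n' "$have" | grep -qx "$d" || printf '%s\n' "$d"
    done
}

# On a live host: ip xfrm policy | missing_passthrough 192.168.1.0/24
printf '%s\n' "$SAMPLE_BROKEN" | missing_passthrough 192.168.1.0/24
```

Run against the broken sample it lists fwd and in, which matches the "only the one entry" situation Mike describes for older versions.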