[Openswan Users] What does openswan/netkey by way of a default route?

Whit Blauvelt whit at transpect.com
Wed Mar 10 07:58:55 EST 2010


Paul,

> There are a few reasons why openswan might need to know a default route
> 
> 1) when using left/right=%defaultroute to bind to the proper interface
>    for the IKE daemon
> 2) For KLIPS, where the IPsec stack actually obtains packets via routing,
>    and thus routing matters (it uses two "half routes" to grab all packets)
>    (NETKEY grabs packets differently, and should not be depending on routing)
> 3) I believe some corner cases require NETKEY to know the default gateway
>    and routing too. I believe only when using 0.0.0.0/0 subnets (eg "extruded
>    network"). Perhaps when using left/rightsourceip=. See _updown.netkey
> 
> I *think* a non-specified nexthop setting assumes a left/rightnexthop=%defaultroute,
> which then might again imply needing a default route.

What I need to know is not why Openswan _might_ need to know a default
route, but how to give it what it needs _without_ having a default route in
my system configuration main table. So I need to know:

1. What routing is required for it (by way of non-default routes and rules)

2. What stuff in other places gets set based on default routing assumptions,
   that needs to be set otherwise for a non-default route configuration

From your list I'm not using %defaultroute (1). Years back I had KLIPS (2)
working on a _very_ similarly-configured system, so I believe it does _not_
require a default route (but haven't found how to compile your version for
Ubuntu yet). What I'm needing to comprehend is (3), what to do with netkey.
I've looked at _updown.netkey but haven't made full sense of it.

> >Went over and looked at Strongswan, and that's far, far less documented.
> >Scary. Has the world gone so strongly over to using either appliances or
> >OpenVPN that Linux IPsec is just fading away?
> 
> Nobody pays for documentation. I'd gladly accept donations in the form of money
> or students or time to remedy this. The man pages should be up to date (we do
> spend the time on that) and there is a wealth of information in the users at openswan.org
> mailing list archive - though by now often with dead links too.

Oh, I'm not blaming anyone. Just noting that it takes a critical mass of
people using a package, and writing up their experiences in places the
writeups can be found - formerly magazine articles, now blog articles,
always how-tos, now wikis - places with more organization than mailing
lists, and less terse than man pages. Man pages work great if you already
know the thing and need a reference. Mailing lists are just too hard to
search fruitfully. I've spent hours Googling with the search limited to
lists.openswan.org now. The noise from the unanswered questions obfuscates
the few posts that provide more than a partial answer to anything. And then
the answers found don't match the current iteration of the package. Broader
searches for key combinations like "netkey openswan routing" provide nothing
of interest. So when it doesn't work out of the box, it looks like the odds
aren't good on being able to use it without serious reverse engineering.

Best,
Whit
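Added example, not part of the thread and not openswan code. Paul's points (1) and the last paragraph of his quote come down to one thing: %defaultroute (for left= and, implicitly, leftnexthop=) is resolved by looking up the default route, so a host without one has to supply the same facts explicitly. The script below does that lookup by hand from an `ip route show`-style table: it finds the longest-prefix route to the IKE peer, and reports the source address, interface and gateway that would otherwise have been derived from the default route, then renders an ipsec.conf `conn` stanza with those values filled in instead of %defaultroute. The two routing tables and the peer addresses are constructed for the example, and the choice of writing the peer's own address as leftnexthop= when the peer is directly on-link is an assumption of this example, not something the thread settles.

```python
"""Resolve the interface, source address and next hop for an IKE peer from a
routing table, with or without a default route.

Added example for the routing question above; not openswan's code.  The two
tables and the peer addresses are constructed sample data."""
import ipaddress

# Constructed sample: a table that still has a default route.
TABLE_WITH_DEFAULT = """\
default via 192.0.2.1 dev eth0 src 192.0.2.10
192.0.2.0/24 dev eth0 scope link src 192.0.2.10
10.0.0.0/8 dev eth1 scope link src 10.1.1.1
"""

# Constructed sample: the poster's situation, specific routes only.
TABLE_NO_DEFAULT = """\
192.0.2.0/24 dev eth0 scope link src 192.0.2.10
203.0.113.0/24 via 192.0.2.1 dev eth0 src 192.0.2.10
10.0.0.0/8 dev eth1 scope link src 10.1.1.1
"""


def parse_routes(text):
    """Parse `ip route show` style lines into dicts with net/via/dev/src."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        # The remainder of the line is key/value pairs: via X dev Y src Z ...
        kv = dict(zip(fields[1::2], fields[2::2]))
        routes.append({"net": net, "via": kv.get("via"),
                       "dev": kv.get("dev"), "src": kv.get("src")})
    return routes


def has_default_route(routes):
    return any(r["net"].prefixlen == 0 for r in routes)


def resolve(routes, peer):
    """Longest-prefix match for peer, as the kernel would do it; None if no
    route covers the peer (the case %defaultroute silently papers over)."""
    addr = ipaddress.ip_address(peer)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["net"].prefixlen)


def conn_settings(routes, peer):
    """Return the explicit values that replace %defaultroute for this peer:
    left (our source address), nexthop (gateway, or None when the peer is
    directly on-link) and the interface the IKE daemon would bind to."""
    r = resolve(routes, peer)
    if r is None:
        return None
    return {"left": r["src"], "nexthop": r["via"], "dev": r["dev"]}


def render_conn(name, routes, peer):
    """Render an ipsec.conf conn stanza with no %defaultroute in it.
    Assumption of this example: for an on-link peer, leftnexthop= is set
    to the peer address itself."""
    s = conn_settings(routes, peer)
    if s is None:
        raise ValueError("no route to %s: add a specific route first" % peer)
    nexthop = s["nexthop"] if s["nexthop"] is not None else peer
    return ("conn %s\n"
            "\tleft=%s\n"
            "\tleftnexthop=%s\n"
            "\tright=%s\n"
            "\tauto=add\n") % (name, s["left"], nexthop, peer)


if __name__ == "__main__":
    rts = parse_routes(TABLE_NO_DEFAULT)
    print("default route present:", has_default_route(rts))
    for peer in ("203.0.113.9", "10.2.3.4", "198.51.100.7"):
        print(peer, "->", conn_settings(rts, peer))
    print(render_conn("office", rts, "203.0.113.9"))
```

Running it against the table without a default route shows the two cases that matter here: a peer reached through a gateway gives you `left=` and `leftnexthop=` directly from the `src` and `via` fields of its route, while a peer with no covering route at all resolves to nothing, which is the point at which a %defaultroute-based setup would have quietly fallen back to the default gateway.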

