[Openswan Users] What does openswan/netkey by way of a default route?

Whit Blauvelt whit at transpect.com
Wed Mar 10 08:11:15 EST 2010

On Wed, Mar 10, 2010 at 09:58:46AM +0200, Tuomo Soini wrote:

> openswan-2.6.x doesn't need default route with netkey. But that means
> you can't use %defaultroute anywhere in your config. That's only
> limitation. I have multi-isp setup without default route in main table
> and vpn works well.

Thanks Tuomo. I'm not using %defaultroute.

> On current version (2.6.24) you get clear warning about default route
> not being detected. In case of multiple default routes pluto can't
> really know which one is correct one to use.

I'm using 2.6.24. I got the warning. It's only partially useful though since
it doesn't suggest any solution aside from setting a default route - which
isn't a compatible solution for my config. You suggest I need to help pluto
here somehow. I've looked briefly at pluto, it's quite complex. How should I
instruct it, in a config where there's no default route for it to deduce
things from in the routing table, what route to use? What does it need set,
where, to work? To be clear, I need this to go out on an external IP that is
dedicated to IPsec, on an interface with multiple IPs. Nothing else will be
defaulting to this IP. Other stuff does go out, by various IPs, on this
interface. It's handling the initial negotiation now on it, just not the
subnet routing.

> Whole %defaultroute stuff is for simple setups, especially road warriors
> with dynamic ip.

That's cool. We used it for road warriors with FreeSWAN, before we
discovered that OpenVPN made them all a lot happier. What we need now is a
site-to-site setup from a complex system to a stock Cisco. It's in
site-to-site stuff that IPsec still has unique advantages over SSL VPN
methods. I'm sure that step or steps I need to complete this are simple,
just unknown to me and hard to find documented.

Also the startup of Openswan appears a bit fragile, in terms of going wrong
with configuration directive combinations that ought not break it, and
perhaps timing issues on startup. But that stuff can be worked around. What
I need to know is, when that warning about not finding a default route comes
up, what steps to take to compensate for the situation not being the one
Openswan expects, by default, to find.
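As an added illustration of the point Tuomo makes above (not code from this thread, from Openswan, or from pluto): a small POSIX shell check that looks at an ipsec.conf and the output of `ip route show` and reports whether a config that leans on %defaultroute can be resolved. The sample config snippets and route tables below are constructed, the `check_defaultroute_compat` function name is my own, and the parsing assumes the usual `default via ... dev ...` line format of `ip route show`.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post or of Openswan.
# Verdicts:
#   ok                      - config never uses %defaultroute, or uses it
#                             with exactly one default route present
#   no-default-route        - %defaultroute used, but no default route
#   ambiguous-default-route - %defaultroute used, several default routes
#                             (pluto cannot tell which one is right)

# Count lines of an ipsec.conf (stdin) that rely on %defaultroute.
count_defaultroute_refs() {
    awk '/%defaultroute/ { n++ } END { print n + 0 }'
}

# Count default routes in `ip route show` output (stdin).
count_default_routes() {
    awk '$1 == "default" { n++ } END { print n + 0 }'
}

# $1 = ipsec.conf text, $2 = `ip route show` text. Prints a verdict.
check_defaultroute_compat() {
    refs=$(printf '%s\n' "$1" | count_defaultroute_refs)
    defaults=$(printf '%s\n' "$2" | count_default_routes)
    if [ "$refs" -eq 0 ]; then
        echo ok                          # explicit left=/right=, nothing to resolve
    elif [ "$defaults" -eq 0 ]; then
        echo no-default-route
    elif [ "$defaults" -gt 1 ]; then
        echo ambiguous-default-route
    else
        echo ok
    fi
    return 0
}

# --- constructed sample inputs (RFC 5737 documentation addresses) ---
CONF_DEFAULTROUTE='conn site
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    right=198.51.100.7
    rightsubnet=10.2.0.0/16'

# Same tunnel with the dedicated external IP named explicitly, which is
# the shape that does not depend on the main routing table at all.
CONF_EXPLICIT='conn site
    left=203.0.113.10
    leftsubnet=10.1.0.0/16
    right=198.51.100.7
    rightsubnet=10.2.0.0/16'

ROUTES_NONE='203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.1'

ROUTES_ONE="default via 203.0.113.1 dev eth0
$ROUTES_NONE"

ROUTES_TWO="default via 203.0.113.1 dev eth0
default via 192.0.2.1 dev eth2
$ROUTES_NONE"

# Stand-alone demonstration when run directly.
if [ "${0##*/}" != "sh" ] && [ -z "$SOURCED_FOR_TEST" ]; then
    echo "defaultroute / no default:   $(check_defaultroute_compat "$CONF_DEFAULTROUTE" "$ROUTES_NONE")"
    echo "defaultroute / one default:  $(check_defaultroute_compat "$CONF_DEFAULTROUTE" "$ROUTES_ONE")"
    echo "defaultroute / two defaults: $(check_defaultroute_compat "$CONF_DEFAULTROUTE" "$ROUTES_TWO")"
    echo "explicit IP / no default:    $(check_defaultroute_compat "$CONF_EXPLICIT" "$ROUTES_NONE")"
fi
```

The last case is the one that matches the multi-ISP, no-default-route setup described in the thread: with `left=` pinned to the address dedicated to IPsec, the check passes regardless of what the main routing table holds, whereas any %defaultroute reference needs exactly one default route to be resolvable.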
