[Openswan Users] What does openswan/netkey by way of a default route?

Whit Blauvelt whit at transpect.com
Wed Mar 10 16:08:20 EST 2010

On Wed, Mar 10, 2010 at 08:35:32PM +0200, Tuomo Soini wrote:

> > There is no use of "%defaultroute" in my ipsec.conf. There has not been. Yet
> > pluto is not just working. I want to find the way to fix it that depends
> > neither on %defaultroute nor on having a default route in my main routing
> > table.
> I don't say it's simple to get ipsec working with multiple default
> routes. First of all, you must make sure that correct routing table with
> only one default route is used when source ip is one used by openswan.

The problem doesn't look to me to be at the level of which routing table is
used. I've got a well-proven, if complex, implementation there between the
rules and the routes. The real question may be one of understanding just
which routing rule needs to be created specifically for the tunnel - if one
does at all, considering this is netkey and it's using the somewhat
mysterious and almost totally undocumented xfrm feature of iproute2. By some
accounts stuff handled by xfrm may not need routes set too, since it has
similar functionality. But I can't find a full definition of their overlap
and interaction.

So that's what I need to find or create a good map of: Given the public IPs
and private subnets involved, what's the required end result in terms of
xfrms, rules, routes and iptables tricks to get packets using the tunnel? I
understand that this works automatically, for a simple system, with a single
IP on a single public interface, with the default route as defined in the
routing table. But for a complex system, with multiple IPs per interface,
more than two interfaces, and no default route assigned whatsoever in the
main routing table, whatever automated tricks Openswan and company use are
failing to put everything in place.

If I had a good definition of what all needs to be put in place, I could
code up a script to fix it. Since this is site-to-site, not road warrior,
and just needs to be a static setup (well, except for failover to the second
public line when needed), it doesn't need all the automated magic. I've no
problem with hard coding it, if the result is once that's done it just


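A simplified model of the lookup order that decides whether a packet ends up in the tunnel, added here as an illustration and not part of this list post or of Openswan's own code; every table, rule, address, subnet and policy in it is constructed. It mirrors the netkey sequence in which the cleartext packet gets an ordinary route lookup first, then the xfrm policy match, and only then a second route lookup for the ESP packet from the outer source address, which is why a host with no default route in main needs some route for the remote subnet even though xfrm overrides the next hop.

```python
import ipaddress

# Constructed model: two public IPs, policy routing per source address,
# no default route in "main". Tables, addresses and subnets are invented.
RULES = [("198.51.100.10/32", "isp1"), ("203.0.113.10/32", "isp2")]  # ip rule from X table T
TABLES = {
    "main": {"10.1.0.0/24": "dev eth1", "198.51.100.0/24": "dev eth0", "203.0.113.0/24": "dev eth2"},
    "isp1": {"0.0.0.0/0": "via 198.51.100.1"},
    "isp2": {"0.0.0.0/0": "via 203.0.113.1"},
}
# Modelled after `ip xfrm policy`: selector src/dst, direction, template outer src/dst.
POLICIES = [("10.1.0.0/24", "10.2.0.0/24", "out", "198.51.100.10", "192.0.2.20")]

def lookup_route(dst, src, tables=TABLES, rules=RULES):
    """Pick the table via the first 'from' rule matching src, then longest-prefix match."""
    table = next((t for pfx, t in rules if ipaddress.ip_address(src) in ipaddress.ip_network(pfx)), "main")
    matches = [(ipaddress.ip_network(p), nh) for p, nh in tables[table].items()
               if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return f"table {table}: {net} {nh}"

def outbound_path(src, dst, tables=TABLES, rules=RULES, policies=POLICIES):
    """Return (verdict, detail) for a packet src->dst in the order netkey applies the lookups."""
    # 1. The inner (cleartext) packet gets an ordinary route lookup first; if that fails the
    #    packet is dropped as unreachable before any xfrm policy is consulted.
    inner = lookup_route(dst, src, tables, rules)
    if inner is None:
        return ("unreachable", "no route for inner destination; xfrm never consulted")
    # 2. The xfrm policy lookup on the selector (src/dst subnets) decides on encapsulation.
    for psrc, pdst, direction, osrc, odst in policies:
        if (direction == "out" and ipaddress.ip_address(src) in ipaddress.ip_network(psrc)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(pdst)):
            break
    else:
        return ("plain", inner)
    # 3. The ESP packet is routed again from the outer source IP, so the 'from' rule for
    #    that public IP selects the table that must carry a route to the peer gateway.
    outer = lookup_route(odst, osrc, tables, rules)
    if outer is None:
        return ("esp_unroutable", f"policy matched but no route from {osrc} to {odst}")
    return ("esp", outer)

def with_remote_subnet_route(tables=TABLES):
    """Copy of the tables with the remote subnet routed out of the public interface: the next
    hop is irrelevant because the xfrm policy replaces it, but the inner lookup must succeed."""
    fixed = {t: dict(r) for t, r in tables.items()}
    fixed["main"]["10.2.0.0/24"] = "dev eth0"
    return fixed
```

Swapping in a second policy whose template source is 203.0.113.10 shows the ESP packet being carried by table isp2 instead, which is the failover case the post mentions.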