[Openswan Users] netkey communication issue with local subnet

David Price davidp at bhi.com
Wed May 26 18:43:40 EDT 2010


> On Mon, 24 May 2010, David Price wrote:
>> if this is normal or not. But, as soon as the VPN connection is
>> established I lose the ability for the router (10.200.3.254) and its
>> local internal network (10.200.3.*) to communicate (in either
>> direction).
>>	[...]
>
>You should add:
>
>conn VPNConn-passthrough
>         left=%defaultroute
>         right=0.0.0.0
>         leftsubnet=10.200.3.0/24
>         rightsubnet=10.200.3.0/24
>         authby=never
>         type=passthrough
>         auto=route
>
>See also: /etc/ipsec.d/examples/hub-spoke.conf
>
>Paul

Thank you for pointing me in the right direction.

I took a look at the hub-spoke.conf file. It answered several questions.
I also took a look at http://www.openswan.org/docs/local/README.Kernel26
and tried several different variations for the passthrough config.
However, I couldn't put together a passthrough config that would
actually work for me.

When searching around on this issue it looks like the xfrm stuff is key.
When using verbatim what you provided above the generated relevant xfrm
policy looks like:
...
src 10.200.3.0/24 dst 10.200.3.0/24
        dir in priority 2344
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 10.200.3.0/24 dst 10.200.3.0/24
        dir out priority 2344
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
...

After experimenting for a bit I came up with the following which removes
the openswan-generated passthrough xfrm rules and puts them back in. It
does effectively get traffic moving!

ip xfrm policy del src 10.200.3.0/24 dst 10.200.3.254/24 dir out
ip xfrm policy add src 10.200.3.0/24 dst 10.200.3.254/24 dir out
ip xfrm policy del src 10.200.3.0/24 dst 10.200.3.254/24 dir in
ip xfrm policy add src 10.200.3.0/24 dst 10.200.3.254/24 dir in

The resulting xfrm policy then looks like:
src 10.200.3.0/24 dst 10.200.3.0/24
        dir in priority 0
src 10.200.3.0/24 dst 10.200.3.0/24
        dir out priority 0
...

I'd prefer not to resort to using xfrm commands directly. Anything else
I can try?

Thanks
-Dave
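An added diagnostic, not code from this thread or from Openswan: it parses `ip xfrm policy` output and reports policies covering the local subnet that still carry an ESP template (matching packets are then expected to go through IPsec instead of passing in the clear). The two samples are constructed to reproduce the policy shapes quoted above, before and after the manual del/add.

```python
"""Flag local-subnet xfrm policies that are not true passthroughs.
Added example; the samples are constructed from the shapes quoted in the thread."""
import ipaddress
import re

# Constructed sample: what the passthrough conn generated (ESP template present)
SAMPLE_BEFORE = """\
src 10.200.3.0/24 dst 10.200.3.0/24
        dir in priority 2344
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 10.200.3.0/24 dst 10.200.3.0/24
        dir out priority 2344
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
"""

# Constructed sample: the working policies after the manual del/add (no template)
SAMPLE_AFTER = """\
src 10.200.3.0/24 dst 10.200.3.0/24
        dir in priority 0
src 10.200.3.0/24 dst 10.200.3.0/24
        dir out priority 0
"""


def parse_policies(text):
    """Return one dict per policy: src, dst, dir, priority and a list of (proto, mode) templates."""
    policies = []
    for line in text.splitlines():
        if line.startswith("src "):  # unindented line opens a new policy
            m = re.match(r"src (\S+) dst (\S+)", line)
            policies.append({"src": m.group(1), "dst": m.group(2), "tmpls": []})
            continue
        if not policies:
            continue
        cur = policies[-1]
        m = re.search(r"dir (\w+) priority (\d+)", line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        m = re.search(r"proto (\w+) reqid \d+ mode (\w+)", line)
        if m:  # template line: the policy demands an SA, so it is not a passthrough
            cur["tmpls"].append((m.group(1), m.group(2)))
    return policies


def non_passthrough(policies, subnet):
    """Policies whose src and dst both fall inside `subnet` but still require a template."""
    net = ipaddress.ip_network(subnet)
    return [p for p in policies
            if ipaddress.ip_network(p["src"]).subnet_of(net)
            and ipaddress.ip_network(p["dst"]).subnet_of(net) and p["tmpls"]]
```

Run it against live output with `ip xfrm policy | python3 -c 'import sys; ...'` or paste the output into a sample string; an empty result for the local subnet means the passthrough policies carry no template.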
