[Openswan Users] Route-based VPN

Paul Wouters paul at xelerance.com
Mon Oct 25 18:58:15 EDT 2010

On Mon, 25 Oct 2010, Vincent Bernat wrote:

>>> I would like to use routes like this:
>>> ip route add net1 dev ipsec0
>>> ip route add net2 dev ipsec0
>>> ip route add net3 dev ipsec1
>>> ip route add net4 dev ipsec1
>> I don't understand why. For klips it does not matter via which interface it got
>> the packet, and it does not record/keep that information around for
>> anything.
> For both VPNs, the rightsubnet is set to (essentially because
> this is the only subnet that the remote ISG will accept in this mode).
> This means that for one packet, I have two possible VPNs to use for
> encryption. I would like to select the correct VPN using routes. If the
> packet is routed to ipsec0, then I would like to use the first VPN; if
> it is routed to ipsec1, then I would like to use the second VPN.
> If KLIPS ignores the incoming interface, I suppose it is not possible
> to work like this.

Yeah, that cannot work. If you want to do something like that, look at the
MAST stack (klipsng) and SArefs. Then, you can send traffic for an overlapping
IP using iptables MARKing of the SAref. Per default, it would MARK based on
the received packet's tunnel SA, and via iptables keep track of the answers
to send back over the right SA. For initiating packets, you will need to set
the MARK somehow. This can be done in C, e.g.:

    #include <string.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    /* IP_IPSEC_REFINFO is defined by the KLIPS/MAST headers, not by glibc */

    struct msghdr msgh;
    struct cmsghdr *cmsg;
    unsigned char ctrl[CMSG_SPACE(sizeof(unsigned int))];  /* room for one cmsg */
    unsigned int saref = 1234;  /* some SAref */
    ssize_t rc;

    memset(&msgh, 0, sizeof msgh);
    /* msg_name / msg_iov are filled in as for any other sendmsg() call */
    msgh.msg_control    = ctrl;
    msgh.msg_controllen = sizeof ctrl;

    cmsg = CMSG_FIRSTHDR(&msgh);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type  = IP_IPSEC_REFINFO;
    cmsg->cmsg_len   = CMSG_LEN(sizeof(unsigned int));
    *((unsigned int *)CMSG_DATA(cmsg)) = saref;

    rc = sendmsg(sock, &msgh, 0);  /* sock: the already open socket fd */

Or using a PRELOAD hack.

See further:
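As an added example (not from the mail above or from the Openswan tree), the same IPPROTO_IP control message built by a helper, plus the matching walk over a control buffer that checks cmsg_len before reading the SAref back out. The cmsg type is passed as a parameter because IP_IPSEC_REFINFO is defined by the KLIPS/MAST headers and its numeric value is not given here; the 30 used in the self-check is a placeholder, not the real constant.

```c
/* Added example: SAref as IPPROTO_IP ancillary data. cmsg_type is a
 * parameter because IP_IPSEC_REFINFO's value comes from the KLIPS headers. */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Control buffer size for one unsigned int SAref payload. */
#define SAREF_CTRL_LEN CMSG_SPACE(sizeof(unsigned int))

/* Point msgh at ctrl (>= SAREF_CTRL_LEN bytes, must outlive sendmsg()) and
 * fill in a single IPPROTO_IP/cmsg_type message carrying saref. */
void attach_saref(struct msghdr *msgh, void *ctrl, int cmsg_type, unsigned int saref)
{
    struct cmsghdr *cmsg;
    memset(ctrl, 0, SAREF_CTRL_LEN);
    msgh->msg_control = ctrl;
    msgh->msg_controllen = SAREF_CTRL_LEN;
    cmsg = CMSG_FIRSTHDR(msgh);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type = cmsg_type;
    cmsg->cmsg_len = CMSG_LEN(sizeof(unsigned int));
    memcpy(CMSG_DATA(cmsg), &saref, sizeof saref);
}

/* Walk msgh's control messages; on an IPPROTO_IP/cmsg_type entry of the
 * expected length store the SAref and return 1, else return 0. */
int extract_saref(struct msghdr *msgh, int cmsg_type, unsigned int *saref)
{
    struct cmsghdr *cmsg;
    for (cmsg = CMSG_FIRSTHDR(msgh); cmsg != NULL; cmsg = CMSG_NXTHDR(msgh, cmsg)) {
        if (cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == cmsg_type &&
            cmsg->cmsg_len == CMSG_LEN(sizeof(unsigned int))) {
            memcpy(saref, CMSG_DATA(cmsg), sizeof *saref);  /* length verified above */
            return 1;
        }
    }
    return 0;
}

/* Constructed self-check: build with send_type, parse with expect_type.
 * Returns the recovered SAref, or 0 if no matching message was found. */
unsigned int saref_roundtrip(int send_type, int expect_type, unsigned int saref)
{
    union { unsigned char buf[SAREF_CTRL_LEN]; struct cmsghdr align; } ctrl;
    struct msghdr msgh;
    unsigned int out = 0;
    memset(&msgh, 0, sizeof msgh);
    attach_saref(&msgh, ctrl.buf, send_type, saref);
    return extract_saref(&msgh, expect_type, &out) ? out : 0;
}
```

In real use attach_saref() is called on the msghdr you then hand to sendmsg(), with the real IP_IPSEC_REFINFO from the KLIPS headers as cmsg_type.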


