[Openswan Users] IP XFRM/Netkey/Stale Routes/%pass
Rick Olson
rick at yun.io
Sat Sep 11 10:40:19 EDT 2010
Hello,
I run an openswan VPN server setup as a standard roadwarrior connection,
using netkey. I have issues with the XFRM policies generated from
pluto, which I've had to resort to managing "manually" in the _scariest_
possible way via the _updown.netkey shell script.
There is actually a core bug here, which I am not awesome enough to
figure out a solution for, in spite of my best efforts.
The most relevant mail-posting I've found is initiated from Bob Miller,
at http://readlist.com/lists/openswan.org/users/2/10805.html
with a response from Tuomo Soini at:
http://readlist.com/lists/openswan.org/users/2/10815.html
The first lead-on to this issue happened with the following in ipsec
auto --status output ending in:
000 xx.xx.xx.xx/32:0 -0-> yy.yy.yy.yy/32:0 => %pass 0 no routed
template covers this pair
This was caused by OSX clients connecting and creating a ip xfrm policy
that was what I consider a "blanket" policy, breaking the entire state
of ipsec until the policy was explicitly deleted (manually) or until
ipsec was restarted (causing that policy to be deleted implicitly). [it
was 'bleve' in IRC that pointed out the %pass bug problem to me]
So I dug into openswan source code, and I dug, and I found
programs/pluto/kernel_netlink.c which is what appears to be
creating/managing the XFRM policies, and I hacked the code; but I did
not prevail. But evidently, I'm in completely the wrong place anyway,
so maybe it's better I was not successful.
So like I said at the beginning of the email, I'm managing xfrm policies
in the _scariest_ possible way via the _updown.netkey script via the
following abomination in "doroute()" (recently removed in commit
f982116e3048661b1cfc1c9837e6c3481b2dcc5d, but regardless my problem
remains even in current HEAD):
doroute() {
if [ "$1" = "del" -o "$1" = "replace" ]; then
#OSX FIX
ip xfrm policy show | egrep '^src(.*)dst(.*)proto udp $' | xargs
ip xfrm policy delete dir out
# Guess OSX FIX wasn't that great, Windows too now
if [ "$1" = "del" ]; then
ip xfrm policy show | grep "${PLUTO_PEER}" | xargs ip
xfrm policy delete dir out
fi
fi
[............]
}
While I currently have this creepy hack in place, I'm wondering how I
should go about filing a proper bug report for this issue, or if someone
who knows more about this problem might be able to file one in the
correct space.
Cheers,
Rick
(yun on IRC, I pop in every once in a while :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20100911/55dedf39/attachment.bin
More information about the Users
mailing list