[Openswan Users] How to apply the policy on a interface?

Paul Wouters paul at xelerance.com
Wed Aug 31 16:06:25 EDT 2011

On Wed, 31 Aug 2011, Diego Woitasen wrote:

> Hi,
> I have an IPSEC setup between two Linux gateways. It's working fine
> except for one thing. I have the subnet in one side and
> on the other side (the headquarters, with several subnets).
> Because I have leftsubnet= and rightsubnet= on
> one of the sides, the SPD has the following entries:
> src dst
>   .....
> src dst
>   .....
> src dst
>   .....
> If I ping from a host in the subnet to the gateway, I
> get no reply. That's clear for me because the policy says that
> security is required for anything that match
> <-> To prove this, I get the ping working
> with these lines:
> ip xfrm policy add dir in src dst action allow
> ip xfrm policy add dir out src dst action allow
> Now, my question is... is it possible to configure Openswan in a way
> that the policy created after the SAs uses the interface as selector?

The netkey needs passthrough routes, as it does not do a match on longest prefix.

From /etc/ipsec.d/examples/hub-spoke.conf:

Your subnet conn will be something like:

conn office1-headoffice

With NETKEY, since it enforces ipsec policy before routing, your ipsec
gateway on will now send packets for over the VPN!
In other words, you lose all connectivity with the LAN.

The work around is to add:

conn netkey-exclude
