[Openswan Users] How to apply the policy on a interface?

Paul Wouters paul at xelerance.com
Wed Aug 31 16:06:25 EDT 2011


On Wed, 31 Aug 2011, Diego Woitasen wrote:

> 
> Hi,
> I have an IPSEC setup between two Linux gateways. It's working fine
> except for one thing. I have the subnet 10.12.160.0/24 in one side and
> 10.0.0.0/8 on the other side (the headquarters, with several subnets).
> Because I have leftsubnet=10.12.160.0/24 and rightsubnet=10.0.0.0/8 in
> one of the sides the SPD has the following entries:
>
> src 10.12.160.0/24 dst 10.0.0.0/8
>   .....
> src 10.0.0.0/8 dst 10.12.160.0/24
>   .....
> src 10.0.0.0/8 dst 10.12.160.0/24
>   .....
>
> If I ping from a host in the subnet 10.12.160.0/24 to the gateway, I
> get no reply. That's clear for me because the policy says that
> security is required for anything that matches
> 10.0.0.0/8<->10.12.126.0/24. To prove this, I get the ping working
> with these lines:
>
> ip xfrm policy add dir in src 10.12.160.0/24 dst 10.12.160.0/24 action allow
> ip xfrm policy add dir out src 10.12.160.0/24 dst 10.12.160.0/24 action allow
>
> Now, my question is... is it possible to configure Openswan in a way
> that the policy created after the SAs uses the interface as selector?

The netkey needs passthrough routes, as it does not do a match on longest prefix.

From /etc/ipsec.d/examples/hub-spoke.conf:

Your subnet conn will be something like:

conn office1-headoffice
        left=someip
        leftsubnet=10.0.1.0/24
        right=someip
        rightsubnet=10.0.0.0/8
        [...]

With NETKEY, since it enforces ipsec policy before routing, your ipsec
gateway on 10.0.1.1 will now send packets for 10.0.1.2 over the VPN!
In other words, you lose all connectivity with the LAN.

The workaround is to add:

conn netkey-exclude
        left=10.0.1.1
        leftsubnet=10.0.1.0/24
        right=0.0.0.0
        rightsubnet=10.0.1.0/24
        authby=never
        type=passthrough
        auto=route

Paul
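Added illustration (not Openswan's or Paul's code): a small Python model of the xfrm SPD lookup Paul describes, showing why the 10.0.0.0/8 policy swallows LAN-to-gateway traffic until a passthrough entry with a better (lower) priority exists. The priority numbers and the 10.12.160.5 / 10.0.5.9 hosts are constructed for the model.

```python
import ipaddress

# Constructed model of the NETKEY (xfrm) SPD lookup, not Openswan code:
# policies are walked by priority (lower value wins) and the first selector
# match is used; there is no longest-prefix preference. Priorities are made up.

def add_policy(spd, direction, src, dst, action, priority):
    spd.append({"dir": direction, "src": ipaddress.ip_network(src),
                "dst": ipaddress.ip_network(dst),
                "action": action, "priority": priority})

def lookup(spd, direction, src, dst):
    """Action of the first matching policy, or 'allow' when none matches
    (the packet then follows plain routing)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in sorted(spd, key=lambda p: p["priority"]):
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p["action"]
    return "allow"

def office_spd():
    """The three entries from the thread for leftsubnet=10.12.160.0/24,
    rightsubnet=10.0.0.0/8 (assumed priority 2000 for all of them)."""
    spd = []
    add_policy(spd, "out", "10.12.160.0/24", "10.0.0.0/8", "ipsec", 2000)
    add_policy(spd, "in", "10.0.0.0/8", "10.12.160.0/24", "ipsec", 2000)
    add_policy(spd, "fwd", "10.0.0.0/8", "10.12.160.0/24", "ipsec", 2000)
    return spd

def add_passthrough(spd, subnet, priority):
    """What type=passthrough (or 'ip xfrm policy add ... action allow')
    contributes: subnet<->subnet allowed in every direction."""
    for direction in ("in", "out", "fwd"):
        add_policy(spd, direction, subnet, subnet, "allow", priority)

def ping_gateway_action(spd):
    """Echo request from LAN host 10.12.160.5 to gateway 10.12.160.1 ('in')."""
    return lookup(spd, "in", "10.12.160.5", "10.12.160.1")

def ping_hq_action(spd):
    """LAN host reaching a headquarters host leaves the gateway via 'out'."""
    return lookup(spd, "out", "10.12.160.5", "10.0.5.9")

if __name__ == "__main__":
    spd = office_spd()
    print("to gateway, no passthrough  :", ping_gateway_action(spd))  # ipsec
    add_passthrough(spd, "10.12.160.0/24", priority=1000)
    print("to gateway, with passthrough:", ping_gateway_action(spd))  # allow
    print("to headquarters             :", ping_hq_action(spd))       # ipsec
```

A passthrough inserted with a worse priority than the IPsec policy changes nothing, which is the "no longest prefix match" behaviour in one line.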