[Openswan Users] Eroute after rekeying

Paul Wouters paul at xelerance.com
Thu Feb 17 16:50:01 EST 2011


On Thu, 17 Feb 2011, Andrew Nowrot wrote:

> conn tunnel1
>    leftsubnet=0.0.0.0/0
>    rightsubnet=0.0.0.0/0

> conn tunnel2
>    leftsubnet=0.0.0.0/0
>    rightsubnet=0.0.0.0/0

> But after renegotiation (rekeying each hour) the routes added by me
> are still pointing to old tunnels in this case tun0x1001.
>
> Is there a way to fix this? Or maybe I did something wrong?

I think you are trying "policy based VPN", but on "real" IPsec implementations
there is no such thing.

With the above configuration, openswan does not know where "0.0.0.0/0" resides,
as you configured it to be at 3 different locations. A network can really only
live at one location, unless you use SAref with KLIPS, where you can have
overlapip=yes and sareftrack=yes with the conn when using protostack=mast, upon
which openswan will mark packets with an SAref number to distinguish these
tunnels.

However, whether this marking will properly work for you with this config, I
don't know. Normally this is just to distinguish the rightsubnets that are
overlapping, but you also overlap with leftsubnet. Now for incoming packets,
this is easy as they will get the mark (and so will their RELATED packets).
But if you want to initiate from your end, and you send a packet to 1.2.3.4,
then openswan will have no idea which of the two locations you want. You can
only accomplish that part by explicitly setting the SAref. You might want
to have a look in contrib/ for the netcat with SAref support and the ldso
saref wrapper.

What really should happen, is that you should not have these monstrosities
of tunnels. Because even if all of this works, you will have a nightmare
with firewall rules to prevent any of those sites to pretend to be you or
each other.

Paul
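As an added example (not part of the thread above, and not Openswan's own
documentation), here is what a minimal ipsec.conf using the options Paul names
(protostack=mast, overlapip=yes, sareftrack=yes) would look like for two
tunnels whose selectors both cover 0.0.0.0/0. The peer addresses, identities
and the use of a pre-shared secret are constructed placeholders; only the
option names come from the reply.

```ini
# Added example config, not from the original thread or from Openswan.
# Peer addresses (RFC 5737 documentation ranges) and identities are
# constructed for illustration.

config setup
    # SAref tracking needs the KLIPS "mast" stack; the netkey/XFRM stack
    # has no way to tell two SAs with identical selectors apart.
    protostack=mast

conn tunnel1
    left=%defaultroute
    leftid=@gw.example.net
    leftsubnet=0.0.0.0/0
    right=192.0.2.10            # constructed: first remote gateway
    rightid=@siteA.example.net
    rightsubnet=0.0.0.0/0
    overlapip=yes               # permit a selector that overlaps tunnel2
    sareftrack=yes              # tag packets with this SA's SAref number
    authby=secret
    auto=add

conn tunnel2
    left=%defaultroute
    leftid=@gw.example.net
    leftsubnet=0.0.0.0/0
    right=198.51.100.20         # constructed: second remote gateway
    rightid=@siteB.example.net
    rightsubnet=0.0.0.0/0
    overlapip=yes               # permit a selector that overlaps tunnel1
    sareftrack=yes
    authby=secret
    auto=add
```

With both conns marked this way, replies to traffic that arrived through one
tunnel carry that tunnel's SAref and go back the same way. It does not resolve
the outbound case Paul describes: a connection initiated locally to an address
covered by both selectors still has to have its SAref set explicitly (for
example with the SAref-aware netcat or the ldso wrapper in contrib/), and the
firewall rules that keep each peer from spoofing the other, or you, still have
to be written by hand.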

