[Openswan Users] Eroute after rekeying

Andrew Nowrot andrew.nowrot at gmail.com
Fri Feb 18 15:06:10 EST 2011


On 17 February 2011 22:50, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 17 Feb 2011, Andrew Nowrot wrote:
>
>> conn tunnel1
>>   leftsubnet=0.0.0.0/0
>>   rightsubnet=0.0.0.0/0
>
>> conn tunnel2
>>   leftsubnet=0.0.0.0/0
>>   rightsubnet=0.0.0.0/0
>
>> But after renegotiation (rekeying each hour) the routes added by me
>> are still pointing to old tunnels in this case tun0x1001.
>>
>> Is there a way to fix this? Or maybe I did something wrong?
>
> I think you are trying "policy based VPN", but on "real" IPsec
> implementations there is no such thing.
>
> With the above configuration, openswan does not know where "0.0.0.0/0"
> resides, as you configured it to be at 3 different locations. A network can
> really only live at one location, unless you use SAref with KLIPS, where you
> can have overlapip=yes and sareftrack=yes with the conn when using
> protostack=mast, upon which openswan will mark packets with an SAref number
> to distinguish these tunnels.
>
> However, whether this marking will properly work for you with this config, I
> don't know. Normally this is just to distinguish the rightsubnet's that are
> overlapping, but you also overlap with leftsubnet. Now for incoming packets,
> this is easy as they will get the mark (and so will their RELATED packets).
> But if you want to initiate from your end, and you send a packet to 1.2.3.4,
> then openswan will have no idea which of the two locations you want. You can
> only accomplish that part by explicitly setting the SAref. You might want
> to have a look in contrib/ for the netcat with SAref support and the ldso
> saref wrapper.
>
> What really should happen, is that you should not have these monstrosities
> of tunnels. Because even if all of this works, you will have a nightmare
> with firewall rules to prevent any of those sites to pretend to be you or
> each other.
>
> Paul
>
Hi

Thanks for your answer.

I added protostack=mast and sareftrack=yes and it caused openswan to
hang. It did not respond to any command (I had to kill -9 it
eventually). So maybe saref does not work with either leftsubnet or
rightsubnet as 0.0.0.0/0.

Best regards
Andrew
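The overlap problem Paul describes, as an added Python example that is not part of the thread or of Openswan: it parses the conn sections of a constructed ipsec.conf and flags every pair of conns whose leftsubnet or rightsubnet overlaps unless protostack=mast is set and both conns carry overlapip=yes and sareftrack=yes. The sample config and the helper names are constructed for this example.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment (not from the thread): the two 0.0.0.0/0 conns
# from the post plus one ordinary site-to-site conn.
SAMPLE_CONF = """\
config setup
  protostack=netkey
conn tunnel1
  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0
conn tunnel2
  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0
conn office
  leftsubnet=10.1.0.0/16
  rightsubnet=10.2.0.0/16
"""

def parse_sections(text):
    """Map section name -> {key: value} for 'config setup' and each 'conn'."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"(?:conn|config)\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            current[k.strip()] = v.strip()
    return sections

def saref_marked(sections, name):
    """SAref marking needs protostack=mast plus overlapip=yes and sareftrack=yes."""
    conn = sections[name]
    return (sections.get("setup", {}).get("protostack") == "mast"
            and conn.get("overlapip") == "yes" and conn.get("sareftrack") == "yes")

def audit(text):
    """Flag conn pairs whose subnets overlap on a side without SAref marking."""
    sections = parse_sections(text)
    conns = [n for n in sections if n != "setup"]
    findings = []
    for side in ("leftsubnet", "rightsubnet"):
        nets = [(n, ipaddress.ip_network(sections[n][side], strict=False))
                for n in conns if side in sections[n]]
        for i, (a, na) in enumerate(nets):
            for b, nb in nets[i + 1:]:
                if na.overlaps(nb) and not (saref_marked(sections, a)
                                            and saref_marked(sections, b)):
                    findings.append(f"{side} overlap: {a} vs {b}")
    return findings
```

Because 0.0.0.0/0 overlaps every other network, the ordinary office conn is flagged against both full tunnels as well, which is the "network at 3 different locations" situation Paul points out.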