[Openswan Users] Public subnet extrusion

Niccolò Belli darkbasic at linuxsystems.it
Fri Feb 24 12:11:36 EST 2012


On 24/02/2012 16:52, Paul Wouters wrote:
 > That is partially because the NETKEY IPsec stack is being retarded. For
 > netkey, tunneling 0.0.0.0/0 means tunnel everything, including LAN
 > traffic and the remote vpn IP. You might need to make a passthrough
 > route to avoid that, though that's difficult on roadwarriors as it
 > changes all the time.
 >
 > Your best bet is to leave the tunnel without sourceip= settings and then
 > using "ip route" and "ip rule" tricks to "prefer" the new IP as the
 > default for some traffic (eg port 80)
 >
 > An easier solution is probably to just use L2TP/IPsec, where the remote
 > gives you the 5.5.5.100 IP and the pppd deals with the routing and
 > traffic preferences for you.
 >
 > Paul

Hi,
I really don't understand how the hell it works. If I don't use 
"leftsourceip", it doesn't tunnel anything despite rightsubnet=0.0.0.0/0!
Also, without NAT it works (nearly) flawlessly! Here is the working 
configuration without NAT:


Server A:
eth0 5.5.5.1/24 (network 5.5.5.0/24) (PUBLIC)
eth1 172.16.1.1/16 (network 172.16.0.0/16) (PRIVATE)
eth2 6.6.6.1/32 (PUBLIC)
conn server1-server2
         authby=rsasig
         left=5.5.5.1
         leftsubnet=0.0.0.0/0
         leftrsasigkey=
         right=5.5.5.2
         rightsubnet=172.16.0.0/24
         rightid=@server2
         rightrsasigkey=
         type=tunnel
         auto=add

Server B:
eth0 5.5.5.2/24 (network 5.5.5.0/24) (PUBLIC)
eth1 172.16.0.1/24 (network 172.16.0.0/24) (PRIVATE)
conn server1-server2
         authby=rsasig
         left=5.5.5.2
         leftsubnet=172.16.0.0/24
         leftsourceip=172.16.0.1
         leftid=@server2
         leftrsasigkey=
         right=5.5.5.1
         rightsubnet=0.0.0.0/0
         rightrsasigkey=
         type=tunnel
         auto=start

Server A NATs outgoing connections from 172.16.1.1/24 to IP 6.6.6.1 
and server B surfs the web with that IP. The strange thing is that 
server B does not tunnel the traffic toward 5.5.5.0/24 despite 
rightsubnet=0.0.0.0/0! Also, the traffic toward 5.5.5.0/24 originates 
from IP 5.5.5.2 despite leftsourceip=172.16.0.1!


Please, someone explain how the hell it works. I even bought your 
openswan book, but it just explains the basics and not how stuff is 
really implemented.

At least it doesn't crash the whole system now: 
http://marc.info/?l=linux-netdev&m=133000782209351&w=2 :(

Thanks,
Niccolò

P.S.
I use Debian Squeeze amd64 on both machines.
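Paul's suggestion of leaving the conn without sourceip= and then using "ip rule" and "ip route" to prefer the tunnel-side address only for some traffic (port 80 in his reply), as an added example that is not part of the thread and not Openswan's own code: locally generated TCP/80 traffic is tagged with an fwmark, tagged packets are sent to a separate routing table whose default route carries the tunnel-side source address, and the IPsec peer and the local LAN are excluded so they never get forced into the 0.0.0.0/0 tunnel. The fwmark 0x50, routing table 80, rule priority 1000 and the uplink device eth0 are assumptions; the addresses are the ones from Server B's configuration above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan. Steers locally
# generated TCP traffic to one port (port 80, as in Paul's reply) through the
# IPsec tunnel with the tunnel-side source address, while all other traffic,
# the IPsec peer and the local LAN keep using the normal routing table.
# Assumed values (not from the thread): fwmark 0x50, routing table 80,
# rule priority 1000, uplink device eth0. The addresses are taken from
# Server B's configuration in the post.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=1 prints the commands; DRY_RUN=0 applies them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pbr_setup SRC PORT MARK TABLE PEER DEV LAN
#   SRC   tunnel-side address to prefer (what leftsourceip= would have set)
#   PORT  TCP destination port to steer through the tunnel
#   MARK  fwmark used to tag that traffic
#   TABLE routing table holding the tunnel default route
#   PEER  IPsec peer (IKE/ESP to it must stay on the normal route)
#   DEV   device the peer is reached through
#   LAN   local subnet that must never be forced into the tunnel
pbr_setup() {
    src=$1; port=$2; mark=$3; table=$4; peer=$5; dev=$6; lan=$7
    is_ipv4 "$src"  || { echo "bad source address: $src" >&2; return 1; }
    is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }

    # 1. Tag locally generated TCP traffic to PORT, except towards the peer
    #    and the LAN, so only that traffic is affected by the new table.
    run iptables -t mangle -A OUTPUT ! -d "$peer" ! -d "$lan" \
        -p tcp --dport "$port" -j MARK --set-mark "$mark"
    # 2. Tagged packets consult TABLE before the main table.
    run ip rule add fwmark "$mark" lookup "$table" priority 1000
    # 3. TABLE's default route carries src SRC: the packet leaves with the
    #    tunnel-side address, so NETKEY matches the SRC-to-0.0.0.0/0 policy
    #    and encrypts it; unmarked traffic never sees this route.
    run ip route add default via "$peer" dev "$dev" src "$src" table "$table"
    run ip route flush cache
}

# pbr_teardown MARK TABLE PEER PORT LAN: undo pbr_setup in reverse order.
pbr_teardown() {
    mark=$1; table=$2; peer=$3; port=$4; lan=$5
    run ip route flush table "$table"
    run ip rule del fwmark "$mark" lookup "$table" priority 1000
    run iptables -t mangle -D OUTPUT ! -d "$peer" ! -d "$lan" \
        -p tcp --dport "$port" -j MARK --set-mark "$mark"
}

# Example run with the assumed values; with DRY_RUN=1 this only prints.
pbr_setup 172.16.0.1 80 0x50 80 5.5.5.1 eth0 172.16.0.0/24
```

Run it with DRY_RUN=1 first and read the four commands it prints; apply with DRY_RUN=0 as root. The IPsec policy itself is untouched: the fwmark only decides which packets get the tunnel-side source address, and the existing rightsubnet=0.0.0.0/0 policy then catches them. For the roadwarrior case Paul mentions, the peer address and device change with every connection, so the teardown and setup have to be rerun with the current values.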

