[Openswan Users] Returned packages are forwarded to wrong interface

Pedro Batista pedosb at gmail.com
Thu Oct 30 19:02:54 EDT 2014

Hello, I have a working tunnel with IPsec using netkey when I have only one
WAN. The thing is, I want to set up split access (using policy-based
routing) on a single gateway so I can have 3 WAN interfaces.

I will describe my setup. I have the network connecting to
the remote network, as gateway I am using in the
eth2 interface and for my internal network in the eth0
interface. The remote gateway is
Below are the interesting parts of both ip addr list and the ipsec.conf:

[root at moses ~]# ip addr list
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    inet brd scope global eth0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    inet brd scope global eth2

[root at moses ~]# cat /etc/ipsec.d/vpn.conf
left         =
leftsubnets  = { }
right        =
rightsubnets = { }

For my policy-based routing, I have a table called trinn which will route
all traffic coming from, besides my local route. Here are the
interesting parts of ip route list, ip rule list and of my private routing
table, ip route list table trinn:

[root at moses ~]# ip route list
...
 dev eth2  proto kernel  scope link  src
 dev eth0  proto kernel  scope link  src

[root at moses ~]# ip rule list
0:      from all lookup local
32762:  from lookup trinn
32766:  from all lookup main
32767:  from all lookup default

[root at moses ~]# ip route list table trinn
 dev eth2  scope link  src
 dev eth0  scope link  src
default via dev eth2

When I try to ping the remote host the ICMP packet gets
correctly routed, coming from eth0, then it is encrypted and sent through
eth2. Then I receive an encrypted packet from the remote host
which is decrypted and should be routed through eth0, but is instead sent
through eth2, so it cannot reach its destination, which is only reachable
through eth0. Below, a tcpdump of the situation I just described is shown.

[root at moses ~]# tcpdump -i eth0 host or host
20:38:23.957066 IP > ICMP echo request, id
27920, seq 1, length 64

[root at moses ~]# tcpdump -i eth2 host or host
20:38:23.957122 IP > ESP(spi=0x0c519031,seq=0x9), length
20:38:23.987502 IP > ESP(spi=0x241bd80a,seq=0xc), length
20:38:23.987502 IP > ICMP echo reply, id
27920, seq 1, length 64

I did some research and found an old post which could be a similar problem,
but it is not resolved (
https://lists.openswan.org/pipermail/users/2010-March/018548.html). I prefer
to try to resolve the issue using netkey since it is supported by CentOS
6.5. Can you help me?

Pedro Batista
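A small model of the Linux policy-routing lookup (ip rule, then ip route inside the selected table) that shows how a per-WAN table with its own default route can swallow a decrypted reply destined for the LAN. This is an added example, not code from the post or from Openswan; all addresses are constructed RFC 5737 documentation ranges chosen to mirror the layout above (LAN on eth0, one WAN on eth2, a remote subnet behind the IPsec peer), and the "from all lookup trinn" selector is an assumption, since the real selector is missing from the page. With netkey the decrypted packet is re-injected into the IP stack and routed through exactly these rules, so the same lookup decides its egress interface.

```python
"""Model of Linux policy-based routing: rules by priority, then
longest-prefix match inside the chosen table.  Added example with
constructed addresses; not the poster's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net                 # "default" is 0.0.0.0/0
    dev: str
    via: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    src: Optional[Net] = None   # None means "from all"
    dst: Optional[Net] = None   # None means "to all"


def lookup_table(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one table; None if nothing matches."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules: List[Rule], tables: Dict[str, List[Route]],
          src: str, dst: str) -> Tuple[str, Route]:
    """Walk rules in ascending priority; the first table that yields a route
    wins.  A table without a matching route is skipped and the next rule is
    tried.  Note that a 'default' route matches every destination, so a
    table holding one never falls through to main."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and s not in rule.src:
            continue
        if rule.dst is not None and d not in rule.dst:
            continue
        hit = lookup_table(tables.get(rule.table, []), d)
        if hit is not None:
            return rule.table, hit
    raise LookupError(f"no route to {dst}")


# Constructed addressing (RFC 5737 documentation ranges), an assumption.
LAN = Net("192.0.2.0/24")        # eth0, internal network
WAN = Net("198.51.100.0/24")     # eth2, one of the WAN links
REMOTE = Net("203.0.113.0/24")   # subnet behind the IPsec peer
ANY = Net("0.0.0.0/0")

# Kernel-added link routes of the main table (default route omitted here).
MAIN = [Route(WAN, "eth2"), Route(LAN, "eth0")]


def scenario(rule_src: Optional[Net], trinn_has_lan_link: bool, guard_rule: bool):
    """Build (rules, tables) for one variant of the per-WAN table 'trinn'.

    rule_src           selector of 'ip rule add from <rule_src> lookup trinn'
                       (None models 'from all')
    trinn_has_lan_link 'ip route add 192.0.2.0/24 dev eth0 table trinn'
    guard_rule         'ip rule add to 192.0.2.0/24 lookup main prio 100'
    """
    trinn = [Route(WAN, "eth2"), Route(ANY, "eth2", via="198.51.100.1")]
    if trinn_has_lan_link:
        trinn.append(Route(LAN, "eth0"))
    rules = [Rule(32762, "trinn", src=rule_src), Rule(32766, "main")]
    if guard_rule:
        rules.append(Rule(100, "main", dst=LAN))
    return rules, {"main": MAIN, "trinn": trinn}


def egress(rules, tables, src: str, dst: str) -> str:
    """Interface the packet leaves on, per the model above."""
    return route(rules, tables, src, dst)[1].dev


if __name__ == "__main__":
    req = ("192.0.2.20", "203.0.113.5")    # echo request, LAN -> remote
    rep = ("203.0.113.5", "192.0.2.20")    # decrypted echo reply, remote -> LAN
    for label, args in [("from all, no LAN link in trinn", (None, False, False)),
                        ("from all, LAN link copied into trinn", (None, True, False)),
                        ("from all, 'to LAN lookup main' guard", (None, False, True)),
                        ("from LAN only", (LAN, False, False))]:
        rules, tables = scenario(*args)
        print(f"{label:40s} request -> {egress(rules, tables, *req)}, "
              f"reply -> {egress(rules, tables, *rep)}")
```

On a real box the same question is answered by the kernel itself, for the decrypted reply as it would be seen after XFRM processing: ip route get 192.0.2.20 from 203.0.113.5 iif eth2 (with the real addresses substituted) prints the table and device actually chosen, and ip rule list shows which selector sent it there. If the answer names the WAN interface, either the LAN link route is missing from the per-WAN table or a destination-keyed rule to the LAN that looks up main ahead of the per-WAN tables is needed.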