[Openswan Users] Returned packages are forwarded to wrong interface

Pedro Batista pedosb at gmail.com
Thu Oct 30 19:02:54 EDT 2014


Hello, I have a working tunnel with IPsec using netkey when I have only one
WAN. The thing is, I want to set up split access (using policy-based
routing) in a single gateway so I can have 3 WAN interfaces.

I will describe my setup. I have the 192.168.50.0/24 network connecting to
the remote network 192.168.201.0/24; as gateway I am using 0.0.0.0 on the
eth2 interface and, for my internal network, 192.168.50.5 on the eth0
interface. The remote gateway is 1.1.1.1. Below is the interesting part
from both ip addr list and the ipsec.conf:

[root at moses ~]# ip addr list
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    inet 192.168.50.5/24 brd 192.168.50.255 scope global eth0
...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    inet 0.0.0.0/25 brd 0.0.0.255 scope global eth2
...


[root at moses ~]# cat /etc/ipsec.d/vpn.conf
...
left         = 0.0.0.0
leftsubnets  = { 192.168.50.0/24 }
right        = 1.1.1.1
rightsubnets = { 192.168.201.0/24 }
...


For my policy-based routing, I have a table called trinn which will route
all traffic coming from 0.0.0.0, besides my local routes. Here is the
interesting part of ip route list, ip rule list and of my private routing
table, ip route list table trinn:

[root at moses ~]# ip route list
...
0.0.0.128/25 dev eth2  proto kernel  scope link  src 0.0.0.0
192.168.50.0/24 dev eth0  proto kernel  scope link  src 192.168.50.5
...


[root at moses ~]# ip rule list
0:      from all lookup local
...
32762:  from 0.0.0.0 lookup trinn
...
32766:  from all lookup main
32767:  from all lookup default


[root at moses ~]# ip route list table trinn
0.0.0.128/25 dev eth2  scope link  src 0.0.0.0
192.168.50.0/24 dev eth0  scope link  src 192.168.50.5
default via 0.0.0.129 dev eth2


When I try to ping the remote host 192.168.201.173, the ICMP packet gets
correctly routed, coming from eth0, then it is encrypted and sent through
eth2. Then I receive an encrypted packet from the remote host 1.1.1.1
which is decrypted and should be routed through eth0, but is instead sent
through eth2, so it cannot reach its destination, which is only accessible
through eth0. Below, a tcpdump of the situation I just described is shown.

[root at moses ~]# tcpdump -i eth0 host 1.1.1.1 or host 192.168.50.131
20:38:23.957066 IP 192.168.50.131 > 192.168.201.173: ICMP echo request, id 27920, seq 1, length 64

[root at moses ~]# tcpdump -i eth2 host 1.1.1.1 or host 192.168.50.131
20:38:23.957122 IP 0.0.0.0 > 1.1.1.1: ESP(spi=0x0c519031,seq=0x9), length 116
20:38:23.987502 IP 1.1.1.1 > 0.0.0.0: ESP(spi=0x241bd80a,seq=0xc), length 116
20:38:23.987502 IP 192.168.201.173 > 192.168.50.131: ICMP echo reply, id 27920, seq 1, length 64


I did some research and found an old post which could be a similar problem,
but it is not resolved (
https://lists.openswan.org/pipermail/users/2010-March/018548.html). I prefer
to try to resolve the issue using netkey since it is supported by CentOS
6.5. Can you help me?

--
Pedro Batista
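To make explicit what the rule and table listings in the post predict, here is an added example (not part of the original message, and not Openswan or kernel code): a small model of Linux policy routing, with the rules and tables transcribed from the post's output (0.0.0.0 being the redacted WAN address, and the truncated parts of the main and local tables filled with only the host's own addresses). It shows that the outer ESP packet should leave via eth2 through table trinn, while the decrypted reply does not match the "from 0.0.0.0" rule and should fall through to the main table and eth0; the model does not reproduce whatever made the kernel choose eth2, it only states what the listed configuration says should happen.

```python
import ipaddress

# Constructed from the ip rule / ip route output in the post.
# Rules: (priority, source selector or None for "from all", table name).
RULES = [
    (0, None, "local"),
    (32762, "0.0.0.0/32", "trinn"),   # WAN address, redacted as 0.0.0.0 in the post
    (32766, None, "main"),
    (32767, None, "default"),
]

# Tables: list of (destination prefix, output device, gateway or None).
# The local table only carries the host's own addresses (assumption: the
# post truncated it), so it never matches the forwarded traffic modelled here.
TABLES = {
    "local": [("192.168.50.5/32", "lo", None), ("0.0.0.0/32", "lo", None)],
    "main": [("0.0.0.128/25", "eth2", None), ("192.168.50.0/24", "eth0", None)],
    "trinn": [("0.0.0.128/25", "eth2", None), ("192.168.50.0/24", "eth0", None),
              ("0.0.0.0/0", "eth2", "0.0.0.129")],
    "default": [],
}


def lookup_table(table, dst):
    """Longest-prefix match of dst inside one routing table, or None."""
    best = None
    for prefix, dev, via in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best


def route(src, dst):
    """Walk the rules by priority; a table without a matching route falls
    through to the next rule, exactly as the kernel's fib lookup does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, selector, table in RULES:
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            return {"rule": prio, "table": table, "dev": hit[1], "via": hit[2]}
    return None


if __name__ == "__main__":
    print("ESP to remote gateway:", route("0.0.0.0", "1.1.1.1"))
    print("decrypted echo reply: ", route("192.168.201.173", "192.168.50.131"))
```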