Solved

openswan stealing more specifically routed packets?

Posted on 2009-04-01
3
1,138 Views
Last Modified: 2012-06-27
I have an ipsec connection via openswan between two RFC1918 /24 subnets using linux (one old redhat, one new debian), which works fine.  I am now trying to route packets between two discreet hosts in those /24s over a different connection (adding host routes pointing at the router(s) which handle the new connection - the two hosts are part of a VoIP system that needs to use the new connection to avoid latency and other issues associated with the ipsec VPN).

Here's the problem - on the old redhat box (freeswan 1.x), the addition of the host route cause the desired result - the packets from one discreet host to the other travel out the interface which is connected to the router handling that end of the new connection, rather than the ipsec interface.  Perfect.  However, on the debian box (freeswan 2.x), the packets continue to be transmitted via the ipsec connection, even though I have more specific [host] route via the new connection.  WTF, mate?

This has all been verified with local sniffers (tcpdump).

Any ideas how to get around this?  

I suspect that this might be able to be worked around using "ip xfrm", experimental netfilter extensions (particularly the ROUTE destination), or policy routing using iproute2 tools, but this just seems silly, and overly complex.

Cheers,
-Jon

[ **** Edited by The--Captain - removed frustrated rants **** ]
0
Comment
Question by:The--Captain
  • 2
3 Comments
 

Accepted Solution

by:
MonitorSupport earned 500 total points
ID: 24095531
Alternatively and probably a better solution would be to add the backup route to the Security Policy table instead of changing the matching orders around.

I.e. 'ip xfrm policy list' shows you the current security policies as created by openswan when VPNs establish.

How could I use 'ip xfrm policy add ...' to insert the necessary Security Policies to act as backup VPN routes when the openswan tunnel policies are not in place?
0
 
LVL 16

Author Comment

by:The--Captain
ID: 24102485
Indeed, I have already fixed it and that is exactly the solution I used.

To get the packets to be passed along to the linux routing engine (to exempt them from being handed off to openswan) such that they use my alternate circuit, I used (except that I used my real IPs, and a /32 mask to exempt just two hosts):

ip xfrm policy add dir fwd src a.b.c.d/e dst f.g.h.i/j
ip xfrm policy add dir fwd dst a.b.c.d/e src f.g.h.i/j
ip xfrm policy add dir in src a.b.c.d/e dst f.g.h.i/j
ip xfrm policy add dir out dst a.b.c.d/e src f.g.h.i/j

I don't know if all of those are necessary, but it's working for me currently.

Thanks,
-Jon
0
 
LVL 16

Author Closing Comment

by:The--Captain
ID: 31565231
This would have led me to the correct solution, had I already not discovered it first.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Fine Tune your automatic Updates for Ubuntu / Debian
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now