?
Solved

openswan stealing more specifically routed packets?

Posted on 2009-04-01
3
Medium Priority
?
1,207 Views
Last Modified: 2012-06-27
I have an ipsec connection via openswan between two RFC1918 /24 subnets using linux (one old redhat, one new debian), which works fine.  I am now trying to route packets between two discreet hosts in those /24s over a different connection (adding host routes pointing at the router(s) which handle the new connection - the two hosts are part of a VoIP system that needs to use the new connection to avoid latency and other issues associated with the ipsec VPN).

Here's the problem - on the old redhat box (freeswan 1.x), the addition of the host route cause the desired result - the packets from one discreet host to the other travel out the interface which is connected to the router handling that end of the new connection, rather than the ipsec interface.  Perfect.  However, on the debian box (freeswan 2.x), the packets continue to be transmitted via the ipsec connection, even though I have more specific [host] route via the new connection.  WTF, mate?

This has all been verified with local sniffers (tcpdump).

Any ideas how to get around this?  

I suspect that this might be able to be worked around using "ip xfrm", experimental netfilter extensions (particularly the ROUTE destination), or policy routing using iproute2 tools, but this just seems silly, and overly complex.

Cheers,
-Jon

[ **** Edited by The--Captain - removed frustrated rants **** ]
0
Comment
Question by:The--Captain
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Accepted Solution

by:
MonitorSupport earned 1500 total points
ID: 24095531
Alternatively and probably a better solution would be to add the backup route to the Security Policy table instead of changing the matching orders around.

I.e. 'ip xfrm policy list' shows you the current security policies as created by openswan when VPNs establish.

How could I use 'ip xfrm policy add ...' to insert the necessary Security Policies to act as backup VPN routes when the openswan tunnel policies are not in place?
0
 
LVL 16

Author Comment

by:The--Captain
ID: 24102485
Indeed, I have already fixed it and that is exactly the solution I used.

To get the packets to be passed along to the linux routing engine (to exempt them from being handed off to openswan) such that they use my alternate circuit, I used (except that I used my real IPs, and a /32 mask to exempt just two hosts):

ip xfrm policy add dir fwd src a.b.c.d/e dst f.g.h.i/j
ip xfrm policy add dir fwd dst a.b.c.d/e src f.g.h.i/j
ip xfrm policy add dir in src a.b.c.d/e dst f.g.h.i/j
ip xfrm policy add dir out dst a.b.c.d/e src f.g.h.i/j

I don't know if all of those are necessary, but it's working for me currently.

Thanks,
-Jon
0
 
LVL 16

Author Closing Comment

by:The--Captain
ID: 31565231
This would have led me to the correct solution, had I already not discovered it first.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Fine Tune your automatic Updates for Ubuntu / Debian
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question