
[Users] IPIP tunneling with IPSec

From: Cédric de Launois (delaunoi_at_info.ucl.ac.be)
Date: Mon Apr 22 2002 - 12:16:58 CEST


Hi,

I get a strange routing problem when doing IPIP tunneling with IPSec.
My goal is to give the client a public IP address and to tunnel its
public packets through an IPIP tunnel which uses an IPSec connection.

First, here's my (simplified) network configuration:

---------- Router ------------------------------------------ client
a.b.c.d:eth0  eth1:192.168.0.1                     eth0:192.168.0.3

My ipsec connection uses the eth1 interface and is a host-to-host
connection between my router and my client:

---------- Router ------------------------------------------ client
a.b.c.d:eth0  ipsec1:192.168.0.1                 ipsec0:192.168.0.3

And, finally, over the ipsec connection, I set up an IPIP tunnel:

---------- Router ------------------------------------------ client
a.b.c.d:eth0  tunl1:w.x.y.z                           tunl1:w.x.y.z

To make things more clear, here's my (simplified) kernel routing table
on the server:

Destination     Gateway         Genmask         Indic Use Iface
192.168.0.3     192.168.0.3     255.255.255.255 UGH       ipsec1
192.168.0.0     0.0.0.0         255.255.255.0   U         eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         ipsec1

And here's my ipip tunnel configuration:

tunl1: ip/ip remote 192.168.0.3 local 192.168.0.1 dev ipsec1 ...

Here's my problem: when I force my ipip tunnel to use the ipsec
interface (by adding 'dev ipsec1' to the tunnel), everything goes well:
packets going through my tunnel are encrypted through ipsec1 and
are correctly sent to the client.

BUT, I really don't want to specify the interface to use for my ipip
tunnel, and when I don't specify it, packets get dropped by the
ipip tunnel interface. This is weird since, when not specifying the
interface to use, the interface selected should be the first matching
in the kernel routing table, which is in my case the ipsec1 interface
(first entry matching destination 192.168.0.3).
This behaviour does not occur when the interface is not an ipsec
interface.

So my question is: why is the ipsec interface not selected as the
interface to use for client 192.168.0.3?

Thanks in advance for your help,

Cédric de Launois

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:52 CEST