From: Sam Sgro (sam_at_freeswan.org)
Date: Mon Nov 25 2002 - 06:24:30 CET
On Sat, 23 Nov 2002, Mark Weaver wrote:
> The tunnel is 0/0 -- 10.0.5.1 --- 10.0.5.27/32.
>
> The tunnel is brought up fine, and the routes are correct for everything
> apart from the LAN over which the tunnel is established:
>
> 10.0.5.0/24 dev eth0 proto kernel scope link src 10.0.5.27
> 10.0.5.0/24 dev ipsec0 proto kernel scope link src 10.0.5.27
> 127.0.0.0/8 dev lo scope link
> 0.0.0.0/1 via 10.0.5.1 dev ipsec0
> 128.0.0.0/1 via 10.0.5.1 dev ipsec0
> default via 10.0.5.1 dev eth0
>
> The problem is that 10.0.5.0/24 (the LAN) is not routed through the gateway.
So, your goal is to have traffic for the network this device logically lies
upon communicated to the gateway via the ipsec tunnel. Won't the device that
you intend to communicate with simply respond directly to that IP address in
the clear, or do I misunderstand your intent?
> I can get around this by simply deleting the link scope route, using a
> custom _updown script.
Do you mean the ipsec0 "link scope" route, or both the link scope routes
listed above? It seems that if you were to only delete the ipsec0 link scope
route, little would change (as the most specific route to your LAN would still
lie down eth0, and not down the encrypted tunnel.)
Given that the ipsec0 device has the same IP and lies on the same network as
eth0, I think it makes sense for Pluto to create this route, mimicking the
behavior of the existing interface.
Regardless, the more specific route will take precedence.
> (btw, would other people find it useful to have
> something along the lines of :
>
> SCRIPT="/etc/ipsec/$PLUTO_CONNECTION.updown"
> [ -x "$SCRIPT" ] && "$SCRIPT" up
>
> in the _updown scripts, making it easy to have custom _updown rules that
> simply modify the defaults? I've used this method for a while...)
You may want to make a post on the Design list with a bit more detail, to
solicit comments from other team members.
-- 
Sam Sgro
sam_at_freeswan.org
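Added example, not code from the thread or from FreeS/WAN: a small POSIX shell longest-prefix-match lookup run over the routing table Mark posted, showing that the 10.0.5.0/24 route on eth0 wins over the 0/1 and 128/1 tunnel routes for LAN hosts, and that only deleting the /24 routes (as his custom _updown script does) sends LAN traffic down ipsec0. The destination addresses tested are constructed.

```shell
#!/bin/sh
# Constructed example, not FreeS/WAN code: longest-prefix match over the
# routing table quoted in the thread. Routes are "prefix/len device" (the
# "via" next hop is omitted). Ties between equal prefixes go to the first
# listed entry, as in the posted table. Assumes 64-bit shell arithmetic
# (dash, bash, ksh all qualify).

ip2int() {                       # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

plen2mask() {                    # prefix length -> netmask as an integer
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# lookup DEST TABLE: print the device of the most specific matching route
lookup() {
    dst=$(ip2int "$1")
    best_len=-1
    best_dev=unreachable
    while read -r pfx dev; do
        [ -z "$pfx" ] && continue
        m=$(plen2mask "${pfx#*/}")
        if [ $(( $(ip2int "${pfx%/*}") & $m )) -eq $(( $dst & $m )) ] \
           && [ "${pfx#*/}" -gt "$best_len" ]; then
            best_len=${pfx#*/}
            best_dev=$dev
        fi
    done <<EOF
$2
EOF
    echo "$best_dev"
}

# Table as posted, and the same table after a custom _updown script has
# deleted both 10.0.5.0/24 link-scope routes.
BEFORE="10.0.5.0/24 eth0
10.0.5.0/24 ipsec0
127.0.0.0/8 lo
0.0.0.0/1 ipsec0
128.0.0.0/1 ipsec0
0.0.0.0/0 eth0"
AFTER=$(printf '%s\n' "$BEFORE" | grep -v '^10\.0\.5\.0/24 ')

echo "10.0.5.40 before: $(lookup 10.0.5.40 "$BEFORE")"    # eth0 (in the clear)
echo "10.0.5.40 after:  $(lookup 10.0.5.40 "$AFTER")"     # ipsec0
echo "198.51.100.7:     $(lookup 198.51.100.7 "$BEFORE")" # ipsec0
```

Note that even once the LAN /24 is forced down ipsec0, a LAN host that is not itself a tunnel peer still answers directly on the link, which is the point Sam raises above.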
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Nov 27 2002 - 05:20:51 CET