From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Nov 27 2002 - 07:53:33 CET
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 26 Nov 2002, Mark Weaver wrote:
> It will, and therein lies the problem. (I think I meant the eth0 link scope
> route for deletion, although I don't have another freeswan machine to try
> this on right now). It seems logical that if I set up a route to 0/0, all
> packets should go down the tunnel when established, overriding any routes
> that presently exist.
The crux of your problem is routing. Standard Linux routing rules dictate that
when choosing amongst overlapping routes, the most specific one should be
used. Thus, the 0/0 route doesn't actually kill the pre-existing link route to
10.0.5.0/24 over eth0, and the one we've created on ipsec0.
> For Windows clients I use SSH sentinel to establish a tunnel with a 0/0
> route, and the behaviour here is different from that of freeswan - all
> packets, including those to the 10.0.5.0/24 go to the gateway. This seems
> to be correct to me.
We make the assumption that you will be able to directly communicate with
nodes on your network, as defined by your IP and subnet mask; I think it's a
reasonable one. Thus, we don't go and muck about with removing routes, as we
would need to in this 0/0 case.
Routing communication to those nodes through the central gateway could be
deceptive, as you won't actually be communicating with those nodes securely;
packets would be promptly decrypted, and broadcast in the clear onto the
insecure 'net unless a secure communication method existed.
So, in the end, you are seeing behaviour we might expect, and modifying the
_updown script to delete the link routes (as you've done) is the easiest
solution I can see for your situation.
Anyhow, it's still food for thought. I'll run this scenario by one of the
WaveSEC developers to see if they think a change might be necessary.
--
Sam Sgro
sam_at_freeswan.org
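The longest-prefix rule Sam describes, modelled as an added example (not code from the thread or from FreeS/WAN): a constructed route table with the link route for 10.0.5.0/24 on eth0 and the 0/0 route on ipsec0, a lookup that picks the most specific match, and a helper that models what the modified _updown script does by dropping the link route.

```python
import ipaddress

# Constructed route table mirroring the thread: the pre-existing link-scope
# route for the LAN on eth0, plus the 0/0 route pointing down the tunnel.
ROUTES = [
    ("10.0.5.0/24", "eth0"),   # link route for the local subnet
    ("0.0.0.0/0", "ipsec0"),   # default route via the IPsec interface
]


def select_route(dst, routes=ROUTES):
    """Return the outgoing device for dst the way the Linux FIB decides it:
    among all routes whose prefix contains dst, the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def without_link_route(routes=ROUTES, lan="10.0.5.0/24"):
    """Model the modified _updown script: delete the link route so that the
    0/0 route becomes the only match for LAN addresses as well (hypothetical
    helper, not part of FreeS/WAN)."""
    return [(prefix, dev) for prefix, dev in routes if prefix != lan]


if __name__ == "__main__":
    # With the link route present, LAN traffic stays on eth0 in the clear.
    print("10.0.5.7 ->", select_route("10.0.5.7"))
    # Traffic to anything else already goes down the tunnel.
    print("192.0.2.1 ->", select_route("192.0.2.1"))
    # Once the link route is removed, LAN traffic also takes ipsec0.
    print("10.0.5.7 (link route deleted) ->",
          select_route("10.0.5.7", without_link_route()))
```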
This archive was generated by hypermail 2.1.5 : Thu Nov 28 2002 - 05:20:52 CET