
(racoon 930) RE: Multiple Routing tables don't work with IPSec... :(



Uargh, haven't been reading mail at this address for a while, apologies
about the late response... :( 

As mentioned in the original post, the actual VPN connections get
established without problems but only if the default route for the machine
is set to the interface being used.

Simple Diagram:     ADSL ---------[ Racoon ]-------- Diginet

If I set 'route del default; route add default gw ADSL_IP' I can VPN in on
the ADSL interface
If I set 'route del default; route add default gw DIGINET_IP' I can VPN in
on the Diginet interface

The box has however got multiple routing tables set up using iproute2
(detailed in the original post) which route traffic from Racoon's ADSL
interface to the ADSL gateway and traffic from the Diginet interface to the
Diginet router.

I.e. I can 'route del default' and still access e.g. the FTP server by
connecting to either the ADSL or the Diginet interface on the server. It
appears as if the racoon code only 'looks at' the main routing table and
doesn't look at 'ip rule show' the way everything else does that
enters/leaves the IPv4 stack (if that's the right name for it)...



1. Mainly used for Windows XP road warriors:
    IP-UP.LOCAL sets the following: ($4 = ADSL IP)
                /sbin/setkey -FP;
                /sbin/setkey -F;
                echo "spdadd $4[1701] 0.0.0.0/0[0] any -P out ipsec esp/transport//require;" | /sbin/setkey -c;

2. Responder, Windows XP clients VPNing in to the network

3. I've attached the logs below

4. I've tested it with a default policy of 'ACCEPT' on INPUT, OUTPUT and
FORWARD whilst clearing all chains and rules; i.e.:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -F
iptables -X

> you told just a fraction of story.
> 1) what are your policies (setkey -DP); please omit keys if you're using
> manual keying;
> 2) is this box acting as initiator or responder;
> 3) if you use automatic keying, to which point racoon succeeds
> negotiation;
> 4) what are your iptables rules

> > Have a box with multiple interfaces and thus setup multiple routing 
> > tables (iproute2). Problem is that I can only establish an IPSec 
> > connection to the connection that is set as the default route on the 
> > machine, all other network services however function perfectly on 
> > either interface... Almost like IPSec stack only 'follows' the main 
> > routing table and doesn't go through 'iproute2' which everything else
> > goes through...
> >  
> > Configuration:
> >  
> > /etc/iproute2/rt_tables:
> > 200    ADSL
> > 201    Diginet
> >  
> > ip route show table ADSL
> > default via 163.146.64.1 dev ppp0
> >  
> > ip route show table Diginet
> > default via 194.23.146.225 dev eth1
> >  
> > ip rule show
> > 0:      from all lookup local
> > 32764:  from 163.146.71.155 lookup ADSL
> > 32765:  from 194.23.146.224/28 lookup Diginet
> > 32766:  from all lookup main
> > 32767:  from all lookup 253
> >  
> > route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 163.146.64.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 194.23.146.224  0.0.0.0         255.255.255.240 U     0      0        0 eth1
> > 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 0.0.0.0         164.146.64.1    0.0.0.0         UG    0      0        0 ppp0

Syrex Intranets - Customised Solutions

David Herselman
Managing Member
B.Compt, MCSE, Team OS/2, Unix Admin, A+

cell  +27 (0)82 784 7222
tel   +27 (0)86 11 syrex (79739)
fax   +27 (0)86 12 syrex (79739)
27 7th avenue parktown north 2193
email dh@syrex.cc
www.syrex.co.za
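The symptom in this thread (IPsec only works for whichever interface holds the main-table default route, while everything else follows 'ip rule') comes down to which lookup a component performs. The following is an added example, not code from the original post or from the racoon project: a small model of the 'ip rule' and 'ip route' output quoted above that performs both a full policy lookup (rules in priority order, then longest-prefix match in the selected table) and a main-table-only lookup, so the two answers can be compared for the same reply packet. The remote address 203.0.113.10 and the box's Diginet-side address 194.23.146.230 are constructed; all routes and rule selectors are copied from the thread as given.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rules constructed from the 'ip rule show' output quoted in the thread:
# (priority, source selector or None for 'from all', table name).
RULES = [
    (0, None, "local"),
    (32764, "163.146.71.155/32", "ADSL"),
    (32765, "194.23.146.224/28", "Diginet"),
    (32766, None, "main"),
    (32767, None, "253"),   # table 253 is the 'default' table, empty here
]

# Tables constructed from 'ip route show table ...' and 'route -n' in the thread:
# (destination prefix, gateway or None for directly connected, device).
TABLES = {
    "local": [],            # host/broadcast entries omitted from the model
    "ADSL": [("0.0.0.0/0", "163.146.64.1", "ppp0")],
    "Diginet": [("0.0.0.0/0", "194.23.146.225", "eth1")],
    "main": [
        ("163.146.64.1/32", None, "ppp0"),
        ("194.23.146.224/28", None, "eth1"),
        ("192.168.1.0/24", None, "eth0"),
        ("0.0.0.0/0", "164.146.64.1", "ppp0"),
    ],
    "253": [],
}


@dataclass(frozen=True)
class Route:
    prefix: str
    gateway: Optional[str]
    dev: str


def lookup_table(table: str, dst: str) -> Optional[Route]:
    """Longest-prefix match inside a single table; None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, gateway, dev in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = Route(prefix, gateway, dev), net.prefixlen
    return best


def policy_lookup(src: str, dst: str) -> Optional[Route]:
    """Full policy lookup: walk rules by priority; the first table holding a matching route wins."""
    src_ip = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if selector is not None and src_ip not in ipaddress.ip_network(selector):
            continue
        route = lookup_table(table, dst)
        if route is not None:
            return route
    return None


def main_only_lookup(dst: str) -> Optional[Route]:
    """What a component gets if it consults only the main table and ignores 'ip rule'."""
    return lookup_table("main", dst)


def compare(src: str, dst: str) -> dict:
    """Side-by-side result for one reply packet (src = the local address replied from)."""
    return {"policy": policy_lookup(src, dst), "main_only": main_only_lookup(dst)}


if __name__ == "__main__":
    # Constructed addresses: a Diginet-side address of the box, the ADSL address
    # from the thread, and a remote road warrior in the documentation range.
    for src in ("194.23.146.230", "163.146.71.155"):
        res = compare(src, "203.0.113.10")
        print(f"from {src}: policy -> {res['policy']}; main only -> {res['main_only']}")
```

For a reply sourced from the Diginet address the policy lookup returns the eth1 route via 194.23.146.225, while the main-table-only lookup returns the ppp0 default; that mismatch is exactly the behaviour described above, where the tunnel only comes up for the interface that owns the main default route. On a live host the kernel's own answer to the same question is `ip route get <dst> from <src> iif <dev>`, which is the quickest way to confirm that the rules select the intended table before looking at the IPsec side.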