Hello,
I'm trying to set up a central IPsec gateway with several IPsec tunnels.
Some are to be routed over one leased line, some over the other leased
line. Both leased lines have their own public IP address.
The setup looks kinda like this:
                         eth1(ipsec0)--ISP0--Internet--eth1-Linux1-eth0--Subnet1
                        /
                   (ipsec-tunnel0)
Intranet--eth0-Linux-HQ
                   \
                   (ipsec-tunnel1)
                         eth2(ipsec1)--ISP1--Internet--eth1-Linux2-eth0--Subnet2
I wanted to use the advanced routing features (ip command) of the Linux
kernel to solve the routing issues. When advanced routing is activated I
can start tunnel0. After a few seconds there is still traffic on ipsec0
but not on eth1.
When I deactivate advanced routing and bring down eth2, tunnel0 works
flawlessly.
I used Debian stable with kernel 2.4.20
FreeS/WAN: 1.98b
The setup for the advanced routing looks like this:
-snip-
#!/bin/sh
# Wrapper around /sbin/ip: with DEBUG=1 every ip command is echoed
# before it is executed; otherwise the wrapper is removed below.
ip() {
    echo ip "$@"
    /sbin/ip "$@"
}
[ "$DEBUG" != "1" ] && unset -f ip

# P1 gateway, P1_NET network address, IP1 local address, IF1 interface
export IF1=eth0
export IP1=212.202.224.34
export P1=212.202.224.33
export P1_NET=212.202.224.32/29
# Same for the second leased line
export IF2=eth2
export IP2=83.236.132.166
export P2=83.236.132.165
export P2_NET=83.236.132.164/30

if [ "$1" = "start" ]; then
    echo 'Setting up advanced routing'
    # One routing table per uplink: link route plus default via that ISP
    ip route add $P1_NET via $P1 src $IP1 table qsc1
    ip route add default via $P1 table qsc1
    ip route add $P2_NET via $P2 src $IP2 table qsc2
    ip route add default via $P2 table qsc2
    # Remote subnet behind tunnel0 goes through ipsec0 (table qsc1 only)
    ip route add 192.168.2.0/24 dev ipsec0 table qsc1
    # Select the table by source address
    ip rule add from $IP1 table qsc1
    ip rule add from $IP2 table qsc2
    ip route flush cache
elif [ "$1" = "stop" ]; then
    ip route flush table qsc1
    ip route flush table qsc2
    ip rule del from $IP1 table qsc1
    ip rule del from $IP2 table qsc2
    ip route flush cache
    echo 'Stopping advanced routing'
else
    echo "Unknown parameter $1"
fi
Any help is greatly appreciated.
Ciao,
Philip
--
LINET Services GbR
Gotenweg 15             Tel.: 0531-280 191 71
38106 Braunschweig      Fax.: 0531-280 191 72
http://www.linet-services.de
mailto:info@linet-services.de
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
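The following is an editor-added model of the policy routing the script above installs, not code from the post or from FreeS/WAN. It replays the kernel's two-stage decision (ip rule selects a table by source address, then longest-prefix match inside that table) against a constructed snapshot of the rules and tables, and shows that the 192.168.2.0/24 route via ipsec0 is only consulted for packets whose source is IP1; the main table contents and the intranet subnet 192.168.1.0/24 are assumptions.

```python
import ipaddress

# Editor-added model of the posted policy routing, not code from the post.
# Rules in priority order: the two "ip rule add from ..." entries, then the
# kernel's always-present catch-all "from all lookup main".
RULES = [
    ("212.202.224.34/32", "qsc1"),   # from $IP1
    ("83.236.132.166/32", "qsc2"),   # from $IP2
    ("0.0.0.0/0", "main"),
]

# Routes per table as (network, output device). qsc1/qsc2 follow the
# script; the main table is a constructed assumption (the intranet subnet
# 192.168.1.0/24 is made up, the link routes mirror the script's values).
TABLES = {
    "qsc1": [("212.202.224.32/29", "eth0"),
             ("192.168.2.0/24", "ipsec0"),   # the tunnel0 route
             ("0.0.0.0/0", "eth0")],
    "qsc2": [("83.236.132.164/30", "eth2"),
             ("0.0.0.0/0", "eth2")],
    "main": [("192.168.1.0/24", "eth0"),
             ("212.202.224.32/29", "eth0"),
             ("83.236.132.164/30", "eth2"),
             ("0.0.0.0/0", "eth0")],
}


def select_table(src):
    """First rule whose source selector contains src wins, as in ip rule."""
    s = ipaddress.ip_address(src)
    for net, table in RULES:
        if s in ipaddress.ip_network(net):
            return table
    raise LookupError("no rule matched " + src)


def lookup(src, dst):
    """Return (table, device): rule selection, then longest-prefix match."""
    table = select_table(src)
    d = ipaddress.ip_address(dst)
    best = None
    for net, dev in TABLES[table]:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, dev)
    if best is None:
        raise LookupError("no route to %s in table %s" % (dst, table))
    return table, best[1]
```

Calling `lookup("192.168.1.5", "192.168.2.7")` lands in the main table and its default route, while the same destination from IP1 resolves to ipsec0 in qsc1.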