Hey guys, some more info always helps. The FS box is a gateway to a network, masquerades the clients behind it, and is connected by ADSL using PPPoE. I'm setting up a VPN between a Windows XP RW and the gateway of the network directly.
I have pretty much assumed that the problem is not freeswan, but rather the routing tables making assumptions on IP. My routing table starts out as:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.59.96.1     *               255.255.255.255 UH    0      0        0 ppp0
202.59.96.1     *               255.255.255.255 UH    0      0        0 ipsec0
172.16.34.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         202.59.96.1     0.0.0.0         UG    0      0        0 ppp0

and then after 24 hours (the ADSL provider forces a temporary disconnect) it moves to:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.59.96.1     *               255.255.255.255 UH    0      0        0 ppp0
202.59.96.1     *               255.255.255.255 UH    0      0        0 ipsec0
172.16.34.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         202.59.96.1     0.0.0.0         UG    0      0        0 ipsec0

It seems it happens because the kernel routing table daemon or some such thing just finds the closest interface to an IP, and comes up with ipsec0. When the ppp0 iface comes back up it doesn't reestablish the default route back to ppp0. This must be a fairly common problem; how do people correct this?

-Michael

On Wed, 30 Jul 2003 06:25 am, Sam Sgro wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Tue, 29 Jul 2003, Michael Carmody wrote:
> > Have managed to get FreeSwan with x509 certs to connect to a WinXP box,
> > and am very happy, except....
> >
> > After about 24 hours the freeswan connection takes over the default
> > route.
> >
> > i.e. instead of the default gateway pointing to the router via eth0, it
> > becomes a pointer to the router via ipsec0.
>
> Here's a routing table as it appears after FreeS/WAN starts (without any
> connections, that is):
>
> [EMAIL PROTECTED] sam]# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 66.12.183.64    0.0.0.0         255.255.255.240 U     0      0        0 eth0
> 66.12.183.64    0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         66.12.183.65    0.0.0.0         UG    0      0        0 eth0
>
> There are instances where FreeS/WAN can "take over" your default route -
> notably, if you're using opportunistic encryption, your routing table will
> look something like this:
>
> 66.11.183.64    0.0.0.0         255.255.255.240 U     0      0        0 eth0
> 66.11.183.64    0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         66.11.183.65    128.0.0.0       UG    0      0        0 ipsec0
> 128.0.0.0       66.11.183.65    128.0.0.0       UG    0      0        0 ipsec0
> 0.0.0.0         66.11.183.65    0.0.0.0         UG    0      0        0 eth0
>
> Notice that the OE route is split into two /1 routes through ipsec0. Unless
> you see these routes, your problem is unlikely to be with anything OE
> related, and thus unlikely to be FreeS/WAN's doing.
>
> Can you post a "before" and "after" snapshot of your kernel routing table,
> so we can confirm what you're seeing?
>
> Perhaps you've got your networking fouled up somehow, such that the default
> route doesn't come back after the interface goes down briefly. How are you
> acquiring this IP address? dhcp - is the lease 24 hours long? - or pppoe or
> the like?
>
> > All internet access is then lost as all replies (and not just the link I
> > wanted) are routed out ipsec0 and the router doesn't respond to the ipsec
> > traffic.
> >
> > Have I made a silly assumption here? Can I route all normal traffic out
> > an eth interface and just traffic to a specific IP out the ipsec
> > interface?
>
> Yes, this is a very common configuration.
>
> --
> Sam Sgro
> [EMAIL PROTECTED]
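The two checks discussed in this thread (is the default route sitting on ipsec0, and are the two OE /1 split routes present) can be scripted against the text of `route` / `route -n` output. The script below is an added example, not code from the thread, FreeS/WAN or pppd; the sample tables are constructed to match the shape of the tables quoted above, and the `/etc/ppp/ip-up` argument positions it mentions ($1 = interface, $5 = remote address) are pppd's standard ip-up arguments.

```sh
#!/bin/sh
# Added example (not from the thread): inspect a kernel routing table and
# print the commands that move a misplaced default route back onto the
# PPPoE interface. It works on the text of `route` / `route -n` output, so
# it runs offline on the constructed samples below.

# Constructed sample shaped like the thread's "after" table: the default
# route has landed on ipsec0 after the ADSL reconnect.
SAMPLE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.59.96.1     *               255.255.255.255 UH    0      0        0 ppp0
202.59.96.1     *               255.255.255.255 UH    0      0        0 ipsec0
172.16.34.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         202.59.96.1     0.0.0.0         UG    0      0        0 ipsec0'

# Constructed sample of the healthy "before" state (default route on ppp0).
SAMPLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.59.96.1     *               255.255.255.255 UH    0      0        0 ppp0
172.16.34.0     *               255.255.255.0   U     0      0        0 eth1
default         202.59.96.1     0.0.0.0         UG    0      0        0 ppp0'

# Constructed sample in `route -n` form with the OE split routes Sam describes.
SAMPLE_OE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.11.183.64    0.0.0.0         255.255.255.240 U     0      0        0 eth0
66.11.183.64    0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
0.0.0.0         66.11.183.65    128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       66.11.183.65    128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         66.11.183.65    0.0.0.0         UG    0      0        0 eth0'

# default_route TABLE: prints "<gateway> <iface>" of the true default route.
# Accepts the symbolic "default" form (route) and "0.0.0.0" (route -n); the
# genmask test keeps the OE /1 routes (genmask 128.0.0.0) out of the match.
default_route() {
    printf '%s\n' "$1" |
        awk '($1 == "default" || $1 == "0.0.0.0") && $3 == "0.0.0.0" { print $2, $8; exit }'
}

# default_iface TABLE: interface name of the default route only.
default_iface() {
    default_route "$1" | awk '{ print $2 }'
}

# oe_split_routes TABLE: how many /1 routes through ipsec0 are present.
# 0 means the OE routes are not what moved the default route.
oe_split_routes() {
    printf '%s\n' "$1" | awk '$3 == "128.0.0.0" && $8 == "ipsec0" { n++ } END { print n + 0 }'
}

# repair_commands TABLE WANT_IFACE: prints the route commands that pin the
# default route to WANT_IFACE, or nothing if it is already there. Naming the
# device matters: a bare "route add default gw <ip>" leaves the kernel to pick
# between the two host routes to the peer (ppp0 and ipsec0 in the table).
repair_commands() {
    set -- "$(default_route "$1")" "$2"
    gw=${1% *}
    have=${1#* }
    want=$2
    [ "$have" = "$want" ] && return 0
    echo "route del default"
    echo "route add default gw $gw dev $want"
}

# In pppd's /etc/ppp/ip-up hook the same repair would read, with $1 the ppp
# interface and $5 the remote address (standard pppd ip-up arguments):
#   route del default 2>/dev/null; route add default gw "$5" dev "$1"
# Stand-alone demonstration on the constructed "after" sample:
repair_commands "$SAMPLE_AFTER" ppp0
```

Run it on a live box with `repair_commands "$(route -n)" ppp0` to see what it would change before putting the two commands into the ip-up hook; `oe_split_routes "$(route -n)"` answers Sam's question of whether OE routes are involved at all.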
