On Tue, 5 Dec 2006, Douglas Leece wrote:
> I have been a freeswan user for years and never really
> had a lot of issues with it. Unfortunately I have found
> Openswan to be a bit more difficult to get going. The
> Freeswan config I am replacing required a tunnel from LAN A
> to LAN B and that was easy to replicate. The problem seems
> to come in with the second tunnel that goes from the
> external IP of LAN B's gateway to LAN A. We use this second
> tunnel to replicate DNS zone data from LAN A to the Gateway
> serving LAN B.
What does ipsec verify say? Does it complain about rp_filter or
redirects that should be changed?
What happens if you add "failureshunt=clear" to config setup? It's not
the right solution, but it might give us an idea where the problem is.
> I have rolled back to 2.4-33 on Fedora because I can't
> seem to get Openswan to run on any version of 2.6 using
> netkey. We ran for years with almost no issues using 2.4.18
> and superfreeswan 1.99 on Debian and I used these configs as
> the basis for the new build because I thought we were just
> upgrading.
Let's hope klips and netkey merge soon.....
> Can Openswan support such a configuration? There are
> two separate routes on the machines, one for the LAN to LAN
> and the other for LAN to gateway external IP. Both tunnels
> negotiate and connect fine but the traffic from LAN A to LAN
> B does not flow when the gateway to LAN A tunnel is also up.
> When the gateway to LAN tunnel comes down then it seems to
> work fine.
It should work.
> On a second note, is there any version of OpenSwan that
> works on a current Linux distro without patching the
> kernel? I have been through memory leaks, daemons crashing,
> mismatched tunnels and terrible service trying to use
> various versions of 2.6 kernel and the openswan tools. I like
> Debian but I can certainly use RHEL or even Ubuntu if there
> is a trouble-free build out there. I am quite concerned that
> patching 2.6 with klips might cause problems with upgrades
> later, so if I can stay with a stock kernel that would be a
> lot better.
If you have issues with 2.4.7, please let us know so we can
address them.
Paul
--
Building and integrating Virtual Private Networks with
Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
_______________________________________________
Users openswan.org
http://lists.openswan.org/mailman/listinfo/users