LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-17-2017, 11:10 PM   #1
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Rep: Reputation: Disabled
IP rule help -cant exempt directly connected routes from VPN 0.0.0.0/0


Hi,

I've having issues with linux policy routing. I've got two possible default routes. One is whichever interface gets DHCP for WAN and the other is a Strongswan VTI. I want all traffic to go out the VTI except a couple IPs and directly connected routes. I've been able to do this for the public IPs I want to exempt, the problem is when I do it, the rule supersedes the directly connected interfaces which get DHCP for WAN connections. The routes on the directly connected interfaces will change(as will the default next hop), so I can't define statically with a route statement.

Here are my rules:

0: from all lookup local
220: from all lookup 220
1000: from all to 8.8.8.8 lookup main
1001: from all to 4.2.2.1 lookup main
1500: from all lookup vpn-routes
32766: from all lookup main
32767: from all lookup default

~# ip route sho tab vpn-routes
default via 172.21.0.1 dev vti1

~# ip route sho tab main
default via 192.168.10.2 dev eth0 proto static src 192.168.10.129 # This is DHCP and will change
10.100.0.0/24 dev eth1 proto kernel scope link src 10.100.0.114
10.100.0.1 dev eth1 proto static scope link src 10.100.0.114
172.21.0.0/23 dev vti1 scope link
172.30.5.45 via 192.168.68.1 dev tap0
172.30.5.83 via 192.168.68.1 dev tap0
172.30.5.166 via 192.168.68.1 dev tap0
172.30.5.200 via 192.168.68.1 dev tap0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.129
192.168.10.2 dev eth0 proto static scope link src 192.168.10.129
192.168.68.0/23 dev tap0 proto kernel scope link src 192.168.68.7
192.168.204.0/24 dev eth2 proto kernel scope link src 192.168.204.129 # This is DHCP and will change

I'm new to policy routing on linux, any thoughts would be appreciated. Thanks.

CB
 
Old 03-23-2017, 03:38 PM   #2
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,838

Rep: Reputation: 160Reputation: 160
What's your Linux distribution, Fedora or something else?
 
Old 03-23-2017, 04:25 PM   #3
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
OpenWRT, but will also be using Ubuntu.
 
Old 03-27-2017, 04:09 PM   #4
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,838

Rep: Reputation: 160Reputation: 160
You can used nogateway option in the /etc/dhcpcd.conf for WAN interface. So eth0-specific or WAN configuration started looking like that:

interface eth0 -- assume it is WAN

static ip_address=192.168.2.2/24
static routers=192.168.2.1
static domain_name_servers=192.168.2.1
nogateway
 
Old 03-27-2017, 04:18 PM   #5
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
I dont see how that fixes the problem. The primary wan can't cease being a gateway. In fact initially it is needed. I need a few addresses to connect outside the tunnel, one being the tunnel peer address. But the tunnel needs a gateway to initiate the tunnel. There are no static IPs. The WAN is DHCP. Maybe I just dont follow what you are saying. Perhaps explain further? I mean pretty please.
 
Old 03-29-2017, 04:05 PM   #6
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,838

Rep: Reputation: 160Reputation: 160
I assume your issue is that default gateway got on WAN DHCP change your configuration. So my suggestion is that using nogateway option on WAN DHCP ignore the gateway configuration, always keep your configuration.
 
Old 03-29-2017, 04:38 PM   #7
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,331

Rep: Reputation: Disabled
If your problem is that you're no longer able to communicate with hosts on connected networks once a StrongSwan VPN tunnel with a 0.0.0.0/0 "right" network definition is activated, then I'm afraid it's a policy issue.

I'm seeing the exact same behaviour with a router running OpenWRT. If I use 0.0.0.0/0 as the remote network, StrongSwan will happily add a transform policy for all IP traffic, meaning the local LAN instantly becomes unreachable.

Unfortunately, "installpolicy=no" cannot always be used as a workaround, as there may not be a way to add the correct policies manually. For instance, the ip command in OpenWRT just doesn't support the "xfrm" option, although it's listed in the help text. It should work on Ubuntu, though, so you could have StrongSwan call a script to add/remove the relevant transform policies whenever the tunnel is activated and deactivated.

Every other IPsec implementation I've encountered makes sure connected networks are exempt from IPsec ESP tunnels. Tunnels to remote networks defined as 0.0.0.0/0 work fine on Cisco/D-Link/ZyXEL gear, so I consider this a bug in StrongSwan.

Last edited by Ser Olmy; 03-29-2017 at 04:43 PM.
 
Old 03-29-2017, 09:59 PM   #8
lsalab
LQ Newbie
 
Registered: Jan 2009
Posts: 24

Rep: Reputation: 3
If you are using OpenWRT, perhaps you should take a look at the 'multiwan' package. You can configure the default gateway and specific set of rules to redirect traffic under certain conditions you can specify.

Check it out:

https://wiki.openwrt.org/doc/uci/multiwan

I hope it helps!
 
Old 03-30-2017, 05:21 PM   #9
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
Nini09. No that's not the issue. The issue is when I install an ip rule it supersedes directly connected interfaces, which is a little crazy IMO. This is not done via DHCP

Ser Olmy. Your closer. It in fact does not install policies. VTIs don't use policies in that way as I understand. There is nothing in iptables or ip route table 220. It's all controlled via routing tables and the associated ip rules. The reason I say this is before I install the ip rule and corresponding table, it works perfectly.

lsalab, Good idea! Unfortunately I will be using other distros as well.


I could also shell script it, but I would strongly prefer to use the built in linux PBR. Also it just doesn't seem right that adding a default route would take precedence over directly connected network with a way around it.
 
Old 03-30-2017, 11:15 PM   #10
lsalab
LQ Newbie
 
Registered: Jan 2009
Posts: 24

Rep: Reputation: 3
In that case, you could try to create different routing tables and specify manually which table should linux use depending on the conditions you set. Take a look at iproute2, here's a good resource on getting this thing going:

http://baturin.org/docs/iproute2/

You can create two different routing tables with different default gateway and specify a table to use with 'ip rule' uder certain conditions.

Take special consideration to the 'Policy-Based Routing' section.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Apply routes when connecting to VPN BeaverusIV Linux - Networking 4 03-11-2013 04:00 PM
help with iptables and samba on directly connected network konkura Linux - Security 1 01-30-2013 03:44 AM
UBUNTU does not see directly connected HP 4 printer schmitta Linux - Newbie 5 12-02-2011 02:31 PM
VPN pptpd connected vpn server only access need help please u4david Linux - Networking 1 10-17-2008 04:54 PM
Routes, iptables and vpn midof Linux - Security 1 06-23-2005 07:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration