Routing differences between 2.4 and 2.6 kernels

 
 
Ole Morten
05-06-2005, 10:05 AM
Hi,

I have a Linux gateway using kernel 2.4.25, running
FreeSWAN 2.06 and OpenVPN 2.0. The gateway has
one public IP on eth0, one private IP on eth1 and,
through the ipsec0 (eth0) interface, is building three IPSEC
tunnels to our corporate private network. OpenVPN
uses the tun0 interface for road warriors. The gateway is
firewalled by iptables because it provides internet
access for the private network on eth1 and the
OpenVPN road warriors. NAT is enabled for traffic to
the internet and for traffic from the OpenVPN subnet, which
is not known by any corporate router.

eth0 Public internet
eth1 10.200.1.0/24 private network
ipsec0 10.0.0.0/8 corporate network
ipsec0 10.200.2.0/24 corporate network
ipsec0 10.200.3.0/24 corporate network
tun0 10.200.100.0/24 OpenVPN network

I don't have to worry at all because at present this
scenario works well, but personal curiosity and a desire to
stay up to date with the latest developments have made me
start experimenting with various versions of 2.6
kernels together with FreeSWAN but also OpenSWAN
2.3.0/2.3.1. However, so far I have not had complete
success running ipsec and OpenVPN simultaneously.

When testing I have disabled the firewall apart from
NAT.
ipsec0 interface is removed from all scripts when using
2.6 kernels.
All ip_forward flags in kernel are set to 1.
With only OpenVPN running, road warriors can access
private network on eth1 as well as internet on eth0.
Starting ipsec service will for some reason block road
warriors from the private network and corporate private
network, but they can reach the public internet.
Apart from the ipsec0 interface the output from
commands route and ip route looks similar for the 2.4
and 2.6 kernels.

When ipsec is running with kernel 2.6 almost everything
seems normal between the private and the corporate
networks. I say almost because I have discovered a
funny replication and mail routing problem between
Lotus Domino servers, this will be the next problem to
solve before trashing 2.4.

Can anyone give a clue or tell me the reason why
routing does not work between OpenVPN clients and
any of the private 10.x.x.x networks on kernel 2.6?

Many thanks in advance
brgds
Ole M.


 
Mr. Boy
05-06-2005, 04:30 PM
First of all, stop using IPSec, it is too insecure; you are putting your
whole system at risk using such an unreliable protocol as IPSec.

Second, you must check your OpenVPN compilation: are you using iproute2
to establish routes or not?

Third, stop using IPSec; keep using TLS/SSL VPN solutions.

4th. - Your OpenVPN uses the -server setting; do you have a pool of
addresses with a 31-bit netmask? Are you using sit (IPv6) tunnels?

 
Ole Morten
05-06-2005, 05:04 PM

"Mr. Boy" wrote:
> First of all, stop using IPSec, it is too insecure; you are putting your
> whole system at risk using such an unreliable protocol as IPSec.


I totally agree, IPSec is a mess, however this is a corporate decision made
far over my head.

> Second, you must check your OpenVPN compilation: are you using iproute2
> to establish routes or not?


No, I am currently not using iproute2. Is that necessary under a 2.6 kernel?
Everything works well now using 2.4 kernel.
>
> Third, stop using IPSec; keep using TLS/SSL VPN solutions.


Agree, and I hope the rest will follow soon!
>
> 4th. - Your OpenVPN uses the -server setting; do you have a pool of
> addresses with a 31-bit netmask? Are you using sit (IPv6) tunnels?


The server assigns 31-bit subnets to the road warriors. It also pushes all
dhcp-options and routing to clients.

I could post the .conf files for IPSec and OpenVPN, but again this works OK
under 2.4, so I believe there is a fundamental difference in how the kernels
react. I have posted this request on both OpenSWAN and OpenVPN mailing
lists, but no one there has a clue so far.

Thanks

Ole M.


 