Subject: local address and VPN
To: None <>
From: Emmanuel Dreyfus <>
List: tech-net
Date: 11/01/2004 23:58:34

I have some trouble with an IPsec VPN setup for the road warrior case:

road -------- default gw ----- internet ----- VPN gw ---->

My problem occurs on the road warrior. I have the following addresses:
INTERNAL_ADDR: the internal address. The packets going out of the tunnel
at VPN gw should have this IP as the source address
LOCAL_ADDR: the road warrior external address.
REMOTE_ADDR: the VPN gw address
DEFAULT_GW: the default gw address

Here is my setup, done after the phase 1 SA is established:

ifconfig lo0 alias ${INTERNAL_ADDR}
route delete default
route add ${REMOTE_ADDR} ${DEFAULT_GW}
route add default ${INTERNAL_ADDR}
echo "
spdadd ${INTERNAL_ADDR}/32 any -P out ipsec;
spdadd ${INTERNAL_ADDR}/32 any -P in ipsec;
" | setkey -c

At that time, sending a ping to the private server causes the phase 2 SA
to be established, and the ping works.

But when I use telnet or nslookup on the road warrior, the traffic gets
dropped by the local machine. I added a few printfs in the kernel and
discovered that for privileged sockets, the source address is
${INTERNAL_ADDR}, but for unprivileged sockets, it is ${LOCAL_ADDR}.
Because ${LOCAL_ADDR} does not match any SPD, packets get dropped.

1) Is it normal to get a different default local address for
privileged and unprivileged sockets?
2) Is there a way to influence the default local address? I'd like to
force all communications to use the internal address.
3) Is my setup wrong? How should it be done?

Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
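An added diagnostic (not part of the original mail) for the failure described above: it asks the kernel which source address it would pick for a given destination and checks whether that address falls inside the SPD selectors installed by the spdadd lines. The addresses and the 10.0.0.5 tunnel address are constructed placeholders; substitute the real ${INTERNAL_ADDR}.

```python
import socket
import ipaddress

# Constructed sample values standing in for the mail's variables.
INTERNAL_ADDR = "10.0.0.5"               # ${INTERNAL_ADDR}, hypothetical
SPD_SELECTORS = [INTERNAL_ADDR + "/32"]  # what 'spdadd ${INTERNAL_ADDR}/32' covers


def source_addr_for(dest, port=53, bind_to=None):
    """Return the local address the kernel picks for traffic to dest.

    connect() on a UDP socket sends nothing; it only runs source-address
    selection and records the result, which getsockname() then reports.
    bind_to pins the source address before connect(), the per-application
    way to stop depending on the kernel's default choice.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_to is not None:
            s.bind((bind_to, 0))
        s.connect((dest, port))
        return s.getsockname()[0]
    finally:
        s.close()


def covered_by_spd(src, selectors=SPD_SELECTORS):
    """True if src lies inside one of the SPD selectors.

    A source address outside every selector is exactly the mail's failure
    case: no policy matches, so the road warrior drops its own packets.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(sel) for sel in selectors)


def check(dest, selectors=SPD_SELECTORS, bind_to=None):
    """Return (chosen source address, whether the SPD covers it)."""
    src = source_addr_for(dest, bind_to=bind_to)
    return src, covered_by_spd(src, selectors)


if __name__ == "__main__":
    # Hypothetical private server behind the VPN gw; needs a route to exist.
    try:
        src, ok = check("192.0.2.10")
        print("source %s: %s by SPD" % (src, "covered" if ok else "NOT covered"))
    except OSError as e:
        print("no usable route for the test destination: %s" % e)
```

Run it once as an unprivileged user and once as root to reproduce the two different source addresses the mail reports.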