
IP redirects and IPSec ???
Interesting, but obvious, problem.

Moving from a GRE-based VPN to an IPSec one, I have two routers on the same
subnet - for migration mainly.

.1 is the old Cisco and .254 is the new-ish OpenBSD router. The .254 box
has a catchall route for the 192.168/16 network via .1 - this sweeps up old
traffic and stuff that is not yet ready to migrate.

Traffic from the network hits the .254 router, IPSec picks this up and
routes it over the tunnel, but the IP stack also sends an ICMP redirect back
to the source pointing to .1 - now all future traffic goes from that source
via the old route / router.

What got me was that I was under the impression that ICMP redirects were off
by default. Nope. Because the 'more specific' route is via IPSec and not a
normal IP route, the system thinks that the next hop is via the old router
and not the IPSec SA that is processed later in the chain.

This mail is (a) for the archives and (b) to ask if there is a better (more
dummy-proof) solution for the future than being caught by this kind of
thing - i.e. ICMP redirects being processed 'later' in the routing process
???

PS It doesn't help that the Linux 'netstat -rn' command doesn't list host
routes installed by ICMP redirects... but that's someone else's problem.

Peter
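Added example, not from Peter's mail or any of the routers involved: a small parser that recognises the ICMP host redirects described above in raw IPv4 packets and lists the flows a router has steered towards another gateway, which is one way to notice this failure mode from a capture rather than from mysteriously slow VPN traffic. All addresses and the sample packets are constructed for the example; the 192.168/16 VPN prefix is taken from the mail.

```python
import ipaddress
import struct


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def icmp_redirect(router, host, gateway, orig_src, orig_dst):
    """ICMP type 5 code 1 (host redirect): router tells host to reach orig_dst via gateway.
    The body carries the new gateway, then the offending packet's IP header + 8 bytes."""
    inner = ipv4_header(orig_src, orig_dst, 6, 8) + b"\x00" * 8
    body = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(gateway).packed) + inner
    return ipv4_header(router, host, 1, len(body)) + body


def parse_redirect(pkt):
    """Return (router, new_gateway, original_dst) for an ICMP redirect, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 + 20:      # not ICMP, or too short for a redirect
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 5:                                # type 5 = redirect (codes 0-3)
        return None
    router = str(ipaddress.IPv4Address(pkt[12:16]))
    gateway = str(ipaddress.IPv4Address(icmp[4:8]))
    original_dst = str(ipaddress.IPv4Address(icmp[8 + 16:8 + 20]))  # dst of quoted header
    return router, gateway, original_dst


def redirected_flows(packets, vpn_net):
    """Redirects whose original destination lies inside the prefix the IPSec tunnel should carry."""
    net = ipaddress.IPv4Network(vpn_net)
    return [r for r in map(parse_redirect, packets)
            if r and ipaddress.IPv4Address(r[2]) in net]


# Constructed sample: the .254 router redirects a host to .1 for a remote 192.168/16 address,
# followed by an ordinary echo request that must be ignored.
SAMPLE = [
    icmp_redirect("192.168.1.254", "192.168.1.10", "192.168.1.1", "192.168.1.10", "192.168.50.7"),
    ipv4_header("192.168.1.10", "192.168.1.254", 1, 8) + struct.pack("!BBHHH", 8, 0, 0, 1, 1),
]

if __name__ == "__main__":
    for router, gw, dst in redirected_flows(SAMPLE, "192.168.0.0/16"):
        print(f"{router} redirected traffic for {dst} to {gw}")
```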