<div>Hi Paul,</div>
<div> </div>
<div>Thanks for the reply.</div>
<div> </div>
<div>My IPSEC server has 2 IP's , one for WAN side i.e. 61.246.2.100 and other for LAN side i.e. 192.168.1.1.</div>
<div> </div>
<div>Tunnel is created between 2 WAN side IPs.</div>
<div> </div>
<div> </div>
<div>Also the packet is coming as encrypted but it gets decrypted at FAST path level of network processor, so when packet reaches Linux Stack it is already unencrypted.</div>
<div> </div>
<div>Is this unencrypted packet gets dropped as IPSEC expects traffic between these 2 subnets as encrypted ?</div>
<div> </div>
<div> </div>
<div>Regards,</div>
<div> </div>
<div> </div>
<div>Shobhit</div>
<div><br><br> </div>
<div class="gmail_quote">On Fri, Jul 31, 2009 at 12:10 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div></div>
<div class="h5">On Thu, 30 Jul 2009, shobhit shingla wrote:<br><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I am using openswan in my network processor.<br>Problem is Network processor performs the decryption in fast path<br>
So If the packet is for local IP, decrypted packet is injected into Linux Stack.<br>But I think ipsec is rejecting the decrypted packet in my kernel.<br> <br>this is my scenario<br> Linux Machine Network Processor<br>
193.168.10.1 192.168.1.1 <br><a href="http://193.168.10.0/24" target="_blank">193.168.10.0/24</a> ------61.246.5.100<br>-------------------------------------------------------------------61.246.2.100--------192.168.1.0/24<br>
<br>ipsec.conf on Network processor<br>leftIP = 61.246.2.100<br>leftSubnet = <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><br>rightIP = 61.246.5.100<br> rightSubnet = <a href="http://193.168.10.0/24" target="_blank">193.168.10.0/24</a><br>
ike= 3des-sha1<br>auto = add<br>authby = secret<br> <br>Tunnel is created successfuly<br> <br>If i ping from say 193.168.10.2 to 192.168.1.2 ,all works fine<br> <br>But when i ping to 192.168.1.1 from any right subnet IP, ESP packet is decrypted in fast path,so Linux stack will receive<br>
decrypted packet. But somehow that packet is lost.<br></blockquote><br></div></div>Is your ipsec server 192.168.1.1? If so, add leftsourceip=192.168.1.1
<div class="im"><br><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Is IPSEC rejecting unencrypted packet?<br></blockquote><br></div>It should not in this case as it came in encrypted according to you. I would<br>
verify that you have the right sysctl settings:<br><br>net.ipv4.conf.default.rp_filter = 0<br>net.ipv4.conf.all.send_redirects = 0<br>net.ipv4.conf.default.send_redirects = 0<br>net.ipv4.conf.default.accept_source_route = 0<br>
net.ipv4.conf.all.accept_redirects = 0<br>net.ipv4.conf.default.accept_redirects = 0<br><font color="#888888"><br>Paul </font></blockquote>
<div> </div></div><br>