Hi Michael,<div> I want to encrypt all the traffic that is going via my system (router). Suppose traffic is coming for a destination IP for which no tunnel exists; I need to block it (plain traffic should not go via my router). The reason behind adding the pass-through connection is that my system should not block AH/ESP/UDP-encapsulated traffic for a destination, irrespective of tunnel configurations. </div>
<div><br></div><div>If I remove the drop declaration above, it gets loaded. But I can't use iptables for the drop, because the iptables rule is hit before IPsec processing starts, which will not fulfill my requirements. Hope you understand my situation. </div>
<div><br><div class="gmail_quote">On Mon, Nov 21, 2011 at 8:17 AM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
This sounds like an old problem I patched ages ago. What version of<br>
Openswan are you running?<br>
<br>
On Mon, 2011-11-21 at 20:24 +0530, SaRaVanAn wrote:<br>
> Hi all,<br>
> I want to add below three SPD rules.<br>
><br>
> source destination protocol action<br>
> 1)<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 172.31.114.239 any ipsec<br>
> 2)<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> ah/esp none<br>
> 3)<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> any discard.<br>
<br>
Not sure what you're trying to do with those policies but the discard<br>
one gives me the impression that you're trying to use the policy<br>
database as if it were a firewall.<br>
<br>
> I tried by adding these rules using openswan. Only two rules are getting<br>
> added in Security policy database, the pass through rule is not<br>
> added(verified using setkey tool).<br>
> Please find my ipsec.conf below<br>
><br>
><br>
> config setup<br>
> protostack=netkey<br>
> nat_traversal=yes<br>
> virtual_private=<br>
> oe=off<br>
> nhelpers=0<br>
> interfaces=%defaultroute<br>
><br>
> conn west-east<br>
> left=172.31.114.245<br>
> right=172.31.114.239<br>
> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> keyexchange=ike<br>
> auto=add<br>
> auth=esp<br>
> authby=secret<br>
> pfs=no<br>
> keylife=120m<br>
> rekey=yes<br>
> ikelifetime=240m<br>
> keyingtries=0<br>
><br>
> conn drop<br>
> left=172.31.114.245<br>
> right=172.31.114.239<br>
> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> type=drop<br>
> authby=never<br>
> auto=route<br>
><br>
> conn passthrough<br>
> left=172.31.114.245<br>
> leftprotoport=ah<br>
> right=172.31.114.239<br>
> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
Not quite sure what you are trying to do with that subnet declaration,<br>
but it seems like this declaration directly conflicts with the drop<br>
declaration above. I'm not sure what it's going to do when it gets two<br>
configuration specifications for basically the same ordered set of<br>
source and destination address and source and destination subnet, but<br>
something tells me it's not going to do what you expect it to, and it may<br>
not be allowing it.<br>
<br>
What happens if you remove the "drop" declaration above and retry it?<br>
Does the bypass declaration get loaded then? Maybe you should be using<br>
iptables for that drop above?<br>
<br>
> type=passthrough<br>
> authby=never<br>
> auto=route<br>
<br>
> Please correct me if my configuration is wrong. It would be great, if you<br>
> help me out on this.<br>
><br>
><br>
> Regards,<br>
> Saravanan N<br>
><br>
> _______________________________________________<br>
> <a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
> <a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
<font color="#888888"><br>
--<br>
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | (678) 463-0932 | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
</font></blockquote></div><br></div>
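<div><br></div><div>The three SPD entries from the original post (tunnel to the peer, pass-through for already-protected traffic, catch-all discard), written out as a setkey policy file so the intended lookup order can be checked with <code>setkey -DP</code>. This is an added example, not configuration from the thread or from Openswan. It assumes the addresses from the post (router/left 172.31.114.245, peer/right 172.31.114.239) and an ipsec-tools setkey built with policy-priority support (the <code>prio</code> keywords documented in setkey(8) for Linux 2.6.6 and later). It is meant for a test box: pluto manages the SPD itself when a conn is routed, so this is not something to load beside a running Openswan.</div>

```conf
#!/usr/sbin/setkey -f
# Addresses from the post: router (left) 172.31.114.245, peer (right) 172.31.114.239.
# Assumed for this example; adjust to your own topology.
spdflush;

# 1) Tunnel: anything addressed to the peer must leave through the ESP tunnel,
#    and anything arriving from the peer must have come through it.
#    'prio high' puts these entries first in the lookup order.
spdadd 0.0.0.0/0 172.31.114.239/32 any -P out prio high ipsec
       esp/tunnel/172.31.114.245-172.31.114.239/require;
spdadd 172.31.114.239/32 0.0.0.0/0 any -P in prio high ipsec
       esp/tunnel/172.31.114.239-172.31.114.245/require;

# 2) Pass-through: packets that are already protected (AH, ESP, or ESP inside
#    UDP on the NAT-T port) go through untouched whatever the tunnel setup.
#    The upper-layer protocol is part of the selector, so each protocol needs
#    its own entry; the post's single leftprotoport=ah conn covers only AH.
spdadd 0.0.0.0/0 0.0.0.0/0 ah  -P out prio def none;
spdadd 0.0.0.0/0 0.0.0.0/0 ah  -P in  prio def none;
spdadd 0.0.0.0/0 0.0.0.0/0 esp -P out prio def none;
spdadd 0.0.0.0/0 0.0.0.0/0 esp -P in  prio def none;
spdadd 0.0.0.0/0[any] 0.0.0.0/0[4500] udp -P out prio def none;
spdadd 0.0.0.0/0[any] 0.0.0.0/0[4500] udp -P in  prio def none;

# 3) Catch-all: whatever is still in the clear is discarded. 'prio low' makes
#    this the last entry consulted; without an explicit priority it can sit
#    ahead of the bypass entries and swallow the AH/ESP traffic as well.
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out prio low discard;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in  prio low discard;
```

<div>Two things this makes explicit that the ipsec.conf in the post does not. First, the kernel SPD matches on the upper-layer protocol, so an <code>ah</code>, <code>esp</code> or <code>udp</code>/4500 entry is a different selector from the <code>any</code> discard and the two can coexist; a bypass for only AH leaves ESP and NAT-T traffic to the discard. Second, lookup order is decided by priority, not by how specific the selector looks, which is why the discard is pinned last here. On a router it is also worth confirming, after loading, that <code>setkey -DP</code> shows an <code>fwd</code> entry next to each <code>in</code> entry (ipsec-tools on Linux normally derives them), since it is the fwd policies that govern packets the router forwards rather than terminates.</div>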