[Openswan dev] Help needed with Openswan

Sumit Kala sumitk31 at gmail.com
Sat Jun 25 01:39:43 EDT 2011


Hello Fellow Members,

I have been trying to setup IPSEC encryption between two linux boxes.
I have a server application which runs on Linux Box A
and a client application which runs on Linux Box B.

The client sends the data to server.
I have captured wireshark logs at both server and client end.
In the wireshark logs I can see that the Box B send ESP packets to the Box
A.

But the server Application running at Box A is is not able to get any
packets.

If I turn the policy off at Box B, Box B sends normal UDP data packets to
Box A, but still the Server Application running at box A doesn't get any
packets.( Expected behavior since policy at Box A enforces that all packets
coming from Box B should be encrypted.)

If I turn the policy off at Box A and Box B both, the server application
receives the unencrypted data which is also expected behavior.

But when the policy is turned on at both the boxes the encrypted packets
reach the Box A but are not delivered to the server application.

If anyone has faced such issue please help me to debug this issue.

I have attached the ifconfig and policy settings at Box A and Box B for your
reference.


Thanks & Regards,
Sumit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20110625/c7a1b2ce/attachment.html 
-------------- next part --------------
root at 172.16.117.101[/nfs-server]# ifconfig
eth0      Link encap:Ethernet  HWaddr 6C:F0:49:EF:EB:F8
          inet addr:172.16.117.101  Bcast:172.16.117.255  Mask:255.255.255.0
          inet6 addr: fe80::6ef0:49ff:feef:ebf8/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:96630 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16420 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:8833640 (8.4 MiB)  TX bytes:1176900 (1.1 MiB)
          Interrupt:28

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21685 (21.1 KiB)  TX bytes:21685 (21.1 KiB)

virbr0    Link encap:Ethernet  HWaddr DA:FF:81:14:66:23
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:3869 (3.7 KiB)
-------------- next part --------------
root at 172.16.117.201[/nfs-server]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1E:C9:5C:8D:54
          inet addr:172.16.117.201  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::21e:c9ff:fe5c:8d54/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1681828 errors:0 dropped:0 overruns:0 frame:0
          TX packets:640867 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1766878568 (1.6 GiB)  TX bytes:48572009 (46.3 MiB)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:195283423 errors:0 dropped:0 overruns:0 frame:0
          TX packets:195283423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1168128985 (1.0 GiB)  TX bytes:1168128985 (1.0 GiB)

virbr0    Link encap:Ethernet  HWaddr 1E:04:6F:97:FE:0C
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:29115 (28.4 KiB)

-------------- next part --------------
flush;
spdflush;



spdadd 172.16.117.101/24 172.16.117.201/24 any -P out ipsec
      esp/transport//require;

spdadd 172.16.117.201/24 172.16.117.101/24 any -P in ipsec
       esp/transport//require;


add 172.16.117.101 172.16.117.201 esp 0x201
    -E 3des-cbc  0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;

add 172.16.117.201 172.16.117.101 esp 0x301
    -E 3des-cbc  0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

-------------- next part --------------
flush;
spdflush;

# I am gateway A (eth0:192.168.1.130, eth1:200.200.200.10)
#
# Security policies
spdadd 172.16.117.201/24 172.16.117.101/24 any -P out ipsec
       esp/transport//require;

spdadd 172.16.117.101/24 172.16.117.201/24 any -P in ipsec
       esp/transport//require;



add 172.16.117.201 172.16.117.101 esp 0x201
    -E 3des-cbc  0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;

add 172.16.117.101 172.16.117.201 esp 0x301
    -E 3des-cbc  0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;



More information about the Dev mailing list