[Openswan Users] ipsec interfaces

Dan Ferris dan at usrsbin.com
Wed Jan 5 23:51:12 CET 2005


Hi.

I'm using OpenSWAN on a SuSE 9.2 box that is acting as an IPSEC/L2TP 
gateway for my wireless network.

Everything works great except for one really annoying thing.

There is no ipsec0 interface.  If I do a tcpdump on the ipsec interface, 
it will show the esp traffic coming in and then the decrypted and 
unpackaged traffic that was encapsulated also on eth0.

Here is the configuration:

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug="control parsing"
        #plutodebug=all
        # Certificate Revocation List handling
        #crlcheckinterval=600
        #strictcrlpolicy=yes
        # Change rp_filter setting, default = 0 (switch off)
        rp_filter=0
        # Switch on NAT-Traversal (if patch is installed)
        nat_traversal=no
        interfaces="ipsec0=eth0"


conn ipsec-l2tp
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        authby=secret
        pfs=no
        #
        left=10.10.10.1
        #
        # Required for original (non-updated) Windows 2000/XP clients.
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        rightprotoport=17/%any
        #
        # Authorize this connection, and wait for connection from user.
        #
        auto=add
        keyingtries=3
        esp=aes128-sha1,3des-sha1
        ike=aes-sha,3des-sha
        type=transport

Here is my ifconfig output:

dan:~ # ifconfig

eth0      Link encap:Ethernet  HWaddr 00:01:03:67:FF:49 
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::201:3ff:fe67:ff49/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28846 errors:0 dropped:0 overruns:1 frame:0
          TX packets:30664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5214628 (4.9 Mb)  TX bytes:15304208 (14.5 Mb)
          Interrupt:9 Base address:0xec80

eth1      Link encap:Ethernet  HWaddr 00:B0:D0:7C:92:80 
          inet addr:192.168.253.2  Bcast:192.168.253.255  Mask:255.255.255.0
          inet6 addr: fe80::2b0:d0ff:fe7c:9280/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30522 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23777050 (22.6 Mb)  TX bytes:3694242 (3.5 Mb)
          Interrupt:10 Base address:0xe880

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:379 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:23840 (23.2 Kb)  TX bytes:23840 (23.2 Kb)

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:10.10.10.4  P-t-P:10.10.10.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1200  Metric:1
          RX packets:613 errors:0 dropped:0 overruns:0 frame:0
          TX packets:625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:68564 (66.9 Kb)  TX bytes:318082 (310.6 Kb)

tcpdump info:

dan:~ # tcpdump -ni eth0

10.10.10.1 is the IPSec box.  10.10.10.253 is the Powerbook with the 
L2TP/IPSec client.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:49:09.867904 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x385)
23:49:10.011937 IP 10.10.10.253 > 10.10.10.1: ESP(spi=0x6b0bdfc2,seq=0x339)
23:49:10.011937 IP truncated-ip - 23 bytes missing! 10.10.10.253.27403 > 
10.10.10.1.57282: UDP, length: 17656
23:49:10.012938 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x386)
23:49:10.013302 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x387)
23:49:10.013589 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x388)
23:49:10.212326 IP 10.10.10.253 > 10.10.10.1: ESP(spi=0x6b0bdfc2,seq=0x33a)
23:49:10.212326 IP truncated-ip - 23 bytes missing! 10.10.10.253.27403 > 
10.10.10.1.57282: UDP, length: 17656
23:49:10.213013 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x389)
23:49:10.213393 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x38a)
23:49:10.213723 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x38b)
23:49:10.214078 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x38c)
23:49:10.412739 IP 10.10.10.253 > 10.10.10.1: ESP(spi=0x6b0bdfc2,seq=0x33b)
23:49:10.412739 IP truncated-ip - 23 bytes missing! 10.10.10.253.27403 > 
10.10.10.1.57282: UDP, length: 17656
23:49:10.413854 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x38d)
23:49:10.414216 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x38e)
23:49:10.414507 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x38f)
23:49:10.414783 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x390)
23:49:10.415088 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x391)
23:49:10.612931 IP 10.10.10.253 > 10.10.10.1: ESP(spi=0x6b0bdfc2,seq=0x33c)
23:49:10.612931 IP truncated-ip - 23 bytes missing! 10.10.10.253.27403 > 
10.10.10.1.57282: UDP, length: 17656

Is this a new feature that is undocumented?  I've read all the 
documentation I can get my hands on.

Thanks,

Dan
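As an added example (not part of the post or of Openswan), the script below reads tcpdump text like the capture above and does two checks a defender would want from it: per-SPI ESP sequence monotonicity (the anti-replay property) and pairing of each plaintext line with an inbound ESP packet that carries the same timestamp. The pairing is an assumption made here, that such a line is the post-decryption copy of the ESP packet seen on the same interface; the sample is constructed from the post's output, with one duplicated sequence number added.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump lines in the post (wrapped lines
# rejoined); the last line is an added duplicate of seq 0x339 for the replay check.
SAMPLE = """\
23:49:09.867904 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x385)
23:49:10.011937 IP 10.10.10.253 > 10.10.10.1: ESP(spi=0x6b0bdfc2,seq=0x339)
23:49:10.011937 IP truncated-ip - 23 bytes missing! 10.10.10.253.27403 > 10.10.10.1.57282: UDP, length: 17656
23:49:10.012938 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x386)
23:49:10.013302 IP 10.10.10.1 > 10.10.10.253: ESP(spi=0x0760b878,seq=0x387)
23:49:10.212326 IP 10.10.10.253 > 10.10.10.1: ESP(spi=0x6b0bdfc2,seq=0x33a)
23:49:10.212326 IP truncated-ip - 23 bytes missing! 10.10.10.253.27403 > 10.10.10.1.57282: UDP, length: 17656
23:49:10.412739 IP 10.10.10.253 > 10.10.10.1: ESP(spi=0x6b0bdfc2,seq=0x339)
"""

ESP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
PLAIN_RE = re.compile(r"^(\S+) IP (?:truncated-ip - \d+ bytes missing! )?(\S+) > (\S+): (\w+)")

def analyze(text, local_ip):
    """Return per-SPI packet counts, ESP sequence anomalies, and plaintext lines that
    share a timestamp with an inbound ESP packet (assumed: the decrypted copy)."""
    per_spi, last_seq, inbound_ts = Counter(), {}, set()
    findings, decrypted = [], []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            ts, _src, dst, spi, seq_hex = m.groups()
            seq = int(seq_hex, 16)
            per_spi[spi] += 1
            prev = last_seq.get(spi)
            if prev is not None and seq <= prev:
                # ESP anti-replay: a repeated or lower sequence number on a known SA
                findings.append(f"replay/reorder on SPI 0x{spi}: seq 0x{seq:x} after 0x{prev:x}")
            elif prev is not None and seq != prev + 1:
                findings.append(f"gap on SPI 0x{spi}: seq 0x{prev:x} -> 0x{seq:x}")
            last_seq[spi] = max(prev or 0, seq)
            if dst == local_ip:          # inbound ESP: remember when it arrived
                inbound_ts.add(ts)
            continue
        m = PLAIN_RE.match(line)
        if m and m.group(1) in inbound_ts:
            # same timestamp as an inbound ESP packet: the post-decryption copy
            decrypted.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return {"per_spi": dict(per_spi), "findings": findings, "decrypted": decrypted}
```

Feed it `tcpdump -ni eth0` output saved to a file (with wrapped lines rejoined) and the gateway's own address as `local_ip`.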