[Openswan Users] Kernel 2.6 and ipsec0 - Where is interface ?

Paul Hampson Paul.Hampson at PObox.com
Fri Jun 24 00:52:17 CEST 2005


On Thu, Jun 23, 2005 at 08:36:13AM -0300, davi at jvsinfo.com.br wrote:
> Hello people !!

> Recently i migrate freeswan + kernel 2.4 to openswan + kernel 2.6. In my 
> setup i need to use ipsec0 for propler routing, but when i configure 
> openwan, i got the tunnel but not see this interface (ipsec0). Where is 
> she ? what is wrong ? This interface will not exist because k 2.6 are 
> native ipsec ?

The native linux 2.6 ipsec stack doesn't have ipsec0, instead the
packets pass through iptables twice, once for the ipsec-encapsulated
packet, and once after deencapsulation.

Your choices are either compiling KLIPS for 2.6 (which I think is
still experimental?) or used the policy database to control what
gets through to the network stack, with either iproute2 or setkey.

For example, here's the script I use on my wlan ipsec link:
#! /bin/sh
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 67 dport 67 dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 500 dport 500 dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto icmp dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 dir in action block priority 50000

ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto udp sport 67 dport 67 dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto udp sport 500 dport 500 dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto icmp dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 dir out action block priority 50000

ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 67 dport 67 dir fwd priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 500 dport 500 dir fwd priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 dir fwd action block priority 50000

It basically enables input, output and transition for port 67 (DHCP) port 500
(pluto) and ICMP, and drops everything else. When you connect to pluto and
negotiate ipsec, it adds to the above rules to allow your IPsec'd connection to
come in, which is why there's no ipsec policy above.

This means iptables is completely unaware of any ipsec in use. I like this
interface myself, others prefer having an ipsec0 device and using iptables.

Anyway, I hope that helps your transition to kernel 2.6, no matter which
ipsec stack you choose.

-- 
Paul "TBBle" Hampson, on an alternate email client.


More information about the Users mailing list