[Openswan Users]
ipsec problem after kernel upgrade from 2.6.8 to 2.6.10
jan svatos
rpev at seznam.cz
Wed Apr 19 08:36:39 CEST 2006
Hello, I have the following problem. After an upgrade to kernel 2.6.10
(old kernel was 2.6.8) the ipsec tunnels are broken.
Configuration of ipsec is the same, ipsec tunnels look good,
but if I try ping, I don't receive a reply. The reply packets are lost
somewhere in the kernel now.
I think I have found the solution -
"Since Linux 2.6.10-rcX. packets from a tunnel-mode SA are dropped if
no policy exists. You most likely only have an input policy, but no
forward policy. If you use setkey to configure your policies,
duplicate the input policy and replace '-P in' with '-P fwd'. If you
let racoon generate the policy you need to upgrade to the latest
version. pluto should already get it right." -
but I don't know how to do it using openswan.
Thank you for your help,
Petr
111.111.111.111# ping 222.222.222.222
13 packets transmitted, 0 received, 100% packet loss, time 12013ms
#eth1 is the public interface - 111.111.111.111
#everything looks ok
111.111.111.111# tcpdump -i eth1
13:48:39.061865 IP 111.111.111.111 > 222.222.222.222:
ESP(spi=0x9957c26e,seq=0x1)
13:48:39.062173 IP 222.222.222.222 > 111.111.111.111:
ESP(spi=0xffa07b82,seq=0x1)
13:48:39.062173 IP 222.222.222.222 > 111.111.111.111: icmp 64: echo reply seq 1
13:48:40.061934 IP 111.111.111.111 > 222.222.222.222:
ESP(spi=0x9957c26e,seq=0x2)
13:48:40.062217 IP 222.222.222.222 > 111.111.111.111:
ESP(spi=0xffa07b82,seq=0x2)
13:48:40.062217 IP 222.222.222.222 > 111.111.111.111: icmp 64: echo reply seq 2
#I have a host-to-host configuration - openswan:
#ipsec.conf:
..
conn testing_conn
	keyingtries=0
	authby=secret
	left=111.111.111.111
	right=222.222.222.222
	auto=start
	auth=esp
	disablearrivalcheck=yes
	rekey=yes
	compress=no
	keylife=20m
..
111.111.111.111# ipsec whack --status
.....
000 "testing_conn": 111.111.111.111...222.222.222.222; erouted; eroute owner:#13
000 "testing_conn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "testing_conn": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "testing_conn": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+UP; prio: 32,32; interface: eth1;
000 "testing_conn": newest ISAKMP SA: #10; newest IPsec SA: #13;
000 "testing_conn": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
.....
000 #13: "testing_conn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 488s; newest IPSEC; eroute owner
000 #13: "testing_conn" esp.9957c272 at 222.222.222.222 esp.854cb341 at 111.111.111.111 tun.0 at 222.222.222.222 tun.0 at 111.111.111.111
000 #11: "testing_conn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 186s
000 #11: "testing_conn" esp.9957c26e at 222.222.222.222 esp.ffa07b82 at 111.111.111.111 tun.0 at 222.222.222.222 tun.0 at 111.111.111.111
000 #10: "testing_conn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2312s; newest ISAKMP; nodpd
000 #8: "testing_conn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 142s
000 #8: "testing_conn" esp.9957c26d at 222.222.222.222 esp.84a39351 at 111.111.111.111 tun.0 at 222.222.222.222 tun.0 at 111.111.111.111
000 #4: "testing_conn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1751s; nodpd
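An added example, not from Petr's post and not Openswan's own tooling: the setkey-based workaround the quoted advice describes, as a small shell helper that appends a '-P fwd' copy of every tunnel-mode '-P in' spdadd line while leaving existing forward policies alone. The policy lines in sample_spd are constructed from the two addresses in the post and only assume the plain setkey spdadd syntax.

```shell
#!/bin/sh
# Added example: duplicate setkey input policies as forward policies,
# which is what the "-P in" -> "-P fwd" advice above asks for.

# Constructed sample SPD: host-to-host tunnel with in/out policies only,
# the situation the quoted advice says breaks on 2.6.10 (no fwd policy).
sample_spd() {
	cat <<'EOF'
spdadd 222.222.222.222 111.111.111.111 any -P in ipsec esp/tunnel/222.222.222.222-111.111.111.111/require;
spdadd 111.111.111.111 222.222.222.222 any -P out ipsec esp/tunnel/111.111.111.111-222.222.222.222/require;
EOF
}

# Read setkey policy text on stdin, print it unchanged, then print a
# "-P fwd" twin of each "-P in" spdadd that is not already present.
# Running it twice over its own output adds nothing (idempotent).
add_fwd_policies() {
	policies=$(cat)
	printf '%s\n' "$policies"
	printf '%s\n' "$policies" | grep '^spdadd .* -P in ' | while IFS= read -r line; do
		fwd=$(printf '%s\n' "$line" | sed 's/ -P in / -P fwd /')
		# Skip when an identical forward policy already exists.
		if ! printf '%s\n' "$policies" | grep -qxF -- "$fwd"; then
			printf '%s\n' "$fwd"
		fi
	done
}

# Count forward policies in policy text given on stdin.
count_fwd() {
	grep -c ' -P fwd ' || true
}

# Stand-alone run: show the sample SPD with its forward policies added.
sample_spd | add_fwd_policies
```

Feed the result to `setkey -f` and confirm with `setkey -DP` that each tunnel now has in, out and fwd entries.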