[Openswan Users] ipsec problem after kernel upgrade from 2.6.8 to 2.6.10

jan svatos rpev at seznam.cz
Wed Apr 19 08:36:39 CEST 2006

 Hello, I have the following problem. After an upgrade to kernel 2.6.10
 (the old kernel was 2.6.8) the ipsec tunnels are broken.
 The ipsec configuration is the same and the ipsec tunnels look good,
 but if I try to ping, I don't receive a reply. The reply packets are lost
 somewhere in the kernel now.
 I think I have found the solution:
  "Since Linux 2.6.10-rcX. packets from a tunnel-mode SA are dropped if
  no policy exists. You most likely only have an input policy, but no
  forward policy. If you use setkey to configure your policies,
  duplicate the input policy and replace '-P in' with '-P fwd'. If you
  let racoon generate the policy you need to upgrade to the latest
  version. pluto should already get it right." -
 but I don't know how to do it using openswan.
 Thank you for your help,
 Petr

 ping
 13 packets transmitted, 0 received, 100% packet loss, time 12013ms
 # eth1 is the public interface
 # everything looks ok: tcpdump -i eth1
 13:48:39.061865 IP >
 13:48:39.062173 IP >
 13:48:39.062173 IP > icmp 64: echo reply seq 1
 13:48:40.061934 IP >
 13:48:40.062217 IP >
 13:48:40.062217 IP > icmp 64: echo reply seq 2
 # I have a host-to-host configuration - openswan:
 conn testing_conn
 .. ipsec whack --status
 000 "testing_conn":; erouted; eroute owner:#13
 000 "testing_conn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
 000 "testing_conn": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
 000 "testing_conn": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+UP; prio: 32,32; interface: eth1;
 000 "testing_conn": newest ISAKMP SA: #10; newest IPsec SA: #13;
 000 "testing_conn": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
 000 #13: "testing_conn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 488s; newest IPSEC; eroute owner
 000 #13: "testing_conn" esp.9957c272@ esp.854cb341@ tun.0@ tun.0@
 000 #11: "testing_conn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 186s
 000 #11: "testing_conn" esp.9957c26e@ esp.ffa07b82@ tun.0@ tun.0@
 000 #10: "testing_conn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2312s; newest ISAKMP; nodpd
 000 #8: "testing_conn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 142s
 000 #8: "testing_conn" esp.9957c26d@ esp.84a39351@ tun.0@ tun.0@
 000 #4: "testing_conn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1751s; nodpd
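The quoted note describes the setkey fix ("duplicate the input policy and replace '-P in' with '-P fwd'") but does not show it. The following is an added example, not part of the original post and not openswan's or pluto's own code; it shows what the duplicated policy looks like for a host-to-host tunnel like the one above. The addresses (192.0.2.1 as this host, 198.51.100.1 as the peer) and the policy script are constructed for illustration, and the script only builds the text that would be piped into `setkey -c`; it does not touch the kernel SPD itself.

```shell
#!/bin/sh
# Added example (not from the original post): derive the "-P fwd" policies
# that the quoted note asks for from a setkey script that only has
# "-P in" / "-P out" entries. Addresses below are constructed.

# Constructed setkey policy script for a host-to-host ESP tunnel between
# 192.0.2.1 (this host) and 198.51.100.1 (peer). Only in/out policies,
# i.e. the situation the quoted note says breaks on 2.6.10-rcX and later.
SAMPLE_POLICY='
flush;
spdflush;
spdadd 198.51.100.1 192.0.2.1 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
'

# Read a setkey script on stdin and emit one "-P fwd" line for every
# "spdadd ... -P in ..." line, leaving the selector and the ESP tunnel
# endpoints exactly as they were (the fwd policy must match the same
# inbound SA as the in policy).
derive_fwd_policies() {
    sed -n 's/^\(spdadd .*\)-P[[:space:]]\{1,\}in[[:space:]]/\1-P fwd /p'
}

# Full script: the original lines, then the derived fwd policies, so the
# result can be fed to `setkey -c` as a drop-in replacement for the old one.
with_fwd_policies() {
    printf '%s\n' "$SAMPLE_POLICY"
    printf '%s\n' "$SAMPLE_POLICY" | derive_fwd_policies
}

# Sanity check: number of fwd policies produced from the sample script.
count_fwd() {
    printf '%s\n' "$SAMPLE_POLICY" | derive_fwd_policies | grep -c 'P fwd'
}

# Print the resulting policy script; apply with: with_fwd_policies | setkey -c
with_fwd_policies
```

The derived line keeps the same selector (peer to local host, `any` protocol) and the same `esp/tunnel/peer-local/require` entry as the `in` policy; only the direction changes. Whether an openswan installation needs this depends on which stack installs the policies, and the quoted note says pluto should already install the correct set, so the output of `setkey -DP` on the upgraded kernel is the place to check which of `in`, `out` and `fwd` are actually present before adding anything by hand.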

