[Openswan Users] Openswan: ip xfrm policy shows different data than /etc/ipsec.conf

Paul Wouters paul at xelerance.com
Thu Jan 31 06:14:14 EST 2008


On Thu, 31 Jan 2008, Ian Brown wrote:

>         type=tunnel
>         auth=esp
>
>         type=tunnel
>         auth=ah

> As you can see, the only difference besides the connection name is the auth type
> (esp in the first and ah in the second) and the ip of the right side.
>
> After I start the ipsec service, I run:
>
> ip xfrm policy show
> and I get:
>
> src 10.0.0.1/32 dst 10.1.0.3/32
>         dir out priority 2080 ptype main
>         tmpl src 0.0.0.0 dst 0.0.0.0
>                 proto esp reqid 0 mode transport
> src 10.0.0.1/32 dst 10.1.0.2/32
>         dir out priority 2080 ptype main
>         tmpl src 0.0.0.0 dst 0.0.0.0
>                 proto esp reqid 0 mode transport
> src ::/0 dst ::/0
>         dir in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir in priority 0 ptype main
> ...
> ...
> ...
>
> My question is: why do we see "proto esp" in both policies, whereas
> I have "auth=ah" in the second?
> Why do we see "mode transport" in both "tmpl" (template) lines of these
> two policies, whereas I have "type=tunnel" in both connections in this
> /etc/ipsec.conf file?

I know the "transport" issue happened with earlier openswans. Can you
try and build 2.4.11 (there is a spec file in packaging/fedora/ to build
rpms)?

AH mode (as well as manual keying) is not very well tested or maintained,
because no one (including the developers) ever uses these modes.

Paul
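The underlying check Ian was doing by eye, comparing what the kernel actually installed against what the conn definitions asked for, is worth automating: a policy that ends up as transport mode or ESP when the config said tunnel or AH is exactly the kind of silent mismatch that leaves traffic less protected than intended. The script below is an added example, not code from the post or from Openswan. It parses `ip xfrm policy show` output in the format quoted above (the sample text is constructed from the quoted lines) and compares each managed policy against a hypothetical `EXPECTED` table standing in for the settings declared in /etc/ipsec.conf; `parse_xfrm_policies`, `find_mismatches` and `EXPECTED` are names chosen here, not Openswan or iproute2 APIs.

```python
"""Cross-check `ip xfrm policy show` output against the settings a conn was
supposed to install. Added example, not from the mailing-list post or from
the Openswan project."""
import re
import subprocess

# Constructed sample: the two outbound policies quoted in the post plus the
# two catch-all inbound policies (no tmpl lines).
SAMPLE_XFRM_OUTPUT = """\
src 10.0.0.1/32 dst 10.1.0.3/32
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 10.0.0.1/32 dst 10.1.0.2/32
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src ::/0 dst ::/0
        dir in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 0 ptype main
"""

# Hypothetical expectation table derived from the two conns in the post:
# both type=tunnel, one auth=esp, the other auth=ah. In practice this would
# be generated from /etc/ipsec.conf.
EXPECTED = {
    ("10.0.0.1/32", "10.1.0.2/32", "out"): {"proto": "esp", "mode": "tunnel"},
    ("10.0.0.1/32", "10.1.0.3/32", "out"): {"proto": "ah", "mode": "tunnel"},
}

_SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")
_DIR_RE = re.compile(r"^dir (\S+) priority (\d+)")
_PROTO_RE = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy show` text into a list of policy dicts.

    Each dict has src, dst, dir, priority and a tmpls list of
    {proto, reqid, mode} entries (empty for policies without a template).
    """
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SEL_RE.match(line)          # selector line starts a new policy
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "priority": None, "tmpls": []}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = _DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        if line.startswith("tmpl "):      # template header; details follow
            cur["tmpls"].append({"proto": None, "reqid": None, "mode": None})
            continue
        m = _PROTO_RE.match(line)
        if m and cur["tmpls"]:
            cur["tmpls"][-1].update(proto=m.group(1), reqid=int(m.group(2)),
                                    mode=m.group(3))
    return policies


def find_mismatches(policies, expected):
    """Return (src, dst, dir, field, wanted, actual) tuples for every managed
    policy whose template differs from the expectation, plus an entry for each
    expected policy the kernel does not have at all."""
    problems, seen = [], set()
    for p in policies:
        key = (p["src"], p["dst"], p["dir"])
        want = expected.get(key)
        if want is None:                 # catch-all / unmanaged policies
            continue
        seen.add(key)
        if not p["tmpls"]:
            problems.append(key + ("tmpl", "present", "missing"))
            continue
        for t in p["tmpls"]:
            for field in ("proto", "mode"):
                if t[field] != want[field]:
                    problems.append(key + (field, want[field], t[field]))
    for key in expected:
        if key not in seen:
            problems.append(key + ("policy", "installed", "missing"))
    return problems


def live_xfrm_output():
    """Fetch the real kernel policy table (requires iproute2 and privileges)."""
    return subprocess.run(["ip", "xfrm", "policy", "show"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for problem in find_mismatches(parse_xfrm_policies(SAMPLE_XFRM_OUTPUT), EXPECTED):
        print("MISMATCH src=%s dst=%s dir=%s %s: wanted %s, kernel has %s" % problem)
```

Run against the constructed sample it reports three mismatches: the 10.1.0.3 policy has the wrong proto (esp instead of ah) and the wrong mode, and the 10.1.0.2 policy has the wrong mode (transport instead of tunnel). Swap `SAMPLE_XFRM_OUTPUT` for `live_xfrm_output()` to check a running host, and treat any non-empty result as a reason not to trust that the traffic is protected the way the config says.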

