[Openswan Users] Wrap (tunnel) IP packets into IPsec packets with different src/dst address

Jianqing Zhang arrow.jianqing at gmail.com
Sat Feb 7 15:14:13 EST 2009


I'm using "ip xfrm policy" and "ip xfrm state" to configure an IPsec
tunnel manually. My goal is to have the sender wrap IP packets with a
different source address which is known to all hosts on the LAN, say
192.168.1.224, and a multicast destination address, say 224.0.0.4. For
example, suppose the two hosts' IP addresses are 192.168.1.20 and
192.168.1.21; can I get the following configuration to work?

-------------------SPs on 192.168.1.20---------------------
src 192.168.1.0/24 dst 224.0.0.4/32
	dir in priority 2080 ptype main
	tmpl src 192.168.1.224 dst 224.0.0.4
		proto esp reqid 10599 mode tunnel
src 192.168.1.20/32 dst 224.0.0.4/32
	dir out priority 2080 ptype main
	tmpl src 192.168.1.224 dst 224.0.0.4
		proto esp reqid 10199 mode tunnel

-------------------SAs on 192.168.1.20---------------------
src 192.168.1.224 dst 224.0.0.4
	proto esp spi 0x43005999 reqid 10599 mode tunnel
	replay-window 32
	auth hmac(sha1) 0x0d18bacbe9bc71754315429ad68363a329364393
	enc cbc(aes) 0x689f2d7fe734678adeac2f27b48b67af
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.1.224 dst 224.0.0.4
	proto esp spi 0x43001999 reqid 10199 mode tunnel
	replay-window 32
	auth hmac(sha1) 0x470b8df161ce85b0ecf870540a78929a8cd9b953
	enc cbc(aes) 0xfbd25327d46ca4714bda3dedc80e8b86
	sel src 0.0.0.0/0 dst 0.0.0.0/0

-------------------SPs on 192.168.1.21---------------------

src 192.168.1.0/24 dst 224.0.0.4/32
        dir in priority 2080 ptype main
        tmpl src 192.168.1.224 dst 224.0.0.4
                proto esp reqid 10199 mode tunnel
src 192.168.1.21/32 dst 224.0.0.4/32
        dir out priority 2080 ptype main
        tmpl src 192.168.1.224 dst 224.0.0.4
                proto esp reqid 10599 mode tunnel

------------------ SAs on 192.168.1.21 ------------------
src 192.168.1.224 dst 224.0.0.4
        proto esp spi 0x43005999 reqid 10599 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x0d18bacbe9bc71754315429ad68363a329364393
        enc cbc(aes) 0x689f2d7fe734678adeac2f27b48b67af
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.1.224 dst 224.0.0.4
        proto esp spi 0x43001999 reqid 10199 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x470b8df161ce85b0ecf870540a78929a8cd9b953
        enc cbc(aes) 0xfbd25327d46ca4714bda3dedc80e8b86
        sel src 0.0.0.0/0 dst 0.0.0.0/0

Thanks!
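As an added example (not part of the original post or of Openswan), the following Python parses `ip xfrm policy` and `ip xfrm state` output in the format shown above and reports policy templates that have no SA agreeing on outer src, outer dst, proto, reqid and mode, which are the fields that must line up for the kernel to pick an SA for a template. The sample dumps are constructed from the 192.168.1.20 blocks in the post with the key material left out.

```python
import re

# Constructed sample of `ip xfrm policy` / `ip xfrm state` output, copied from the
# 192.168.1.20 dumps in the post; key material left out because the check ignores it.
POLICY_DUMP = """\
src 192.168.1.0/24 dst 224.0.0.4/32
	dir in priority 2080 ptype main
	tmpl src 192.168.1.224 dst 224.0.0.4
		proto esp reqid 10599 mode tunnel
src 192.168.1.20/32 dst 224.0.0.4/32
	dir out priority 2080 ptype main
	tmpl src 192.168.1.224 dst 224.0.0.4
		proto esp reqid 10199 mode tunnel
"""
STATE_DUMP = """\
src 192.168.1.224 dst 224.0.0.4
	proto esp spi 0x43005999 reqid 10599 mode tunnel
	replay-window 32
src 192.168.1.224 dst 224.0.0.4
	proto esp spi 0x43001999 reqid 10199 mode tunnel
	replay-window 32
"""
POLICY_RE = re.compile(r"src (\S+) dst (\S+).*?dir (\w+).*?tmpl src (\S+) dst (\S+) "
                       r"proto (\w+) reqid (\d+) mode (\w+)")
STATE_RE = re.compile(r"src (\S+) dst (\S+) proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")

def records(dump):
    """Join each multi-line record (one starts at every unindented line) into one string."""
    recs = []
    for line in dump.splitlines():
        if line and not line[0].isspace():
            recs.append([])
        if line.strip():
            recs[-1].append(line.strip())
    return [" ".join(r) for r in recs]

def parse(dump, regex, fields):
    return [dict(zip(fields, m.groups())) for r in records(dump) if (m := regex.match(r))]

def policies(dump):
    return parse(dump, POLICY_RE, ["sel_src", "sel_dst", "dir", "src", "dst", "proto", "reqid", "mode"])

def states(dump):
    return parse(dump, STATE_RE, ["src", "dst", "proto", "spi", "reqid", "mode"])

def unmatched_templates(pols, sas):
    """Templates with no SA agreeing on outer src/dst, proto, reqid and mode. With the
    default template level (required) the kernel drops such traffic instead of sending it in clear."""
    have = {(s["src"], s["dst"], s["proto"], s["reqid"], s["mode"]) for s in sas}
    return [p for p in pols if (p["src"], p["dst"], p["proto"], p["reqid"], p["mode"]) not in have]
```

Run the same check on the 192.168.1.21 dumps to confirm that its "in" template reqid matches the peer's "out" SA and vice versa; a template whose reqid matches no SA is the usual reason traffic silently stops.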

