[Openswan Users] Encapsulate IP packets using source address different from local host's IP address

Jianqing Zhang arrow.jianqing at gmail.com
Tue Feb 17 22:59:12 EST 2009

But the source IP of SA is still the local (real) one, isn't it? Is it
possible to use a "someip" in SA?
I have another question: if I configure both SPs and iptables, when an
IP packet is going out, which will process the packet first? SP or
iptables (netfilter) rules?

On Tue, Feb 17, 2009 at 4:56 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Tue, 17 Feb 2009, Jianqing Zhang wrote:
>> I configure SPs and SAs using "ip xfrm policy" and "ip xfrm state" for
>> outgoing IP packets on My purpose is to use SA whose
>> source IP is different from the local host.
>> SP:
>> src dst proto udp dport 5002
>> dir out priority 2080 ptype main
>> tmpl src dst
>> proto esp reqid 10199 mode tunnel
>> SA:
>> src dst
>> proto esp spi 0x43001999 reqid 10199 mode tunnel
>> replay-window 32
>> auth hmac(sha1) 0x470b8df161ce85b0ecf870540a78929a8cd9b953
>> enc cbc(aes) 0xfbd25327d46ca4714bda3dedc80e8b86
>> sel src dst proto udp dport 5002
>> However, when I try to send a UDP packet, I get the following error
>> message:
> Use IKE and automatic keying, instead of manual keying. You
> can use leftsubnet=someip/32 if it differs from your real ip.
> Paul
