[Openswan Users] Encapsulate IP packets using source address different from local host's IP address

Jianqing Zhang arrow.jianqing at gmail.com
Tue Feb 17 22:59:12 EST 2009


But the source IP of SA is still the local (real) one, isn't it? Is it
possible to use a "someip" in SA?
I have another question, if I configure both SPs and iptables, when an
IP packet is going out which will process the packet first? SP or
iptables (netfilters) rules?

On Tue, Feb 17, 2009 at 4:56 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Tue, 17 Feb 2009, Jianqing Zhang wrote:
>
>> I configure SPs and SAs using "ip xfrm policy" and "ip xfrm state" for
>> outgoing IP packets on 192.168.1.20. My purpose is to use SA whose
>> source IP is different from the local host.
>>
>> SP:
>> src 192.168.1.20/32 dst 224.0.0.4/32 proto udp dport 5002
>> dir out priority 2080 ptype main
>> tmpl src 192.168.1.254 dst 224.0.0.4
>> proto esp reqid 10199 mode tunnel
>>
>> SA:
>> src 192.168.1.254 dst 224.0.0.4
>> proto esp spi 0x43001999 reqid 10199 mode tunnel
>> replay-window 32
>> auth hmac(sha1) 0x470b8df161ce85b0ecf870540a78929a8cd9b953
>> enc cbc(aes) 0xfbd25327d46ca4714bda3dedc80e8b86
>> sel src 0.0.0.0/0 dst 0.0.0.0/0 proto udp dport 5002
>>
>> However, when I try to send a UDP packet, I get the following error
>> message:
>
> Use IKE and automatic keying, instead of manual keying. You
> can use leftsubnet=someip/32 if it differs from your real ip.
>
> Paul
>
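Added example (not part of the thread, and not Openswan code): a small consistency check over the text that "ip xfrm policy" and "ip xfrm state" print. For a tunnel-mode template the kernel looks for an SA whose src, dst, proto, reqid and mode all equal the template's, and the outer IP header of the ESP packet carries the SA's src; so the two things worth checking when a manually keyed SP/SA pair fails are (a) that an SA actually matches each outbound template and (b) whether the template's src is an address this host owns, since an outer source the host does not own is what upstream anti-spoofing filters drop. The sample output below is constructed from the SP and SA quoted above with the key material replaced by placeholders, and LOCAL_ADDRS is an assumed address list; on a real host you would feed the script the output of the two ip commands and the host's own addresses.

```python
"""Cross-check `ip xfrm policy` templates against `ip xfrm state` entries.

Constructed sample input modelled on the SP/SA in the thread; keys are
placeholders, and LOCAL_ADDRS is an assumption for the sake of the example.
"""

# Constructed sample: `ip xfrm policy` output (indentation as ip prints it).
POLICY_OUTPUT = """\
src 192.168.1.20/32 dst 224.0.0.4/32 proto udp dport 5002
\tdir out priority 2080 ptype main
\ttmpl src 192.168.1.254 dst 224.0.0.4
\t\tproto esp reqid 10199 mode tunnel
"""

# Constructed sample: `ip xfrm state` output; key material replaced by placeholders.
STATE_OUTPUT = """\
src 192.168.1.254 dst 224.0.0.4
\tproto esp spi 0x43001999 reqid 10199 mode tunnel
\treplay-window 32
\tauth hmac(sha1) 0xAUTHKEYPLACEHOLDER
\tenc cbc(aes) 0xENCKEYPLACEHOLDER
\tsel src 0.0.0.0/0 dst 0.0.0.0/0 proto udp dport 5002
"""

# Assumed: the addresses configured on this host (the thread's host is 192.168.1.20).
LOCAL_ADDRS = {"192.168.1.20"}

# Lines that carry "<keyword> <algorithm> <key>"; only the algorithm name is kept.
KEYED_ALGS = ("auth", "auth-trunc", "enc", "aead", "comp")

# Fields that must agree between an outbound template and an SA (exact match,
# which is what the tunnel-mode template in the thread needs).
TMPL_KEYS = ("src", "dst", "proto", "reqid", "mode")


def _pairs(tokens):
    """['src', 'a', 'dst', 'b'] -> {'src': 'a', 'dst': 'b'}; a trailing odd token is ignored."""
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def _records(text):
    """Split ip xfrm output into records; each record starts at a line whose first token is 'src'.

    Indentation is not relied on, so text pasted into mail with tabs stripped still parses.
    """
    records, current = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "src":
            current = [tokens]
            records.append(current)
        elif current is not None:
            current.append(tokens)
    return records


def parse_policies(text):
    """Return a list of policies: {'sel': {...}, 'dir': ..., 'tmpls': [{src, dst, proto, reqid, mode}, ...]}."""
    policies = []
    for rec in _records(text):
        pol = {"sel": _pairs(rec[0]), "tmpls": []}
        target = pol  # lines before the first 'tmpl' describe the policy itself
        for tokens in rec[1:]:
            if tokens[0] == "tmpl":
                tmpl = _pairs(tokens[1:])
                pol["tmpls"].append(tmpl)
                target = tmpl  # following lines (proto/reqid/mode) belong to this template
            else:
                target.update(_pairs(tokens))
        policies.append(pol)
    return policies


def parse_states(text):
    """Return a list of SAs: outer src/dst plus proto, spi, reqid, mode, algs and sel."""
    states = []
    for rec in _records(text):
        st = _pairs(rec[0])
        st["algs"] = {}
        for tokens in rec[1:]:
            if tokens[0] in KEYED_ALGS:
                st["algs"][tokens[0]] = tokens[1]  # algorithm only; key bytes are dropped
            elif tokens[0] == "sel":
                st["sel"] = _pairs(tokens[1:])
            else:
                st.update(_pairs(tokens))
        states.append(st)
    return states


def check_policies(policies, states, local_addrs):
    """For every outbound template report whether an SA matches it and whether
    the template's src (the outer source address of the ESP packet) is local."""
    findings = []
    for pol in policies:
        if pol.get("dir") != "out":
            continue
        for tmpl in pol["tmpls"]:
            matching = [s for s in states if all(s.get(k) == tmpl.get(k) for k in TMPL_KEYS)]
            findings.append({
                "selector": pol["sel"],
                "tmpl": tmpl,
                "has_sa": bool(matching),
                "spis": [s.get("spi") for s in matching],
                "src_is_local": tmpl.get("src") in local_addrs,
            })
    return findings


if __name__ == "__main__":
    for f in check_policies(parse_policies(POLICY_OUTPUT), parse_states(STATE_OUTPUT), LOCAL_ADDRS):
        print(f"selector {f['selector']} -> tmpl {f['tmpl']}: "
              f"SA present={f['has_sa']} spis={f['spis']} outer src local={f['src_is_local']}")
```

With the sample input the SA does match the template (same src, dst, proto, reqid and mode), so the policy itself is consistent; the finding the script raises is that the outer source 192.168.1.254 is not a local address, which is the point Paul's suggestion of IKE with leftsubnet=someip/32 (inner selector, outer header still the real IP) addresses. Changing the reqid on either side makes has_sa go false, which is the other common cause of an outbound packet finding no state.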

