[Openswan Users] Question distinguishing traffic using protoport
Phillip Reeves
preeves1 at gmail.com
Sat Feb 21 16:29:39 EST 2009
Paul,
Thanks for the reply. I attempted to use the %any before and I have always
received an error when attempting to bring a connection up. I just tried
modifying my allow-ssh connection and this is what happens...
[root at oswan2 etc]# ipsec auto --up allow-ssh
031 "allow-ssh": cannot initiate connection with ID wildcards
(kind=CK_TEMPLATE)
but if I change it back to /0 the vpn establishes.
I brought up allow-ssh and did the ip xfrm commands
oswan1 is .216
oswan2 is .217
*[root at oswan2 etc]# ip xfrm policy*
src 192.168.100.216/32 dst 192.168.100.217/32 proto tcp
dir in priority 2080
tmpl src 192.168.100.216 dst 192.168.100.217
proto esp reqid 16385 mode tunnel
src 192.168.100.217/32 dst 192.168.100.216/32 proto tcp
dir out priority 2080
tmpl src 192.168.100.217 dst 192.168.100.216
proto esp reqid 16385 mode tunnel
src 192.168.100.216/32 dst 192.168.100.217/32 proto tcp
dir fwd priority 2080
tmpl src 192.168.100.216 dst 192.168.100.217
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
*[root at oswan2 etc]# ip xfrm state*
src 192.168.100.216 dst 192.168.100.217
proto esp spi 0x7fdd92ef reqid 16385 mode tunnel
replay-window 32
auth hmac(sha1) 0x4cac01e0d24621e98ccab2e98708a7695f6ec18d
enc cbc(des3_ede) 0x33b86f0df54893ba274223c2f49d0abf195036468c3b9f52
src 192.168.100.217 dst 192.168.100.216
proto esp spi 0x9c8fe2ce reqid 16385 mode tunnel
replay-window 32
auth hmac(sha1) 0xaa044f5d1539a7f37f40d56d3298b5f0a6150e94
enc cbc(des3_ede) 0x474d49c0ec4811fb60b639e3d26b68e01eac01135a4b066c
also when I run *ipsec auto --status* for this connection I see
000 "allow-ssh":
192.168.100.217<192.168.100.217>[@oswan2,+S=C]:6/22...192.168.100.216<192.168.100.216>[@oswan1,+S=C]:6/0;
erouted; eroute owner: #2
Maybe this info will help.
Phillip
On Sat, Feb 21, 2009 at 2:45 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Sat, 21 Feb 2009, Phillip Reeves wrote:
>
>> I would like to be able to have traffic using specific ports use different
>> SA's similar to this post:
>>
>> https://lists.strongswan.org/pipermail/users/2008-October/002854.html
>>
>> I have two boxes running rhel 5.2 and openswan 2.6.20 in a private lab
>> using netkey protostack. Similar to the post above I would like to
>> have traffic using tcp/22 use a set of SA's and tcp/23 use a set of SA's.
>>
>> Below is part of my ipsec.conf file to get this working
>>
>> conn allow-sshyeah
>> phase2alg=null-sha1-96
>> leftprotoport=6/22
>> rightprotoport=6/0
>> also=vpn-test
>>
>> conn allow-telnet
>> phase2alg=3des-sha1-96
>> leftprotoport=6/23
>> rightprotoport=6/0
>> also=vpn-test
>>
>
>> No matter what we try when attempting to distinguish traffic of the same
>> protocol (whether udp or tcp), the traffic ends up using the same
>> set of SA's. However, I can get the traffic to use different SA's if I
>> break up the traffic using ICMP, TCP and UDP rules in my ipsec.conf
>> file as below...
>>
>
> Can you check with xfrm show policy and xfrm show state to see if the
> policies
> are right and the kernel is wrong, or whether the policy is wrong and the
> kernel
> is right?
>
> Also, instead of /0 what happens if you use /%any
>
> Paul
>
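One way to answer Paul's "is the policy wrong or the kernel wrong" question is to inspect the installed selectors directly. The following Python is an added example, not code from the thread or from Openswan: it parses `ip xfrm policy` output and lists the tunnel policies that select a protocol but carry neither a sport nor a dport matching the port the conn asked for (here leftprotoport=6/22). The sample text is constructed from the listing posted above.

```python
import re

# Sample `ip xfrm policy` output, constructed from the listing in the post:
# the tunnel policies say "proto tcp" but carry no "sport"/"dport" selector.
SAMPLE_POLICY_OUTPUT = """\
src 192.168.100.216/32 dst 192.168.100.217/32 proto tcp
        dir in priority 2080
        tmpl src 192.168.100.216 dst 192.168.100.217
                proto esp reqid 16385 mode tunnel
src 192.168.100.217/32 dst 192.168.100.216/32 proto tcp
        dir out priority 2080
        tmpl src 192.168.100.217 dst 192.168.100.216
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 0
"""

# Selector line as printed by `ip xfrm policy`: ports appear only when non-zero.
SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)


def parse_xfrm_policy(text):
    """Group `ip xfrm policy` output into one dict per policy (selector, dir, reqids)."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            pol = SELECTOR_RE.match(line).groupdict()
            pol["sport"] = int(pol["sport"] or 0)   # 0 means "any port"
            pol["dport"] = int(pol["dport"] or 0)
            pol["reqids"] = []                      # filled from tmpl lines
            policies.append(pol)
        elif line.startswith("dir "):
            fields = line.split()
            policies[-1]["dir"] = fields[1]
            policies[-1]["priority"] = int(fields[3])
        elif line.startswith("proto "):             # tmpl detail: proto esp reqid N ...
            policies[-1]["reqids"].append(int(re.search(r"reqid (\d+)", line).group(1)))
    return policies


def policies_missing_port(policies, proto, port):
    """Tunnel policies that select `proto` in either direction without `port`.

    Such a policy matches all traffic of that protocol, so two conns that only
    differ by port would both be steered into the same SA."""
    return [p for p in policies
            if p["reqids"] and p["proto"] == proto
            and port not in (p["sport"], p["dport"])]
```

Run against the real output with `ip xfrm policy | python3 -c '...'` on the gateway; an empty result for port 22 means the kernel selectors really do carry the port and the problem lies elsewhere.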