[Openswan Users] IPSEC Pluto + Allow Unencrypted packets

shobhit shingla coolshobhit7 at gmail.com
Fri Jul 31 01:19:28 EDT 2009


Hi Paul,

Thanks for the reply.

My IPsec server has two IPs: one on the WAN side, 61.246.2.100, and the other
on the LAN side, 192.168.1.1.

The tunnel is created between the two WAN-side IPs.


Also, the packet arrives encrypted but gets decrypted at the fast-path level
of the network processor, so when the packet reaches the Linux stack it is
already unencrypted.

Does this unencrypted packet get dropped because IPsec expects traffic between
these two subnets to be encrypted?


Regards,


Shobhit



On Fri, Jul 31, 2009 at 12:10 AM, Paul Wouters <paul at xelerance.com> wrote:

>  On Thu, 30 Jul 2009, shobhit shingla wrote:
>
>> I am using openswan in my network processor.
>> The problem is that the network processor performs the decryption in the fast path,
>> so if the packet is for a local IP, the decrypted packet is injected into the
>> Linux stack.
>> But I think IPsec is rejecting the decrypted packet in my kernel.
>>
>> This is my scenario:
>>
>>   Linux machine                                    Network processor
>>   LAN 193.168.10.1                                 LAN 192.168.1.1
>>   193.168.10.0/24 ---- 61.246.5.100 ============== 61.246.2.100 ---- 192.168.1.0/24
>>
>> ipsec.conf on Network processor
>> leftIP = 61.246.2.100
>> leftSubnet = 192.168.1.0/24
>> rightIP = 61.246.5.100
>> rightSubnet = 193.168.10.0/24
>> ike= 3des-sha1
>> auto = add
>> authby = secret
>>
>> The tunnel is created successfully.
>>
>> If I ping from, say, 193.168.10.2 to 192.168.1.2, all works fine.
>>
>> But when I ping 192.168.1.1 from any right-subnet IP, the ESP packet is
>> decrypted in the fast path, so the Linux stack receives the
>> decrypted packet. But somehow that packet is lost.
>>
>
> Is your ipsec server 192.168.1.1? If so, add leftsourceip=192.168.1.1
>
>> Is IPsec rejecting the unencrypted packet?
>>
>
> It should not in this case, as it came in encrypted according to you. I would
> verify that you have the right sysctl settings:
>
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
>
> Paul
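Paul's reply lists the sysctl values to verify before suspecting IPsec of dropping the fast-path-decrypted packets. The following script is an added example, not code from the thread or from Openswan: it compares `sysctl -a` style output against the six settings Paul listed and reports anything missing or mismatched, using a constructed sample dump so it can be run offline (the `EXPECTED` list and the `SAMPLE` dump are assumptions made for this example, not taken from the poster's box).

```shell
#!/bin/sh
# Added example (not from the thread): check a sysctl dump against the
# settings Paul recommended for an IPsec gateway. Reads "key = value"
# lines on stdin, as printed by `sysctl -a`, so it also works on a saved dump.

# The six settings from Paul's reply, one "key=value" per line.
EXPECTED='net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0'

# check_sysctls: read sysctl output on stdin, print one line per missing or
# mismatched key, and return the number of problems found (0 = all good).
check_sysctls() {
    bad=0
    # Normalise "key = value" into "key=value" so both styles are accepted.
    actual=$(sed -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*$//')
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        # Exact key match; the first occurrence wins.
        have=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $val)"
            bad=$((bad + 1))
        elif [ "$have" != "$val" ]; then
            echo "MISMATCH $key = $have (want $val)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample dump (assumption for this example): rp_filter is still
# on, and default.accept_redirects is absent from the dump altogether.
SAMPLE='net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0'

problems=0
printf '%s\n' "$SAMPLE" | check_sysctls || problems=$?
echo "problems found: $problems"

# Live check on the gateway itself:
#   sysctl -a 2>/dev/null | check_sysctls
```

With rp_filter=1 the kernel applies reverse-path filtering to the decrypted packet, which is exactly the kind of silent drop the poster describes, so the mismatch report is the first thing to look at before changing the IPsec configuration.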