[Openswan Users] Misdirected packets and setkey Invalid directions
John A. Sullivan III
jsullivan at opensourcedevel.com
Tue Nov 3 15:36:46 EST 2009
On Fri, 2009-10-30 at 23:36 -0400, Paul Wouters wrote:
> On Fri, 30 Oct 2009, John A. Sullivan III wrote:
>
> > Hello, all. Every once in a while, our monitoring system is throwing
> > false outages for some of the devices on the other side of our OpenSWAN
>
> Please do not use the spelling "OpenSWAN", since "swan" is a registered
> trademark from some third party. The name is "Openswan" or "openswan".
>
> > I ran a setkey -aPD just to see what it would tell me and I saw a number
> > of these:
> >
> > (per-socket policy)
> > Policy:[Invalid direciton]
>
> Don't use setkey. Remove ipsec-tools. Use "ip xfrm state" and "ip xfrm policy"
> instead.
>
> > The last used times have a very loose but not definite correlation to
> > the misdirected packets. What are these per-socket policies? Is it a
> > problem that they say Invalid direciton (sic.)?
>
> They might be "state" objects (versus policy objects)
>
> Paul

Thanks for the corrections. I didn't realize the SPD and SAD were
accessible via ip. I never did like setkey much!

When I do ip xfrm policy, after the expected list of policies I see a
long list of src 0.0.0.0 / dst 0.0.0.0 policies:

src 10.x.x.128/26 dst 172.16.0.0/12
    dir fwd priority 2726
    tmpl src 96.y.y.198 dst 208.z.z.1
        proto esp reqid 16389 mode tunnel
src 10.x.x.128/26 dst 172.16.0.0/12
    dir in priority 2726
    tmpl src 96.y.y.198 dst 208.z.z.1
        proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
    dir 4 priority 0
src ::/0 dst ::/0
    dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0

many, many, more.

What are these? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
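
To take stock of a long "ip xfrm policy" listing like the one in the message above, the following Python code parses the output, counts entries per direction and separates those whose direction is printed as a bare number. It is an added example, not part of the original post and not code from Openswan or iproute2; the function names are hypothetical, and the sample is an excerpt of the output quoted in the post.

```python
from collections import Counter

# Sample input: excerpt of the `ip xfrm policy` output quoted in the post
# (addresses are redacted there in the same way).
SAMPLE = """\
src 10.x.x.128/26 dst 172.16.0.0/12
    dir fwd priority 2726
    tmpl src 96.y.y.198 dst 208.z.z.1
        proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
    dir 4 priority 0
src ::/0 dst ::/0
    dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0
"""

def parse_policies(text):
    """Return one dict per policy; accepts indented or flattened output."""
    policies = []
    for line in text.splitlines():
        tok = line.split() or [""]
        if tok[0] == "src" and len(tok) >= 4 and tok[2] == "dst":
            # Selector line: starts a new policy entry.
            policies.append({"src": tok[1], "dst": tok[3], "dir": None,
                             "priority": None, "tmpl": []})
        elif not policies:
            continue  # ignore anything before the first selector line
        elif tok[0] == "dir":
            policies[-1]["dir"] = tok[1]
            if "priority" in tok[:-1]:
                policies[-1]["priority"] = int(tok[tok.index("priority") + 1])
        elif tok[0] == "tmpl":
            policies[-1]["tmpl"].append(" ".join(tok[1:]))
        elif tok[0] == "proto" and policies[-1]["tmpl"]:
            policies[-1]["tmpl"][-1] += " " + " ".join(tok)
    return policies

def summarize(policies):
    """Count policies per direction and pick out the numeric-direction ones."""
    by_dir = Counter(p["dir"] for p in policies)
    numeric = [p for p in policies if p["dir"] and p["dir"].isdigit()]
    return by_dir, numeric

if __name__ == "__main__":
    by_dir, numeric = summarize(parse_policies(SAMPLE))
    print(dict(by_dir), "numeric-direction entries:", len(numeric))
```

On a live gateway the same functions can be fed the captured output of "ip xfrm policy" instead of the embedded sample.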