[Openswan Users] Getting a handle on ip xfrm

Whit Blauvelt whit at transpect.com
Wed Mar 10 12:09:54 EST 2010

Okay, I now see that xfrm is used by netkey, and xfrm is totally new to me.
I can see that Openswan sets up the following on my system:

# ip xfrm policy
src zz.zz.zz.192/26 dst 
	dir in priority 2342 
	tmpl src yy.yy.yy.222 dst xx.xx.xx.114
		proto esp reqid 16389 mode tunnel
src dst zz.zz.zz.192/26 
	dir out priority 2342 
	tmpl src xx.xx.xx.114 dst yy.yy.yy.222
		proto esp reqid 16389 mode tunnel
src zz.zz.zz.192/26 dst 
	dir fwd priority 2342 
	tmpl src yy.yy.yy.222 dst xx.xx.xx.114
		proto esp reqid 16389 mode tunnel


xx.xx.xx.114 is left public IP is left subnet
yy.yy.yy.222 is right public IP
zz.zz.zz.192/26 is right subnet

Is this about what I should be seeing, given that I'm trying to find what's
required to get the not-working-yet tunnel going? There are policies here to
tunnel in and out, and a policy to forward in - but not a policy to forward
from the local subnet to the remote one. Should there be one?

What does it need to match up with in terms of routes set by the routing
tables? Anything?

I find some old discussion of xfrm on the list, for instance here:


but it looks like Openswan has evolved since then. At least the policies I
get are more complex statements. That post does usefully suggest that
whatever's not getting set up in my case, probably because I don't use a
default route in the basic way for Openswan to deduce stuff from, can be set
up through a script, if only I can complete my own deduction of what the end
state must be for the tunnel to work.

If this gets solved, I'll write up at least a basic Openswan-on-Ubuntu to
Cisco recipe, because both Ubuntu and Ciscos are pretty damn common, so
solving this would be useful to many. I checked the StrongSwan mailing list
to see how people are doing connecting that to Ciscos, and it doesn't look
good there. Mostly problem reports that get ignored or at best half
answered. Maybe Cisco's IPsec is still so broken that it's not fully
compatible with anything but another Cisco. But I know I should be getting
farther than I am. And even if we're stuck buying a Cisco for our end, it
would be useful to have Openswan as a backup - or else we'll really need a
second Cisco for failover, too. Even a < 100% reliable Openswan backup would
be enough in that department, avoiding a single point of failure there.


More information about the Users mailing list