[Openswan Users] openswan/conntrack issue

Bertrand Jacquin beber at meleeweb.net
Sat Jul 9 08:54:49 EDT 2011


Hi,

After a discussion with bleve on IRC, here is an issue report.

I'm using openswan-2.6.33 to connect to a fortigate.

# ipsec --version
Linux Openswan U2.6.33/K2.6.38-gentoo-r6 (netkey)

3 right networks are in use, so 3 conns are declared as follows:

conn XXX-prod
  left=91.121.26.20
  leftid=XXX
  leftxauthclient=yes
  right=82.112.XXX.XXX
  rightid=XXX
  rightsubnet=82.112.111.200/29
  rightxauthserver=yes
  keyexchange=ike
  ikelifetime=28800s
  keylife=1800s
  pfs=yes
  ike=aes128-md5-modp768
  esp=aes128-md5
  authby=secret
  leftxauthusername=XXX
  compress=yes
  auto=start

conn XXX-preprod
  left=91.121.26.20
  leftid=XXX
  leftxauthclient=yes
  right=82.112.XXX.XXX
  rightid=XXX
  rightsubnet=82.112.111.208/29
  rightxauthserver=yes
  keyexchange=ike
  ikelifetime=28800s
  keylife=1800s
  pfs=yes
  ike=aes128-md5-modp768
  esp=aes128-md5
  authby=secret
  leftxauthusername=XXX
  compress=yes
  auto=start

conn XXX-integration
  left=91.121.26.20
  leftid=XXX
  leftxauthclient=yes
  right=82.112.XXX.XXX
  rightid=XXX
  rightsubnet=82.112.111.216/29
  rightxauthserver=yes
  keyexchange=ike
  ikelifetime=28800s
  keylife=1800s
  pfs=yes
  ike=aes128-md5-modp768
  esp=aes128-md5
  authby=secret
  leftxauthusername=XXX
  compress=yes
  auto=start

First thing, if I want to simplify the configuration with the following:
  rightsubnets={ 82.112.111.200/29 82.112.111.208/29 82.112.111.216/29 }

I'm getting the following error:

  address family inconsistency in this/that connection

Now, the main issue. When I send packets to XXX-prod, all is fine, but
if I send packets to XXX-preprod, traffic is correctly emitted and returns
back, but it's not handled correctly by conntrack, so traffic seems to be
dropped, and I get only one entry in /proc/1/net/nf_conntrack:

ipv4     2 unknown  50 598 src=91.121.26.20 dst=82.112.XXX.XXX src=82.112.111.193 dst=91.121.26.20 mark=0 use=2

I don't think this is normal and it may be a conntrack issue. Can someone
confirm?

Thanks

-- 
Beber
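The nf_conntrack entry quoted above is the only hard evidence in this report, so a small reader for that file format is a useful diagnostic. What follows is an added example (not code from the original post or from Openswan): it parses /proc/net/nf_conntrack lines into their original and reply tuples and flags ESP (protocol 50) entries whose reply tuple is not the mirror image of the original. That "mirror" check is my own heuristic: the generic tracker used for protocol 50 ("unknown") has no ports to match on, so the reply tuple is expected to be the original with source and destination swapped, and the entry in the post breaks that pattern (reply src 82.112.111.193 differs from the original dst). The sample input embeds the poster's line unchanged, with its masked XXX address left as-is, plus two constructed lines using documentation addresses.

```python
"""Parse /proc/net/nf_conntrack lines and flag ESP entries with asymmetric tuples.

Added example for the openswan/conntrack report; the sample data below is
constructed (first line copied from the report, addresses masked as posted).
"""
from dataclasses import dataclass

ESP_PROTO = 50  # IP protocol number for ESP; conntrack shows it as "unknown 50"

# key=value tokens that belong to a flow tuple rather than to the entry itself
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}

SAMPLE_CONNTRACK = """\
ipv4     2 unknown  50 598 src=91.121.26.20 dst=82.112.XXX.XXX src=82.112.111.193 dst=91.121.26.20 mark=0 use=2
ipv4     2 unknown  50 599 src=192.0.2.10 dst=198.51.100.1 src=198.51.100.1 dst=192.0.2.10 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.1 sport=50000 dport=22 src=198.51.100.1 dst=192.0.2.10 sport=22 dport=50000 [ASSURED] mark=0 use=1
"""


@dataclass
class ConntrackEntry:
    l3proto: str        # "ipv4" / "ipv6"
    l4name: str         # "tcp", "udp", "icmp", "unknown", ...
    l4proto: int        # numeric IP protocol (6, 17, 1, 50, ...)
    timeout: int        # seconds until the entry expires
    original: dict      # tuple as seen in the original direction
    reply: dict         # tuple as seen in the reply direction
    extra: dict         # state words, [ASSURED]/[UNREPLIED], mark=, use=, ...


def parse_line(line: str) -> ConntrackEntry:
    """Split one nf_conntrack line: 'l3 l3num l4name l4num timeout [state] k=v ...'.

    The first src= opens the original tuple; the second src= opens the reply
    tuple. Every other key=value token is kept in 'extra'."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"not a conntrack line: {line!r}")
    l3proto, _l3num, l4name, l4num, timeout = tokens[:5]
    original, reply, extra = {}, {}, {}
    current = original
    for tok in tokens[5:]:
        if "=" not in tok:
            # bare state words (ESTABLISHED) and bracketed flags ([ASSURED])
            extra.setdefault("state", []).append(tok.strip("[]"))
            continue
        key, value = tok.split("=", 1)
        if key in TUPLE_KEYS:
            if key == "src" and current is original and "src" in original:
                current = reply  # second src= starts the reply tuple
            current[key] = value
        else:
            extra[key] = value
    return ConntrackEntry(l3proto, l4name, int(l4num), int(timeout),
                          original, reply, extra)


def is_mirrored(entry: ConntrackEntry) -> bool:
    """True when the reply tuple is the original with src/dst swapped."""
    return (entry.reply.get("src") == entry.original.get("dst")
            and entry.reply.get("dst") == entry.original.get("src"))


def suspicious_esp_entries(lines) -> list:
    """Return ESP entries whose reply addresses do not mirror the original.

    Heuristic (assumption of this example): with the generic tracker there are
    no ports, so a non-mirrored reply tuple is worth a closer look."""
    flagged = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = parse_line(raw)
        if entry.l4proto == ESP_PROTO and not is_mirrored(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in suspicious_esp_entries(SAMPLE_CONNTRACK.splitlines()):
        print(f"asymmetric ESP entry (timeout {e.timeout}s): "
              f"orig {e.original['src']} -> {e.original['dst']}, "
              f"reply {e.reply['src']} -> {e.reply['dst']}")
```

Run it against a live box with `python3 script.py < /proc/net/nf_conntrack` after swapping SAMPLE_CONNTRACK for sys.stdin, or keep the sample to see only the reported entry flagged; the constructed ESP line with mirrored addresses and the TCP line pass through untouched.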