[Openswan Users] [off-topic] was Re: [IPsec] IPSec processing in linux kernel acting as a gateway

Paul Wouters paul at xelerance.com
Thu Nov 17 12:51:58 EST 2011


On Thu, 17 Nov 2011, Prashant Batra (prbatra) wrote:

> Thanks for directing me. I am not using open-swan, but it's a self-developed IKE daemon, wherein we are using kernel IPsec via the NETLINK XFRM interface.

Ok, you might want to look at programs/pluto/kernel_netlink.c (though it is GPL licensed, not BSD)

> How did you create the policies? openswan? ipsec-tools? ip xfrm command?
>
> <Prashant>Using an in-house developed IKE daemon.

To see if you made any mistakes, you could install openswan, configure a "conn" and load
it and/or bring it up, and then compare the "ip xfrm state" and "ip xfrm policy" rules
for any mistakes. It would also confirm your system options are not causing problems.

> <Prashant>I could only see the plain packets on the interface receiving the packets from host1, but no encrypted packets going out on the other interface towards gw2.
> I even noticed that the packets-processed counters for the IPsec SA are not increasing, which means it's probably not hitting the IPsec layer.

Yeah, seems that way. I'd recommend the above test.

Paul
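Paul's suggestion is to load a known-good conn with openswan and compare the resulting "ip xfrm state" and "ip xfrm policy" output against what the in-house daemon installs. The script below is an added example, not code from this thread, from openswan or from Prashant's daemon, that does the mechanical half of that comparison in plain sh and awk: it parses the two captures and reports every policy template that has no matching SA (same src, dst, proto, reqid and mode) and every "out" policy whose reverse "fwd"/"in" policies are missing. The captures in write_samples are constructed for this example; the gateway addresses (192.0.2.1, 198.51.100.1), the subnets (10.1.0.0/24, 10.2.0.0/24), the SPIs, reqid values and keys are all made up.

```shell
#!/bin/sh
# Added example (not from the thread, openswan or the in-house daemon): a
# mechanical cross-check of "ip xfrm policy" against "ip xfrm state".
# xfrm_check POLICY_FILE STATE_FILE -> exit 0 if consistent, 1 otherwise:
#  1. every policy template must be backed by an SA with the same src, dst,
#     proto, reqid and mode (else the kernel finds no state, drops the packet,
#     and the SA counters never move);
#  2. every "out" policy A->B needs "fwd" and "in" policies B->A, as openswan
#     installs; a gateway needs "fwd" for the decrypted traffic it forwards.
xfrm_check() {
    awk -v stfile="$2" '
    BEGIN { bad = 0 }
    # First file: ip xfrm state.  Key each SA by src/dst/proto/reqid/mode.
    FILENAME == stfile {
        if ($1 == "src") { s = $2; d = $4 }
        if ($1 == "proto") {
            p = r = m = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "proto") p = $(i + 1)
                if ($i == "reqid") r = $(i + 1)
                if ($i == "mode")  m = $(i + 1)
            }
            sa[s " " d " " p " " r " " m] = 1
        }
        next
    }
    # Second file: ip xfrm policy.  Check each tmpl against the SA table.
    $1 == "src"  { ps = $2; pd = $4 }
    $1 == "dir"  { dir = $2; seen[ps " " pd " " dir] = 1; if (dir == "out") outs[ps " " pd] = 1 }
    $1 == "tmpl" { ts = $3; td = $5 }
    $1 == "proto" {
        p = r = m = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "proto") p = $(i + 1)
            if ($i == "reqid") r = $(i + 1)
            if ($i == "mode")  m = $(i + 1)
        }
        key = ts " " td " " p " " r " " m
        if (!(key in sa)) {
            printf "MISMATCH: %s -> %s dir %s wants SA [%s], not installed\n", ps, pd, dir, key
            bad = 1
        }
    }
    END {
        for (k in outs) {
            split(k, ab, " ")
            if (!((ab[2] " " ab[1] " fwd") in seen)) { printf "MISSING: fwd policy %s -> %s\n", ab[2], ab[1]; bad = 1 }
            if (!((ab[2] " " ab[1] " in") in seen))  { printf "MISSING: in policy %s -> %s\n", ab[2], ab[1]; bad = 1 }
        }
        exit bad
    }' "$2" "$1"
}
# Constructed sample captures (made up for this example, not from the thread):
# gw1 = 192.0.2.1 for 10.1.0.0/24, gw2 = 198.51.100.1 for 10.2.0.0/24.
write_samples() {
    cat > "$1/state.txt" <<'EOF'
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    auth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96
    enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x1e2f3a4b reqid 16385 mode tunnel
    auth-trunc hmac(sha1) 0x14131211100f0e0d0c0b0a090807060504030201 96
    enc cbc(aes) 0x0f0e0d0c0b0a09080706050403020100
EOF
    cat > "$1/good_policy.txt" <<'EOF'
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir fwd priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
EOF
    # Two typical home-grown-daemon bugs: template reqid differs from the SA's, and no fwd policy.
    cat > "$1/bad_policy.txt" <<'EOF'
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16386 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
EOF
}
demo_dir=$(mktemp -d)   # demo: the good set passes, the bad set reports both bugs
write_samples "$demo_dir"
for f in good_policy bad_policy; do
    echo "== $f"; xfrm_check "$demo_dir/$f.txt" "$demo_dir/state.txt" && echo consistent
done
rm -rf "$demo_dir"
```

On the gateway itself, run as root, capture the live tables with `ip xfrm policy > p.txt; ip xfrm state > s.txt` and call `xfrm_check p.txt s.txt`; doing the same on a box where openswan loaded the equivalent conn gives the reference to diff against. A reqid or endpoint mismatch of the kind the bad sample shows produces exactly the symptom in the thread (plaintext in, nothing encrypted out, SA counters flat), and the kernel records such drops in /proc/net/xfrm_stat (XfrmOutNoStates, XfrmOutPolBlock), which is worth reading before and after a test ping.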

