[Openswan Users] [off-topic] was Re: [IPsec] IPSec processing in linux kernel acting as a gateway

Prashant Batra (prbatra) prbatra at cisco.com
Thu Nov 17 13:08:01 EST 2011


Looks like openswan doesn't support IKEv2. Then I'll probably have to
configure the gw to use IKEv1.
Thanks Paul, will try that way.

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, November 17, 2011 11:22 PM
To: Prashant Batra (prbatra)
Cc: users at openswan.org
Subject: RE: [off-topic] was Re: [IPsec] IPSec processing in linux
kernel acting as a gateway

On Thu, 17 Nov 2011, Prashant Batra (prbatra) wrote:

> Thanks for directing me. I am not using open-swan, but it's a
> self-developed IKE daemon, wherein we are using kernel IPSec via NETLINK
> XFRM interface.

Ok, you might want to look at programs/pluto/kernel_netlink.c (though it
is GPL licensed, not BSD)

> How did you create the policies? openswan? ipsec-tools? ip xfrm
> command?
>
> <Prashant>Using in-house developed IKE daemon.

To see if you made any mistakes, you could install openswan, configure a
"conn" and load it and/or bring it up and then compare the "ip xfrm state"
and "ip xfrm policy" rules for any mistakes? It would also confirm your
system options are not causing problems.

> <Prashant>I could only see the plain packets on the interface
> receiving the packets from host1, but no encrypted packets going out on
> other interface towards gw2.
> Even noticed that the packet processed counters for IPSec SA are not
> getting increased, which means it's not hitting the IPSec layer
> probably.

Yeah, seems that way. I'd recommend the above test.

Paul
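Paul's suggestion (compare the `ip xfrm state` output of a known-good openswan "conn" against what the in-house daemon installs through XFRM) can be scripted. The following is an added example, not code from the thread or from openswan: it parses two dumps, ignores the fields that legitimately differ between independently negotiated SAs (SPI, reqid, counters), reports every other difference, and flags an SA whose packet counter never moved, which is the symptom Prashant describes. The two dumps are constructed samples; on a real gateway they would be captured with `ip xfrm state`.

```python
import re
# Constructed sample `ip xfrm state` captures (not from the thread): the SA that
# openswan installed for a test "conn" versus the one the in-house daemon installed.
OPENSWAN_DUMP = """\
src 10.0.1.1 dst 10.0.2.1
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
    lifetime current:
      1840(bytes), 23(packets)
"""
INHOUSE_DUMP = """\
src 10.0.1.1 dst 10.0.2.1
    proto esp spi 0x44556677 reqid 1 mode transport
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
    lifetime current:
      0(bytes), 0(packets)
"""
VOLATILE = {"spi", "reqid", "packets"}   # legitimately differ between two SAs

def parse_states(dump):
    """Parse an `ip xfrm state` dump into {'src A dst B': {field: value}}."""
    sas, cur = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            cur = sas.setdefault(line, {})
        elif cur is None or line == "stats:":
            cur = None                             # stats block repeats replay-window; skip it
        elif line.startswith(("proto ", "replay-window ")):
            cur.update(zip(line.split()[0::2], line.split()[1::2]))   # "key value ..." pairs
        elif line.startswith(("auth", "enc ")):
            cur[line.split()[0]] = line.split()[1]   # algorithm name only, never key bytes
        elif m := re.search(r"(\d+)\(packets\)", line):
            cur["packets"] = int(m.group(1))         # "lifetime current" packet counter
    return sas

def sa_unused(sa):
    return sa.get("packets", 0) == 0   # no packet ever went through this SA (the symptom above)

def compare_dumps(reference_dump, candidate_dump):
    """Per candidate SA: {field: (reference_value, candidate_value)} for differing non-volatile fields."""
    ref = parse_states(reference_dump)
    report = {}
    for key, sa in parse_states(candidate_dump).items():
        r = ref.get(key, {})                       # absent in reference -> every field differs
        fields = (set(r) | set(sa)) - VOLATILE
        report[key] = {f: (r.get(f), sa.get(f)) for f in sorted(fields) if r.get(f) != sa.get(f)}
    return report
```

In the constructed samples the only non-volatile difference is the SA mode, so `compare_dumps` reports just that field; an empty dict per SA means the daemon's state matches openswan's.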
