[Openswan Users] [off-topic] was Re: [IPsec] IPSec processing in linux kernel acting as a gateway

Paul Wouters paul at xelerance.com
Thu Nov 17 15:34:11 EST 2011

On Thu, 17 Nov 2011, Prashant Batra (prbatra) wrote:

> Looks like openswan doesn't support IKEv2. Then probably have to
> configure the gw to use IKEv1.
> Thanks Paul, will try that way.

That is incorrect.  we have an ikev2= option. From the man page:

            IKEv2 (RFC4309) settings to be used. Currently the accepted values
            are permit, (the default) signifying no IKEv2 should be
            transmitted, but will be accepted if the other ends initiates to us
            with IKEv2; never or no signifying no IKEv2 negotiation should be
            transmitted or accepted; propose or yes signifying that we permit
            IKEv2, and also use it as the default to initiate; insist,
            signifying we only accept and receive IKEv2 - IKEv1 negotiations
            will be rejected.

            If the ikev2= setting is set to permit or propose, Openswan will
            try and detect a "bid down" attack from IKEv2 to IKEv1. Since there
            is no standard for transmitting the IKEv2 capability with IKEv1,
            Openswan uses a special Vendor ID "CAN-IKEv2". If a fall back from
            IKEv2 to IKEv1 was detected, and the IKEv1 negotiation contains
            Vendor ID "CAN-IKEv2", Openswan will immediately attempt and IKEv2
            rekey and refuse to use the IKEv1 connection. With an ikev2=
            setting of insist, no IKEv1 negotiation is allowed, and no bid down
            attack is possible.

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, November 17, 2011 11:22 PM
> To: Prashant Batra (prbatra)
> Cc: users at openswan.org
> Subject: RE: [off-topic] was Re: [IPsec] IPSec processing in linux
> kernel acting as a gateway
> On Thu, 17 Nov 2011, Prashant Batra (prbatra) wrote:
>> Thanks for directing me. I am not using open-swan, but it's a
> self-developed IKE deamon, wherein we are using kernel IPSec via NETLINK
> XFRM interface.
> Ok, you might want to look at programs/pluto/kernel_netlink.c (though it
> is GPL licensed, not BSD)
>> How did you create the policies? openswan? ipsec-tools? ip xfrm
> command?
>> <Prashant>Using IKE in-house developed IKE deamon.
> To see if you mad any mistakes, you could install openswan, configure a
> "conn" and load
> it and/or bring it up and then compare the "ip xfrm state" and "ip xfrm
> policy" rules
> for any mistakes? It would also confirm your system options are not
> causing problems.
>> <Prashant>I could only see the plain packets on the interface
> receiving the packets from host1, but no encrypted packets going out on
> other interface towards gw2.
>> Even noticed that the packet processed counters for IPSec SA are not
> getting increased, which means it's not hitting the IPSec layer
> probably.
> Yeah, seems that way. I'd recommend the above test.
> Paul

More information about the Users mailing list