[Openswan Users] {Disarmed} IPSec Tunnel: Pass through connection not working

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 21 11:17:08 EST 2011

This sounds like an old problem I patched ages ago.  What version of
Openswan are you running?

On Mon, 2011-11-21 at 20:24 +0530, SaRaVanAn wrote: 
> Hi all,
>    I  want to add below three SPD rules.
> source          destination               protocol        action
> 1)            any            ipsec
> 2)                     ah/esp         none
> 3)                      any               discard.

Not sure what you're trying to do with those policies but the discard
one gives me the impression that you're trying to use the policy
database as if it were a firewall.

> I tried by adding these rules using openswan.  Only two rules are getting
> added in Security policy database, the pass through rule is not
> added(verified using setkey tool).
> Please find my ipsec.conf below
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=
>         oe=off
>         nhelpers=0
>         interfaces=%defaultroute
> conn west-east
>     left=
>     right=
>     leftsubnet=
>     keyexchange=ike
>     auto=add
>     auth=esp
>     authby=secret
>     pfs=no
>     keylife=120m
>     rekey=yes
>     ikelifetime=240m
>     keyingtries=0
> conn drop
>         left=
>         right=
>         leftsubnet=
>         rightsubnet=
>         type=drop
>         authby=never
>         auto=route
> conn passthrough
>         left=
>         leftprotoport=ah
>         right=
>         leftsubnet=
>         rightsubnet=
Not quite sure what you are trying to do with that subnet declaration
but it seems like this declaration directly conflicts with the drop
declaration above.  I'm not sure what it's going to do when it gets two
configuration specifications for basically the same ordered set of
source and destination address and source and destination subnet but
something tells me it's not going to do what you expect it to and it my
not be allowing it.

What happens if you remove the "drop" declaration above and retry it?
Does the bypass declaration get loaded then?  Maybe you should be using
iptables for that drop above?

> type=passthrough
>         authby=never
>         auto=route

> Please correct me if my configuration is wrong. It would be great, if you
> help me out on this.
> Regards,
> Saravanan N
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20111121/1e539765/attachment.bin 

More information about the Users mailing list