[Openswan Users] {Disarmed} IPSec Tunnel: Pass through connection not working
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Mon Nov 21 13:21:49 EST 2011
Hi Michael,
I want to encrypt all the traffic that is going via my system (router).
Suppose traffic is coming for a destination IP for which no tunnel exists; I
need to block it (plain traffic should not go via my router). The reason
behind adding the pass-through connection is that my system should not block
AH/ESP/UDP-encapsulated traffic for a destination, irrespective of tunnel
configurations.
If I remove the drop declaration above, it gets loaded. But I can't use
iptables for the drop, because the iptables rule hits before IPsec processing
starts, which will not fulfill my requirements. Hope you understand my
situation.
On Mon, Nov 21, 2011 at 8:17 AM, Michael H. Warfield <mhw at wittsend.com>wrote:
> This sounds like an old problem I patched ages ago. What version of
> Openswan are you running?
>
> On Mon, 2011-11-21 at 20:24 +0530, SaRaVanAn wrote:
> > Hi all,
> > I want to add below three SPD rules.
> >
> >    source       destination      protocol   action
> > 1) 0.0.0.0/0    172.31.114.239   any        ipsec
> > 2) 0.0.0.0/0    0.0.0.0/0        ah/esp     none
> > 3) 0.0.0.0/0    0.0.0.0/0        any        discard
>
> Not sure what you're trying to do with those policies but the discard
> one gives me the impression that you're trying to use the policy
> database as if it were a firewall.
>
> > I tried by adding these rules using openswan. Only two rules are getting
> > added in Security policy database, the pass through rule is not
> > added(verified using setkey tool).
> > Please find my ipsec.conf below
> >
> >
> > config setup
> >     protostack=netkey
> >     nat_traversal=yes
> >     virtual_private=
> >     oe=off
> >     nhelpers=0
> >     interfaces=%defaultroute
> >
> > conn west-east
> >     left=172.31.114.245
> >     right=172.31.114.239
> >     leftsubnet=0.0.0.0/0
> >     keyexchange=ike
> >     auto=add
> >     auth=esp
> >     authby=secret
> >     pfs=no
> >     keylife=120m
> >     rekey=yes
> >     ikelifetime=240m
> >     keyingtries=0
> >
> > conn drop
> >     left=172.31.114.245
> >     right=172.31.114.239
> >     leftsubnet=0.0.0.0/0
> >     rightsubnet=0.0.0.0/0
> >     type=drop
> >     authby=never
> >     auto=route
> >
> > conn passthrough
> >     left=172.31.114.245
> >     leftprotoport=ah
> >     right=172.31.114.239
> >     leftsubnet=0.0.0.0/0
> >     rightsubnet=0.0.0.0/0
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Not quite sure what you are trying to do with that subnet declaration
> but it seems like this declaration directly conflicts with the drop
> declaration above. I'm not sure what it's going to do when it gets two
> configuration specifications for basically the same ordered set of
> source and destination address and source and destination subnet but
> something tells me it's not going to do what you expect it to and it may
> not be allowing it.
>
> What happens if you remove the "drop" declaration above and retry it?
> Does the bypass declaration get loaded then? Maybe you should be using
> iptables for that drop above?
>
> >     type=passthrough
> >     authby=never
> >     auto=route
>
> > Please correct me if my configuration is wrong. It would be great, if you
> > help me out on this.
> >
> >
> > Regards,
> > Saravanan N
> >
>
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 |
> http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
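As an added example (not from the thread and not Openswan's own code), a small Python checker that parses the conn sections of an ipsec.conf and flags conn pairs whose source and destination subnets coincide, which is the situation Michael points at for "conn drop" and "conn passthrough" (both 0.0.0.0/0 to 0.0.0.0/0, differing only in leftprotoport and type). The sample configuration is constructed from the post, trimmed to the keys that define the traffic selector.

```python
import re
from itertools import combinations

# Constructed sample: the post's conn sections, trimmed to selector keys, with indentation restored.
SAMPLE_CONF = """\
conn west-east
    left=172.31.114.245
    right=172.31.114.239
    leftsubnet=0.0.0.0/0
conn drop
    left=172.31.114.245
    right=172.31.114.239
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    type=drop
conn passthrough
    left=172.31.114.245
    leftprotoport=ah
    right=172.31.114.239
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    type=passthrough
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)   # section headers start at column 0
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def selector(conn):
    """(src subnet, dst subnet, src protoport, dst protoport); missing subnet = the endpoint, missing protoport = any."""
    return (conn.get("leftsubnet", conn.get("left")), conn.get("rightsubnet", conn.get("right")),
            conn.get("leftprotoport", "any"), conn.get("rightprotoport", "any"))

def find_overlaps(text):
    """Conn pairs covering the same src/dst subnets, so the SPD gets two policies for one range."""
    conns = parse_conns(text)
    hits = []
    for a, b in combinations(conns, 2):
        sa, sb = selector(conns[a]), selector(conns[b])
        if sa[:2] == sb[:2]:   # same address range; report how protoport and type differ
            hits.append((a, b, sa[2:], sb[2:], conns[a].get("type", "tunnel"), conns[b].get("type", "tunnel")))
    return hits
```

Running `find_overlaps(SAMPLE_CONF)` reports only the drop/passthrough pair; west-east is left alone because its right side defaults to the single host 172.31.114.239.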