[Openswan Users] the packets did not traffic under ESP tunnel on openswan

Ozai ozai.tien at gmail.com
Mon Mar 19 02:27:53 EDT 2012


Dear Paul,

In ipsec-tools, we use setkey to manipulate the Security Policy
Database (SPD) as the IPsec policy, so the kernel can understand which packets need
to go through the ESP tunnel and which do not. The following is the
setkey configuration.

Do we have any policy control like ipsec-tools on openswan?

# cat setkey.conf
# clear the SAD and the SPD before installing the policies below
flush;
spdflush;
# LAN-local traffic is excluded from IPsec; setkey masks the host bits,
# so 192.168.1.254/24 selects the whole 192.168.1.0/24 network
spdadd 192.168.1.254/24 192.168.1.254/24 any -P out none;
spdadd 192.168.1.254/24 192.168.1.254/24 any -P in none;
# LAN A -> LAN B must leave through the ESP tunnel between the two gateways
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/220.229.43.164-111.83.84.59/require;
# LAN B -> LAN A must arrive through the reverse tunnel
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/111.83.84.59-220.229.43.164/require;

Best Regards,
Ozai
----- Original Message ----- 
From: "Paul Wouters" <paul at nohats.ca>
To: "Ozai" <ozai.tien at gmail.com>
Cc: <users at openswan.org>
Sent: Monday, March 19, 2012 12:52 PM
Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel on openswan


> On Mon, 19 Mar 2012, Ozai wrote:
>
>> It still did not work after adding your suggestions.
>> B can ping A, but A cannot ping B, even from the device itself.
>> I captured the packets with Wireshark and found that the packets from the A client
>> never went through the ESP tunnel. Do you have any suggestion for us?
>
> do the clients have the ipsec gateway as default router? If not, they
> might need to get a route for the remote subnet via the ipsec gateway.
>
> Paul
>
>
>>
>> A client ------ openswan gateway ------ ipsec-tools gateway ------ B client
>> 192.168.1.2    192.168.1.1  111.243.152.132    111.243.156.217  192.168.2.254    192.168.2.1
>>
>> Best Regards,
>> Ozai
>> ----- Original Message ----- From: "Paul Wouters" <paul at nohats.ca>
>> To: "Ozai" <ozai.tien at gmail.com>
>> Cc: <users at openswan.org>
>> Sent: Saturday, March 17, 2012 11:01 PM
>> Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel on openswan
>>
>>
>>> On Thu, 15 Mar 2012, Ozai wrote:
>>>
>>>> I merged openswan (2.6.37) into embedded Linux (MIPS) and tried to
>>>> make a connection with another IPsec system (ipsec-tools). The ESP tunnel
>>>> can be built successfully. I tried to ping a private client from ipsec-tools to
>>>> openswan. It's OK, but from openswan to ipsec-tools it failed. I found
>>>> that from openswan to ipsec-tools the packets did not go through the ESP
>>>> tunnel. My settings are as below. Please help me to correct my procedure. Thanks.
>>>
>>> Did you test from the device itself? Did you ping -I ?
>>> Try adding:
>>>
>>> leftsourceip=111.243.152.132
>>> rightsourceip=111.243.156.217
>>>
>>> Ensure you are not NATing packets for/to the 192.168 ranges.
>>> Ensure you have forwarding enabled, and rp_filter disabled
>>>
>>> (if your embedded system has perl, try "ipsec verify")
>>>
>>> Paul 
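The following is an added illustration, not code from this thread, from ipsec-tools or from Openswan: a small Python parser for the setkey.conf posted above that answers, for a given flow, which SPD entry selects it and therefore whether a capture on the gateway should show it inside ESP, bypassed, or (with no matching entry) forwarded in the clear. It assumes a simplified selection model (the most specific matching entry wins and the earliest entry breaks ties; the kernel actually ranks policies by priority), and the client addresses in the usage section are constructed hosts inside the thread's two LANs. Two things it makes visible: setkey masks host bits, so the first two entries written as 192.168.1.254/24 exclude all of 192.168.1.0/24, and any flow outside both subnet pairs has no policy at all, which on the wire looks exactly like "the packets did not go through the ESP tunnel". On the Openswan side the equivalent selectors come from leftsubnet/rightsubnet in ipsec.conf rather than from a setkey SPD file.

```python
"""Minimal setkey.conf SPD parser and policy lookup (added example, not ipsec-tools code).

Model only: the most specific matching entry (longest combined src+dst prefix)
wins and the earliest entry breaks ties. The kernel's real selection is based
on policy priorities, so treat this as a reading aid, not a reimplementation.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the setkey.conf posted in the thread (wrapped lines kept).
SETKEY_CONF = """
flush;
spdflush;
spdadd 192.168.1.254/24 192.168.1.254/24 any -P out none;
spdadd 192.168.1.254/24 192.168.1.254/24 any -P in none;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/220.229.43.164-111.83.84.59/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/111.83.84.59-220.229.43.164/require;
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str              # "any" or a protocol name/number
    direction: str          # "in", "out" or "fwd"
    action: str             # "none" (bypass), "discard" or "ipsec"
    sa_spec: Optional[str]  # e.g. "esp/tunnel/220.229.43.164-111.83.84.59/require"


SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+"
    r"(none|discard|ipsec)(?:\s+(\S+))?$"
)


def parse_setkey(conf: str) -> List[Policy]:
    """Return the SPD entries of a setkey.conf; flush/spdflush are skipped."""
    policies: List[Policy] = []
    # setkey statements end in ';' and may span lines, so split on ';' first.
    for stmt in conf.split(";"):
        stmt = " ".join(stmt.split())          # rejoin wrapped lines, squeeze blanks
        if not stmt.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(stmt)
        if m is None:
            raise ValueError(f"unrecognised spdadd statement: {stmt!r}")
        src, dst, proto, direction, action, sa_spec = m.groups()
        # strict=False mirrors setkey: host bits are masked, so
        # 192.168.1.254/24 selects the whole 192.168.1.0/24 network.
        policies.append(Policy(ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               proto, direction, action, sa_spec))
    return policies


def lookup(policies: List[Policy], src_ip: str, dst_ip: str,
           direction: str, proto: str = "any") -> Optional[Policy]:
    """Best-matching policy for a flow, or None if no SPD entry covers it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for p in policies:
        if p.direction != direction or src not in p.src or dst not in p.dst:
            continue
        if p.proto != "any" and p.proto != proto:
            continue
        plen = p.src.prefixlen + p.dst.prefixlen
        if plen > best_len:                    # '>' keeps the earliest entry on ties
            best, best_len = p, plen
    return best


def decision(policies: List[Policy], src_ip: str, dst_ip: str,
             direction: str, proto: str = "any") -> str:
    """Fate of a flow, i.e. what a capture on the wire should show for it."""
    p = lookup(policies, src_ip, dst_ip, direction, proto)
    if p is None:
        return "no policy"                     # no SPD hit: forwarded in the clear
    if p.action == "none":
        return "bypass"                        # explicitly excluded from IPsec
    if p.action == "ipsec":
        return f"ipsec {p.sa_spec}"            # must leave as ESP per the SA spec
    return p.action                            # "discard"


if __name__ == "__main__":
    spd = parse_setkey(SETKEY_CONF)
    # Constructed hosts inside the thread's two LANs plus one outside address.
    for flow in (("192.168.1.2", "192.168.2.10", "out"),
                 ("192.168.1.2", "192.168.1.254", "out"),
                 ("192.168.1.2", "203.0.113.7", "out"),
                 ("192.168.2.10", "192.168.1.2", "in")):
        print(flow, "->", decision(spd, *flow))
```

Run it as a script to print the fate of the four sample flows; to check another flow, call decision() with its addresses and direction. The parser tolerates the wrapped lines in the posted file because setkey statements end at ";", not at a newline, so the SA spec on the continuation line is rejoined with its spdadd before matching.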