No subject


Sun Mar 18 23:15:50 EDT 2012


2012/3/19 Ozai <ozai.tien at gmail.com>

> Dear Paul,
>
> In ipsec-tools, we use setkey to manipulate the Security Policy
> Database (SPD) as the IPsec policy, so the kernel can understand which packets
> need to go through the ESP tunnel and which do not. The following is the
> setkey configuration.
>
> Do we have any policy control like ipsec-tool on openswan?
>
> # cat setkey.conf
> flush;
> spdflush;
> spdadd 192.168.1.254/24 192.168.1.254/24 any -P out none;
> spdadd 192.168.1.254/24 192.168.1.254/24 any -P in none;
> spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
> esp/tunnel/220.229.43.164-111.83.84.59/require;
> spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
> esp/tunnel/111.83.84.59-220.229.43.164/require;
>
>
> Best Regards,
> Ozai
> ----- Original Message ----- From: "Paul Wouters" <paul at nohats.ca>
> To: "Ozai" <ozai.tien at gmail.com>
> Cc: <users at openswan.org>
> Sent: Monday, March 19, 2012 12:52 PM
>
> Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel
> on openswan
>
>
>> On Mon, 19 Mar 2012, Ozai wrote:
>>
>>> It still did not work after adding your suggestions.
>>> B can ping to A but A can not ping to B even from the device itself.
>>> I captured the packets by wireshark and found that the packets from A client
>>> never went through the ESP tunnel. Do you have any suggestions for us?
>>>
>>
>> do the clients have the ipsec gateway as default router? If not, they
>> might need to get a route for the remote subnet via the ipsec gateway.
>>
>> Paul
>>
>>
>>
>>> A client---------------openswan gateway------------------------------ipsec-tool gateway---------------------B client
>>> 192.168.1.2         192.168.1.1     111.243.152.132 111.243.156.217   192.168.2.254              192.168.2.1
>>>
>>> Best Regards,
>>> Ozai
>>> ----- Original Message ----- From: "Paul Wouters" <paul at nohats.ca>
>>> To: "Ozai" <ozai.tien at gmail.com>
>>> Cc: <users at openswan.org>
>>> Sent: Saturday, March 17, 2012 11:01 PM
>>> Subject: Re: [Openswan Users] the packets did not traffic under ESP
>>> tunnel on openswan
>>>
>>>
>>>> On Thu, 15 Mar 2012, Ozai wrote:
>>>>
>>>>> I merged openswan (2.6.37) into embedded linux (mips) and tried to
>>>>> make the connection with another ipsec system (ipsec-tools). The ESP
>>>>> tunnel can be built successfully. I tried to ping a private client from
>>>>> ipsec-tools to openswan. It's OK. But from openswan to ipsec-tools, it
>>>>> failed. I found that from openswan to ipsec-tools, the packets did not
>>>>> go through the ESP tunnel. My settings are as below. Please help me to
>>>>> correct my procedure. Thanks.
>>>>>
>>>>
>>>> Did you test from the device itself? Did you ping -I ?
>>>> Try adding:
>>>>
>>>> leftsourceip=111.243.152.132
>>>> rightsourceip=111.243.156.217
>>>>
>>>> Ensure you are not NATing packets for/to the 192.168 ranges.
>>>> Ensure you have forwarding enabled, and rp_filter disabled.
>>>>
>>>> (if your embedded system has perl, try "ipsec verify")
>>>>
>>>> Paul
>>>>
>>>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>



openswan configures the kernel with SPD policies in order to pass packets through the tunnel.
With spdflush I guess you delete all these rules.
openswan at minimum configures 3 SPD policies: in, out, fwd.

From your rules I miss the fwd rule.

-- 
Think simple!
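As an added example (not code from this thread, openswan or ipsec-tools), the script below audits a setkey.conf like the one quoted above: it parses each spdadd statement, reports which of in, out and fwd are absent for every ipsec-protected subnet pair, and proposes the fwd policy that mirrors each in policy. The sample configuration is constructed from the quoted one, and the function names and the spdadd regex are my own assumptions.

```python
# Added example: audit a setkey.conf SPD for the three directions a Linux
# gateway needs (in, out, fwd) and propose the fwd policy mirroring each in.
# On Linux, decapsulated packets that are forwarded to an inner host are
# matched against fwd policies, so an in policy alone is not enough.
import re

# Constructed sample: the setkey.conf quoted in the thread (no fwd policy).
SAMPLE_CONF = """
flush;
spdflush;
spdadd 192.168.1.254/24 192.168.1.254/24 any -P out none;
spdadd 192.168.1.254/24 192.168.1.254/24 any -P in none;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/220.229.43.164-111.83.84.59/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/111.83.84.59-220.229.43.164/require;
"""

# spdadd <src> <dst> <upperspec> -P <direction> <level> [<policy-spec>] ;
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(\S+)(?:\s+(\S+))?$"
)

def parse_spd(text):
    """Return (src, dst, proto, direction, level, spec) for each spdadd.
    Statements may span lines, so split on ';' and collapse whitespace."""
    policies = []
    for stmt in text.split(";"):
        m = SPDADD.match(" ".join(stmt.split()))
        if m:
            policies.append(m.groups())
    return policies

def missing_directions(policies):
    """Map each ipsec-protected subnet pair (unordered) to the directions
    it lacks. Bypass ('none') policies are not checked."""
    seen = {}
    for src, dst, _proto, direction, level, _spec in policies:
        if level == "ipsec":
            seen.setdefault(tuple(sorted((src, dst))), set()).add(direction)
    return {pair: {"in", "out", "fwd"} - dirs
            for pair, dirs in seen.items() if dirs != {"in", "out", "fwd"}}

def suggested_fwd(policies):
    """Build a fwd policy for every ipsec 'in' policy that has no fwd twin:
    same selectors and tunnel endpoints, only the direction changes."""
    have_fwd = {(p[0], p[1]) for p in policies if p[3] == "fwd"}
    return [f"spdadd {s} {d} {pr} -P fwd {lvl} {spec};"
            for s, d, pr, direction, lvl, spec in policies
            if direction == "in" and lvl == "ipsec" and (s, d) not in have_fwd]
```

Appending the suggested line to the sample and parsing it again reports no missing direction.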

