[Openswan Users] the packets did not traffic under ESP tunnel on openswan

Ozai ozai.tien at gmail.com
Tue Mar 20 05:45:09 EDT 2012


Dear Sirs,

I started the openswan and I dumped the SPD as below.
Why is the policy rule "esp/tunnel/111.243.153.86-111.243.149.34/unique#16385" and not "........../require"? How can I change this rule on openswan?

Best Regards,
Ozai

192.168.1.0/24[any] 192.168.2.0/24[any] any
        out ipsec
        esp/tunnel/111.243.153.86-111.243.149.34/unique#16385
        created: Jan  1 05:36:42 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3369 seq=1 pid=31009
        refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
        fwd ipsec
        esp/tunnel/111.243.149.34-111.243.153.86/unique#16385
        created: Jan  1 05:36:42 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3386 seq=2 pid=31009
        refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/111.243.149.34-111.243.153.86/unique#16385
        created: Jan  1 05:36:42 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3376 seq=3 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3364 seq=4 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3355 seq=5 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3348 seq=6 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3339 seq=7 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3332 seq=8 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3323 seq=9 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused: Jan  1 05:36:42 1970
        lifetime: 0(s) validtime: 0(s)
        spid=3316 seq=10 pid=31009
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Jan  1 05:36:40 1970  lastused: Jan  1 05:36:42 1970
        lifetime: 0(s) validtime: 0(s)
        spid=3307 seq=0 pid=31009
        refcnt=1
  ----- Original Message ----- 
  From: Panagiotis Tamtamis 
  To: Ozai 
  Cc: Paul Wouters ; users at openswan.org 
  Sent: Monday, March 19, 2012 6:53 PM
  Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel on openswan


  Setting SPD policies, either by openswan or by ipsec-tools, all goes in the same direction: to the Linux kernel.
  So if you mess with the policies, then you must know how they work.


  openswan sets policies in the kernel.
  If you also set policies or delete policies (with spdflush), then you may have problems.


  2012/3/19 Ozai <ozai.tien at gmail.com>

    Dear Sirs,

    I do not set any SPD policies on openswan. The following setkey rules are just on the ipsec-tool. You mean we do not need to set any policies on openswan, right? How does openswan pass packets through the tunnel?

    Best Regards,
    Ozai
      ----- Original Message ----- 
      From: Panagiotis Tamtamis 
      To: Ozai 
      Cc: Paul Wouters ; users at openswan.org 
      Sent: Monday, March 19, 2012 4:44 PM
      Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel on openswan


      openswan configures the kernel with SPD policies in order to pass packets through the tunnel.
      With spdflush I guess you delete all these rules.
      openswan at minimum configures 3 SPD policies: in, out, fwd.


      From your rules, I miss the fwd rule.


      2012/3/19 Ozai <ozai.tien at gmail.com>

        Dear Paul,

        In ipsec-tool, we use setkey to manipulate the Security Policy Database (SPD) as the IPsec policy, so the kernel can understand which packets need to traffic under the ESP tunnel and which packets do not. The following is the setkey configuration.

        Do we have any policy control like ipsec-tool on openswan?

        # cat setkey.conf
        flush;
        spdflush;
        spdadd 192.168.1.254/24 192.168.1.254/24 any -P out none;
        spdadd 192.168.1.254/24 192.168.1.254/24 any -P in none;
        spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/220.229.43.164-111.83.84.59/require;
        spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/111.83.84.59-220.229.43.164/require; 


        Best Regards,
        Ozai
        ----- Original Message ----- 
        From: "Paul Wouters" <paul at nohats.ca>
        To: "Ozai" <ozai.tien at gmail.com>
        Cc: <users at openswan.org>
        Sent: Monday, March 19, 2012 12:52 PM
        Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel on openswan



          On Mon, 19 Mar 2012, Ozai wrote:


            It still did not work after adding your suggestions.
            B can ping A, but A cannot ping B, even from the device itself.
            I captured the packets with wireshark and found that the packets from the A client always did not traffic under the ESP tunnel. Do you have any suggestion for us?


          Do the clients have the ipsec gateway as default router? If not, they
          might need to get a route for the remote subnet via the ipsec gateway.

          Paul




            A client---------------openswan gateway------------------------------ipsec-tool gateway---------------------B client
            192.168.1.2         192.168.1.1     111.243.152.132 111.243.156.217 192.168.2.254              192.168.2.1

            Best Regards,
            Ozai
            ----- Original Message ----- 
            From: "Paul Wouters" <paul at nohats.ca>
            To: "Ozai" <ozai.tien at gmail.com>
            Cc: <users at openswan.org>
            Sent: Saturday, March 17, 2012 11:01 PM
            Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel on openswan



              On Thu, 15 Mar 2012, Ozai wrote:


                I merged openswan (2.6.37) into embedded linux (mips) and tried to make the connection with another ipsec
                system (ipsec-tools). The ESP tunnel can be built successfully. I tried to ping the private client from ipsec-tools to
                openswan. It's OK, but from openswan to ipsec-tools it failed. I found that from openswan to ipsec-tools the packets did
                not traffic under the ESP tunnel. My settings are as below. Please help me to correct my procedure. Thanks.


              Did you test from the device itself? Did you ping -I ?
              Try adding:

              leftsourceip=111.243.152.132
              rightsourceip=111.243.156.217

              Ensure you are not NATing packets for/to the 192.168 ranges.
              Ensure you have forwarding enabled, and rp_filter disabled.

              (If your embedded system has perl, try "ipsec verify".)

              Paul 


        _______________________________________________
        Users at lists.openswan.org
        https://lists.openswan.org/mailman/listinfo/users
        Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
        Building and Integrating Virtual Private Networks with Openswan:
        http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155






      -- 
      Think simple!






  -- 
  Think simple!
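An added example, not code from this thread, from Openswan or from ipsec-tools: a small Python parser for `setkey -DP` output that checks, for a subnet pair, whether the out/in/fwd trio Panagiotis refers to is present and whether each policy mandates ESP in tunnel mode. setkey prints a policy that carries a reqid as `unique#reqid`; `unique` mandates IPsec just as `require` does and additionally binds the policy to the SA with that reqid, which is how policies installed by an IKE daemon show up. The sample dump is trimmed from the one quoted above.

```python
import re
# Sample: the three tunnel policies and one per-socket entry from the setkey -DP
# dump quoted in the thread (trimmed; created/lifetime/spid lines are ignored).
SPD_DUMP = """\
192.168.1.0/24[any] 192.168.2.0/24[any] any
        out ipsec
        esp/tunnel/111.243.153.86-111.243.149.34/unique#16385
192.168.2.0/24[any] 192.168.1.0/24[any] any
        fwd ipsec
        esp/tunnel/111.243.149.34-111.243.153.86/unique#16385
192.168.2.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/111.243.149.34-111.243.153.86/unique#16385
(per-socket policy)
        Policy:[Invalid direciton]
"""
SELECTOR = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
DIRECTION = re.compile(r"^(in|out|fwd) (ipsec|none|discard)$")
# proto/mode/src-dst/level, plus the optional #reqid setkey prints for "unique"
TEMPLATE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/(\S+)-(\S+)/(\w+)(?:#(\d+))?$")

def parse_spd(text):
    """One dict per subnet-to-subnet policy; per-socket entries are skipped."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SELECTOR.match(line):
            cur = {"src": m[1], "dst": m[3], "proto": m[5], "dir": None, "action": None, "templates": []}
            entries.append(cur)
        elif line.startswith("(per-socket"):
            cur = None                      # ignore everything up to the next selector line
        elif cur is not None and (m := DIRECTION.match(line)):
            cur["dir"], cur["action"] = m[1], m[2]
        elif cur is not None and (m := TEMPLATE.match(line)):
            cur["templates"].append({"proto": m[1], "mode": m[2], "tsrc": m[3], "tdst": m[4],
                                     "level": m[5], "reqid": int(m[6]) if m[6] else None})
    return entries

def check_tunnel(entries, local_net, remote_net):
    """Which of out/in/fwd is missing for the pair, and which does not mandate ESP/tunnel."""
    want = {"out": (local_net, remote_net), "in": (remote_net, local_net), "fwd": (remote_net, local_net)}
    missing, weak = [], []
    for d, (s, t) in want.items():
        hits = [e for e in entries if e["dir"] == d and (e["src"], e["dst"]) == (s, t)]
        if not hits: missing.append(d)
        for e in hits:
            strong = e["action"] == "ipsec" and any(tp["proto"] == "esp" and tp["mode"] == "tunnel"
                and tp["level"] in ("require", "unique") for tp in e["templates"])
            if not strong: weak.append(d)
    return {"missing": missing, "weak": weak}
```

Run it against the real dump with `check_tunnel(parse_spd(open("spd.txt").read()), "192.168.1.0/24", "192.168.2.0/24")`; a missing fwd entry, as in the earlier reply, shows up in `missing`.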