[Openswan Users] Incomplete xfrm policy
Giovanni Carbone
G.Carbone at reitek.com
Fri Apr 12 09:46:08 UTC 2013
Hello All!
It can happen that after a rekey I do get an "incomplete" xfrm policy (see below for an example).
I call it "incomplete" because it's missing the "tmpl [...] proto [...]" part.
Unfortunately I'm unable to replicate this problem at will.
I'm running OpenSWAN 2.6.37 on CentOS 5.3:
# ipsec --version
Linux Openswan U2.6.37/K2.6.18-128.2.1.el5 (netkey)
# uname -a
Linux openswan1 2.6.18-128.2.1.el5 #1 SMP Tue Jul 14 06:36:37 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
This is the VPN configuration:
# cat /etc/ipsec.conf
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
# cat /etc/ipsec.d/remote1.conf
conn REMOTE1
        leftsubnets={10.112.8.128/27 10.112.4.0/26}
        rightsubnets={192.168.255.0/24}
        left=<left-public-ip>
        right=<right-public-ip>
        auto=add
        authby=secret
        type=tunnel
        ike=3des-sha1-modp1024
        ikelifetime=28800s
        pfs=yes
        aggrmode=no
        phase2=esp
        phase2alg=aes-sha1-1024,aes128-sha1-1024,aes256-sha1-1024
        keyingtries=0
        salifetime=1800s
        rekey=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart_by_peer
Policies dump:
# ip xfrm policy show
[...]
>>>>---Incomplete policy----<<<<
src 10.112.8.129/32 dst 192.168.255.125/32 proto udp
dir out priority 2080
>>>>---Incomplete policy----<<<<
[...]
---Working policies----
src 192.168.255.0/24 dst 10.112.8.128/27
dir in priority 2248
tmpl src <right-remote-ip> dst <left-remote-ip>
proto esp reqid 17565 mode tunnel
src 192.168.255.0/24 dst 10.112.4.0/26
dir in priority 2280
tmpl src <right-remote-ip> dst <left-remote-ip>
proto esp reqid 17569 mode tunnel
src 10.112.8.128/27 dst 192.168.255.0/24
dir out priority 2248
tmpl src <left-remote-ip> dst <right-remote-ip>
proto esp reqid 17565 mode tunnel
src 10.112.4.0/26 dst 192.168.255.0/24
dir out priority 2280
tmpl src <left-remote-ip> dst <right-remote-ip>
proto esp reqid 17569 mode tunnel
src 192.168.255.0/24 dst 10.112.8.128/27
dir fwd priority 2248
tmpl src <right-remote-ip> dst <left-remote-ip>
proto esp reqid 17565 mode tunnel
src 192.168.255.0/24 dst 10.112.4.0/26
dir fwd priority 2280
tmpl src <right-remote-ip> dst <left-remote-ip>
proto esp reqid 17569 mode tunnel
---Working policies----
[...]
Best regards,
Giovanni.
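Because the problem above is intermittent and only visible in the kernel's policy database, a practical way to catch it is to poll `ip xfrm policy show` and flag any `in`/`out`/`fwd` policy that has a selector and direction but no `tmpl ... proto ... mode ...` block. The security-relevant point is that an xfrm policy with zero templates is a bypass policy: traffic matching its selector is passed without IPsec processing, so an "incomplete" outbound policy like the one shown means packets for that selector leave in the clear until it is repaired. The parser below is an added example, not code from the original post or from the Openswan project; the sample output is constructed from the policies quoted in the post, with placeholder tunnel endpoints (198.51.100.2 / 203.0.113.1) and one socket policy added to show that socket policies are legitimately template-less and are skipped.

```python
"""Flag xfrm policies that lack a template (tmpl) section.

Added example, not from the original mailing-list post. Parses the text
output of `ip xfrm policy show` into records and reports the "incomplete"
policies the post describes: a selector plus `dir ... priority ...` with
no `tmpl src/dst` + `proto ... reqid ... mode ...` block underneath.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output, built from the policies quoted in the post.
# Tunnel endpoints are placeholders (RFC 5737 documentation addresses).
SAMPLE = """\
src 10.112.8.129/32 dst 192.168.255.125/32 proto udp
    dir out priority 2080 ptype main
src 192.168.255.0/24 dst 10.112.8.128/27
    dir in priority 2248 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.1
        proto esp reqid 17565 mode tunnel
src 192.168.255.0/24 dst 10.112.4.0/26
    dir in priority 2280 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.1
        proto esp reqid 17569 mode tunnel
src 10.112.8.128/27 dst 192.168.255.0/24
    dir out priority 2248 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.2
        proto esp reqid 17565 mode tunnel
src 10.112.4.0/26 dst 192.168.255.0/24
    dir out priority 2280 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.2
        proto esp reqid 17569 mode tunnel
src 192.168.255.0/24 dst 10.112.8.128/27
    dir fwd priority 2248 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.1
        proto esp reqid 17565 mode tunnel
src 192.168.255.0/24 dst 10.112.4.0/26
    dir fwd priority 2280 ptype main
    tmpl src 198.51.100.2 dst 203.0.113.1
        proto esp reqid 17569 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")
DIR_RE = re.compile(r"^(dir|socket) (\S+) priority (\d+)")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


@dataclass
class XfrmPolicy:
    src: str
    dst: str
    proto: Optional[str]
    kind: str = ""          # "dir" for in/out/fwd policies, "socket" for socket policies
    direction: str = ""
    priority: int = 0
    templates: List[Dict[str, object]] = field(default_factory=list)

    @property
    def needs_template(self) -> bool:
        # Only directional policies are expected to carry an ESP/AH template.
        return self.kind == "dir"


def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Turn `ip xfrm policy show` text into a list of XfrmPolicy records."""
    policies: List[XfrmPolicy] = []
    current: Optional[XfrmPolicy] = None
    pending: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SEL_RE.match(line)
        if m:                                   # a new policy starts at a selector line
            current = XfrmPolicy(src=m.group(1), dst=m.group(2), proto=m.group(3))
            policies.append(current)
            pending = None
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current.kind, current.direction, current.priority = m.group(1), m.group(2), int(m.group(3))
            continue
        m = TMPL_RE.match(line)
        if m:                                   # template header; its proto line follows
            pending = {"src": m.group(1), "dst": m.group(2)}
            current.templates.append(pending)
            continue
        m = PROTO_RE.match(line)
        if m and pending is not None:
            pending.update(proto=m.group(1), reqid=int(m.group(2)), mode=m.group(3))
            pending = None
    return policies


def find_incomplete(policies: List[XfrmPolicy]) -> List[XfrmPolicy]:
    """Return directional policies that have no template at all (bypass policies)."""
    return [p for p in policies if p.needs_template and not p.templates]


if __name__ == "__main__":
    try:   # use the live policy database when available, the constructed sample otherwise
        text = subprocess.run(["ip", "xfrm", "policy", "show"], check=True,
                              capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    for p in find_incomplete(parse_xfrm_policies(text)):
        print(f"INCOMPLETE: src {p.src} dst {p.dst} proto {p.proto} dir {p.direction} priority {p.priority}")
```

Run from cron or a monitoring agent, a non-empty result is the signal to re-establish the affected connection (for example with `ipsec auto --replace`) and to check Pluto's log around the last rekey; the selector and priority in the report identify which conn and which subnet pair is affected.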