[Openswan Users] Magically appearing xfrm rules

Iain Buchanan iainbuc at gmail.com
Sat Jul 19 09:17:19 EDT 2014

They seem to get created when the link goes down for a while - they target particular traffic flows (specifying the port etc.)  When the link comes back up they stick around and cause chaos.  Restarting the ipsec service fixes the problem.

Anyone know why these would get created?


On 18 July 2014 at 08:06:27, Iain Buchanan (iainbuc at gmail.com) wrote:


I'm using Openswan 2.6.37/K3.2.0-65-generic (netkey) and I'm having strange issues where just UDP traffic occasionally stops going through an Openswan IPSEC link.  I've also been having TCP connection drop-outs occurring that I'm starting to suspect are also due to ip xfrm policy rules appearing (yet to catch it in the act though).

If I do "ip xfrm policy" when UDP stops working I can see rules appearing that explicitly drop the UDP traffic between the two hosts.  Removing these rules fixes the issue.

This may not be an Openswan issue at all, but does anyone have any idea why this would occur?  I'm having great difficulty finding any documentation around who changes this table, why and when!
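As an added example (editor's code, not from this thread or from Openswan): a small Python script that parses `ip xfrm policy` output and flags `action block` policies whose selector names a protocol or port, which is the kind of narrow drop rule described above; run from cron it records when such rules appear so they can be caught in the act. The sample output, addresses and ports are constructed, and the parser assumes iproute2's tab-indented layout (one unindented `src ... dst ...` line per policy, `tmpl` details indented beneath it).

```python
import subprocess

# Constructed sample of `ip xfrm policy` output (not from the thread): one
# normal tunnel-mode policy followed by two narrow "action block" policies
# dropping a single UDP flow in each direction between two hosts.
SAMPLE = """\
src 192.0.2.10/32 dst 198.51.100.20/32
\tdir out priority 2080 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 16385 mode tunnel
src 192.0.2.10/32 dst 198.51.100.20/32 proto udp sport 5060 dport 5060
\tdir out action block priority 1 ptype main
src 198.51.100.20/32 dst 192.0.2.10/32 proto udp dport 5060
\tdir in action block priority 1 ptype main
"""

NARROW_KEYS = ("proto", "sport", "dport")


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into a list of {key: value} dicts.

    A policy starts on an unindented line; indented lines belong to it.
    Template ("tmpl") lines and anything nested under them are skipped,
    since only the selector, direction and action matter for this check.
    """
    policies, in_tmpl = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace():
            policies.append({})
            in_tmpl = False
        elif in_tmpl or stripped.startswith("tmpl"):
            in_tmpl = True
            continue
        tokens = stripped.split()  # output is a flat "key value key value" list
        for key, value in zip(tokens[0::2], tokens[1::2]):
            policies[-1][key] = value
    return policies


def find_block_policies(policies):
    """Return block policies that match a specific protocol or port.

    Broad subnet-to-subnet policies are what an IPsec tunnel normally
    installs; a per-flow block with ports is the suspicious case.
    """
    return [p for p in policies
            if p.get("action") == "block" and any(k in p for k in NARROW_KEYS)]


if __name__ == "__main__":
    # Replace SAMPLE with live output on a real host:
    # subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True).stdout
    for p in find_block_policies(parse_xfrm_policies(SAMPLE)):
        print(p.get("dir", "?"), " ".join(
            f"{k} {p[k]}" for k in ("src", "dst", "proto", "sport", "dport") if k in p))
```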

