[Openswan Users] openswan tunnel and transport conflict?

Julien julien.t43+openswan at gmail.com
Tue Dec 29 08:42:52 EST 2015


Hello,

I'm trying to set up an IPsec tunnel between a Linux box and an operator modem.
Linux is Ubuntu Trusty based with openswan; no iptables currently.
The operator box is proprietary, IPsec only (no xl2tpd).

I started doing my setup with the following ansible role
https://github.com/ahelal/ansible-l2tp_ipsec
I customized it to operate as tunnel mode without l2tp part.

Tunnel established correctly (got the 'STATE_QUICK_R2: IPsec SA established
tunnel mode') and sometimes it works/pings fine... but most of the time it
seems there is a routing issue.
Why?
Because I see packets coming one way with tcpdump but not leaving the Linux
box.

also 'ip xfrm policy' returns both tunnel and transport link for one
src-dst couple...
+ ip xfrm policy
src 10.x.y.0/24 dst 192.168.z.0/24
    dir out priority 2344
    tmpl src a.b.c.202 dst e.f.g.12
        proto comp reqid 16386 mode tunnel
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 192.168.z.0/24 dst 10.x.y.0/24
    dir fwd priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto comp reqid 16386 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport

See config and some extra output here
http://pastebin.com/UkwP9ery

Linux also has an openvpn server, but it is not supposed to impact ip xfrm
policy.
I'm positive that I was using the same config at some moment it was working.
I don't know what else outside of openswan can affect ip xfrm

I also tried to remove this policy manually but can't find the right command:
# ip xfrm policy delete tmpl in src 0.0.0.0/0 dst 0.0.0.0/0
Error: argument "tmpl" is wrong: unknown
# ip xfrm policy delete dir in src 0.0.0.0/0 dst 0.0.0.0/0
RTNETLINK answers: No such file or directory

Any pointers?

Thanks

J
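An added example, not part of the post above: a small Python parser for `ip xfrm policy` output that groups the templates attached to each selector and classifies them. The sample text is the dump quoted in the post, with the poster's anonymised addresses kept as written. The script labels a policy as "mixed" when its templates combine tunnel and transport mode, except for the specific pair seen here: a `comp` template in tunnel mode followed by an `esp` template in transport mode is how the Linux kernel expresses IPComp layered under ESP (openswan's `compress=yes`), so it is reported as "ipcomp" rather than as two conflicting SAs. Function and label names are my own.

```python
"""Parse `ip xfrm policy` output and summarise the templates attached to
each selector, flagging policies that mix tunnel and transport templates."""
import re

# Constructed sample: the policy dump quoted in the post, addresses left
# anonymised exactly as the poster wrote them.
SAMPLE = """\
src 10.x.y.0/24 dst 192.168.z.0/24
    dir out priority 2344
    tmpl src a.b.c.202 dst e.f.g.12
        proto comp reqid 16386 mode tunnel
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 192.168.z.0/24 dst 10.x.y.0/24
    dir fwd priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto comp reqid 16386 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (\S+)(?: priority (\d+))?")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\S+)(?: reqid (\d+))? mode (\S+)")


def parse_policies(text):
    """Return a list of dicts: selector, dir, priority and its templates."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SEL_RE.match(line)
        if m:
            policies.append({"src": m.group(1), "dst": m.group(2),
                             "dir": None, "priority": None, "tmpls": []})
            continue
        if not policies:
            continue  # ignore anything before the first selector line
        cur = policies[-1]
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2)) if m.group(2) else None
            continue
        m = TMPL_RE.match(line)
        if m:
            # iproute2 omits "level" when it is the default (required)
            cur["tmpls"].append({"src": m.group(1), "dst": m.group(2),
                                 "proto": None, "reqid": None, "mode": None,
                                 "level": "required"})
            continue
        m = PROTO_RE.match(line)
        if m and cur["tmpls"]:
            t = cur["tmpls"][-1]
            t["proto"], t["mode"] = m.group(1), m.group(3)
            t["reqid"] = int(m.group(2)) if m.group(2) else None
            continue
        if line.startswith("level ") and cur["tmpls"]:
            cur["tmpls"][-1]["level"] = line.split()[1]
    return policies


def classify(policy):
    """Label a policy by its template set (labels are this script's own):
    'single'  - at most one template
    'ipcomp'  - comp/tunnel then esp/transport: the kernel's representation
                of IPComp under ESP, not two conflicting SAs
    'mixed'   - any other combination of tunnel and transport templates
    'uniform' - several templates, all in the same mode
    """
    modes = [t["mode"] for t in policy["tmpls"]]
    protos = [t["proto"] for t in policy["tmpls"]]
    if len(modes) <= 1:
        return "single"
    if protos == ["comp", "esp"] and modes == ["tunnel", "transport"]:
        return "ipcomp"
    if len(set(modes)) > 1:
        return "mixed"
    return "uniform"


def report(text):
    """Map 'src->dst dir' to its label, for a quick scan of a full dump."""
    return {f"{p['src']}->{p['dst']} {p['dir']}": classify(p)
            for p in parse_policies(text)}


if __name__ == "__main__":
    # On a live host: ip xfrm policy | python3 this_script.py (feed stdin
    # to report() instead of SAMPLE)
    for key, label in report(SAMPLE).items():
        print(f"{key}: {label}")
```

Running it against the quoted dump labels both the `out` and `fwd` policies as "ipcomp"; a policy that really did carry, say, an ESP tunnel template next to an AH transport template would come back as "mixed" and be worth comparing against the connection definitions that installed it.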