[Openswan Users] How is 'ip xfrm policy' generated

Steve MacDougall smacdougall at bluepay.ca
Wed Aug 3 10:59:38 EDT 2016


I recently had an issue with a tunnel that was working fine for months,
then suddenly traffic that should have gone over the tunnel was going to
the gateway instead.

I eventually traced the trouble to two xfrm policies:

One policy had 'action block' for the src, dst, and dport of the traffic I
was sending.

The other policy had 'proto tcp', instead of 'proto esp', for the src and
dst. The correct policies to send the traffic over the tunnel were also
present, but these two policies seemed to take precedence. Once I deleted
them the traffic went over the tunnel.

My question is: where did these policies suddenly come from? There was
nothing in '/etc/ipsec.d/policies/block', and as far as I know, nobody
would have gone in and manually created them.

--

Steve MacDougall

Sr. Systems/Network Administrator

647.258.3704 Direct

289.924.1086 Mobile

smacdougall at bluepay.ca
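As an added diagnostic (not part of the original post or of Openswan): a small Python script that parses `ip xfrm policy show` output, here a constructed sample in that layout with RFC 5737 addresses, and reports which policy the kernel would apply to a given flow. Within one direction the matching policy with the lowest priority value wins, which is how a narrower 'action block' or 'proto tcp' selector can shadow the broader tunnel policy even though both are installed.

```python
# Which xfrm policy does the kernel apply to a flow?  Within a direction the
# matching policy with the LOWEST priority value wins, so a narrow 'action
# block' or 'proto tcp' policy can shadow the broad tunnel policy beside it.
import ipaddress
import re

# Constructed sample in the layout of `ip xfrm policy show` (RFC 5737 addresses).
SAMPLE = """\
src 10.1.0.0/16 dst 10.2.0.0/16 proto tcp dport 443
\tdir out action block priority 1000 ptype main
src 10.1.0.0/16 dst 10.2.0.0/16
\tdir out priority 2344 ptype main
\ttmpl src 203.0.113.1 dst 198.51.100.1
\t\tproto esp reqid 16389 mode tunnel
"""

def parse_policies(text):
    """One dict per policy: selector fields, dir, priority, action, tmpl."""
    policies = []
    for line in (l for l in text.splitlines() if l.strip()):
        tokens = line.split()
        if not line[0].isspace():                 # selector line opens a policy
            policies.append(dict(zip(tokens[::2], tokens[1::2]), action="allow", tmpl=[]))
        elif tokens[0] == "dir":
            policies[-1]["dir"] = tokens[1]
            policies[-1]["priority"] = int(re.search(r"priority (\d+)", line).group(1))
            policies[-1]["action"] = "block" if "action block" in line else "allow"
        elif tokens[0] == "tmpl":
            policies[-1]["tmpl"].append(line.strip())
        elif tokens[0] == "proto":                # continuation of the tmpl line
            policies[-1]["tmpl"][-1] += " " + line.strip()
    return policies

def selector_matches(pol, src, dst, proto, dport):
    # Selector fields missing from the policy mean 'any'.
    return (ipaddress.ip_address(src) in ipaddress.ip_network(pol["src"], strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(pol["dst"], strict=False)
            and pol.get("proto", proto) == proto
            and int(pol.get("dport", dport)) == dport)

def verdict(policies, src, dst, proto, dport, direction="out"):
    """Outcome for the flow: lowest priority value wins; ties are not modelled."""
    cands = [p for p in policies if p["dir"] == direction
             and selector_matches(p, src, dst, proto, dport)]
    pol = min(cands, key=lambda p: p["priority"], default=None)
    if pol is None:
        return "no policy: sent in the clear by the normal route"
    if pol["action"] == "block":
        return f"blocked by priority {pol['priority']} policy"
    return f"tunneled via {pol['tmpl'][0]}" if pol["tmpl"] else "cleartext"
```

Feed it the real output of `ip xfrm policy show` and the flow that misbehaves; a 'blocked' or 'cleartext' verdict from a policy with a lower priority value than the tunnel's is the shadowing described above.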