[Openswan Users] openswan tunnel and transport conflict?

Patrick Naubert patrickn at xelerance.com
Wed Jan 6 12:27:12 EST 2016

Rescued from the spam bucket.  Please remember to subscribe to the mailing list before posting to it.
Sorry for the delay, I was on vacation.

From: Julien T <julien.t43 at gmail.com>
Subject: openswan tunnel and transport conflict?
Date: December 28, 2015 at 10:20:08 PM EST
To: users at lists.openswan.org


I'm trying to set up an IPsec tunnel between a Linux box and an operator modem.
Linux is Ubuntu trusty-based with openswan; no iptables currently.
Operator box is proprietary, IPsec only (no xl2tpd).

I started doing my setup with the following ansible role
https://github.com/ahelal/ansible-l2tp_ipsec
I customized it to operate as tunnel mode without l2tp part.

Tunnel established correctly (got the 'STATE_QUICK_R2: IPsec SA established tunnel mode') and sometimes it works/pings fine... but most of the time it seems there is a routing issue,
because I see packets coming one way with tcpdump but not leaving the Linux box.

Also, 'ip xfrm policy' returns both a tunnel and a transport entry for one src-dst couple...
+ ip xfrm policy
src 10.x.y.0/24 dst 192.168.z.0/24
    dir out priority 2344
    tmpl src a.b.c.202 dst e.f.g.12
        proto comp reqid 16386 mode tunnel
    tmpl src dst
        proto esp reqid 16385 mode transport
src 192.168.z.0/24 dst 10.x.y.0/24
    dir fwd priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto comp reqid 16386 mode tunnel
        level use
    tmpl src dst
        proto esp reqid 16385 mode transport

See config and some extra output here
http://pastebin.com/UkwP9ery

Linux also has an openvpn server, but it is not supposed to impact ip xfrm policy.
I'm positive that I was using the same config at some moment when it was working.
I don't know what else outside of openswan can affect ip xfrm.

I also tried to remove this policy manually but can't find the right command:
# ip xfrm policy delete tmpl in src <> dst <>
Error: argument "tmpl" is wrong: unknown
# ip xfrm policy delete dir in src <> dst <>
RTNETLINK answers: No such file or directory

Any pointers?
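
The following is an added example for the output quoted in the post above; it is not part of the original message and not openswan code. It parses `ip xfrm policy` output into policies and their template chains, so that a selector carrying two `tmpl` entries (here `proto comp` in tunnel mode followed by `proto esp` in transport mode) is displayed as what the kernel treats it as: one policy whose templates form a single bundle applied in sequence, not two competing policies. It also builds the matching `ip xfrm policy delete` invocation for each policy, using the direction the kernel reports (`out` and `fwd` in the paste); the post's delete attempt used `dir in`, and a selector/direction pair that is not installed is what the kernel reports as "No such file or directory". The sample output is constructed to mirror the shape of the paste, with documentation addresses in place of the poster's redacted ones, plus a per-socket policy line of the kind `ip xfrm policy` also prints, to show it is skipped cleanly.

```python
"""Parse `ip xfrm policy` output and show each policy's template bundle.

Added example for the thread above, not part of the original post.
SAMPLE is constructed to mirror the shape of the pasted output; the
addresses are documentation ranges, not the poster's.
"""
from dataclasses import dataclass, field

# Keywords that `ip xfrm policy` prints; a keyword directly followed by
# another keyword carries an empty value (the 'tmpl src dst' form).
KEYS = {"src", "dst", "dir", "priority", "tmpl", "proto", "reqid", "mode",
        "level", "socket", "index", "ptype", "mark", "if_id"}

SAMPLE = """\
src 10.0.1.0/24 dst 192.168.5.0/24
    dir out priority 2344
    tmpl src 198.51.100.202 dst 203.0.113.12
        proto comp reqid 16386 mode tunnel
    tmpl src dst
        proto esp reqid 16385 mode transport
src 192.168.5.0/24 dst 10.0.1.0/24
    dir fwd priority 2344
    tmpl src 203.0.113.12 dst 198.51.100.202
        proto comp reqid 16386 mode tunnel
        level use
    tmpl src dst
        proto esp reqid 16385 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
"""


@dataclass
class Template:
    src: str
    dst: str
    proto: str = ""
    reqid: int = 0
    mode: str = ""
    level: str = "required"   # the kernel default; ip prints 'level use' only when set


@dataclass
class Policy:
    src: str
    dst: str
    direction: str = ""       # out / in / fwd; empty for per-socket policies
    priority: int = 0
    templates: list = field(default_factory=list)


def kv_pairs(line):
    """Turn 'tmpl src A dst B' into {'tmpl': '', 'src': 'A', 'dst': 'B'}.
    A keyword followed by another keyword gets '' instead of swallowing it,
    which is what makes 'tmpl src dst' (transport-mode template) parse."""
    toks = line.split()
    out, i = {}, 0
    while i < len(toks):
        if i + 1 < len(toks) and toks[i + 1] not in KEYS:
            out[toks[i]] = toks[i + 1]
            i += 2
        else:
            out[toks[i]] = ""
            i += 1
    return out


def parse_xfrm_policy(text):
    """Group the flat output into Policy objects, each with its ordered templates."""
    policies, policy, tmpl = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kv = kv_pairs(line)
        if "src" in kv and "tmpl" not in kv:      # selector line starts a policy
            policy = Policy(src=kv["src"], dst=kv["dst"])
            policies.append(policy)
            tmpl = None
        elif "dir" in kv:
            policy.direction = kv["dir"]
            policy.priority = int(kv.get("priority") or 0)
        elif "tmpl" in kv:
            tmpl = Template(src=kv["src"], dst=kv["dst"])
            policy.templates.append(tmpl)
        elif "proto" in kv and tmpl is not None:
            tmpl.proto, tmpl.mode = kv["proto"], kv.get("mode", "")
            tmpl.reqid = int(kv.get("reqid") or 0)
        elif "level" in kv and tmpl is not None:
            tmpl.level = kv["level"]
        # 'socket ...' and any other lines are deliberately ignored
    return policies


def bundle_summary(policies):
    """One line per policy: direction, selector, and the template chain in
    the order the kernel applies it."""
    rows = []
    for p in policies:
        chain = " -> ".join(f"{t.proto}/{t.mode}" for t in p.templates)
        rows.append(f"{(p.direction or 'socket'):6} {p.src} -> {p.dst}: {chain or '(none)'}")
    return rows


def delete_commands(policies):
    """Build (but do not run) the delete command matching each installed
    policy.  Direction is part of the lookup key, so it must be the one the
    kernel reports; 'dir in' on an out/fwd-only selector matches nothing."""
    return [f"ip xfrm policy delete src {p.src} dst {p.dst} dir {p.direction}"
            for p in policies if p.direction]


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE)
    print("\n".join(bundle_summary(pols)))
    print("\n".join(delete_commands(pols)))
```

Run it against real output with `ip xfrm policy | python3 parse_xfrm.py` after swapping `SAMPLE` for `sys.stdin.read()`; the printed delete commands are only a diagnostic aid, and removing a policy by hand while pluto is running will be undone on the next rekey, so the persistent fix belongs in the connection configuration rather than in the xfrm database.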


