[Openswan Users] openswan tunnel and transport conflict?

Julien julien.t43+openswan at gmail.com
Sun Jan 10 14:11:10 EST 2016


Hello,

As a follow-up:
When bootstrapping the system, I got the tunnel working fine, but it seems that
after some time the configuration gets messy, as a transport entry is added.

I did it again yesterday; it was working fine, but not anymore this morning.

The configuration was unchanged,
but the ip xfrm policy was:

From (ok):

+ ip xfrm policy
src 10.x.y.0/24 dst 192.168.z.0/24
    dir out priority 2344
    tmpl src a.b.c.202 dst e.f.g.12
        proto esp reqid 16385 mode tunnel
src 192.168.z.0/24 dst 10.x.y.0/24
    dir fwd priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto esp reqid 16385 mode tunnel
src 192.168.z.0/24 dst 10.x.y.0/24
    dir in priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0

To (nok):

+ ip xfrm policy
src 10.x.y.0/24 dst 192.168.z.0/24
    dir out priority 2344
    tmpl src a.b.c.202 dst e.f.g.12
        proto comp reqid 16386 mode tunnel          <<<
    tmpl src 0.0.0.0 dst 0.0.0.0                    <<<
        proto esp reqid 16385 mode transport        <<<
src 192.168.z.0/24 dst 10.x.y.0/24
    dir fwd priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto esp reqid 16385 mode tunnel
src 192.168.z.0/24 dst 10.x.y.0/24
    dir in priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0


As a reminder, the configuration:

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    plutoopts="--perpeerlog"
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.x.y.0/24,%v4:!192.168.z.0/24

conn cloud-par-tunnel
    authby=secret
    pfs=yes
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=tunnel
    left=a.b.c.202
    leftsourceip=10.x.y.1
    leftsubnet=10.x.y.0/24
    right=e.f.g.12
    rightsourceip=192.168.z.1
    rightsubnet=192.168.z.0/24
    compress=yes
    forceencaps=yes


2015-12-29 8:42 GMT-05:00 Julien <julien.t43+openswan at gmail.com>:

> Hello,
>
> I'm trying to set up an IPsec tunnel between a Linux box and an operator modem.
> Linux is Ubuntu trusty based with openswan; no iptables currently.
> The operator box is proprietary, IPsec only (no xl2tpd).
>
> I started doing my setup with the following ansible role
> https://github.com/ahelal/ansible-l2tp_ipsec
> I customized it to operate in tunnel mode without the l2tp part.
>
> The tunnel established correctly (got the 'STATE_QUICK_R2: IPsec SA
> established tunnel mode') and sometimes it works/pings fine... but most of
> the time it seems there is a routing issue.
> Why?
> Because I see packets coming one way with tcpdump but not leaving the
> Linux box.
>
> Also, 'ip xfrm policy' returns both a tunnel and a transport link for one
> src-dst couple...
> + ip xfrm policy
> src 10.x.y.0/24 dst 192.168.z.0/24
>     dir out priority 2344
>     tmpl src a.b.c.202 dst e.f.g.12
>         proto comp reqid 16386 mode tunnel
>     tmpl src 0.0.0.0 dst 0.0.0.0
>         proto esp reqid 16385 mode transport
> src 192.168.z.0/24 dst 10.x.y.0/24
>     dir fwd priority 2344
>     tmpl src e.f.g.12 dst a.b.c.202
>         proto comp reqid 16386 mode tunnel
>         level use
>     tmpl src 0.0.0.0 dst 0.0.0.0
>         proto esp reqid 16385 mode transport
>
> See config and some extra output here
> http://pastebin.com/UkwP9ery
>
> Linux also has an openvpn server, but it is not supposed to impact the ip xfrm
> policy.
> I'm positive that I was using the same config at some moment when it was
> working.
> I don't know what else outside of openswan can affect ip xfrm.
>
> I also tried to remove this policy manually but can't find the right
> command:
> # ip xfrm policy delete tmpl in src 0.0.0.0/0 dst 0.0.0.0/0
> Error: argument "tmpl" is wrong: unknown
> # ip xfrm policy delete dir in src 0.0.0.0/0 dst 0.0.0.0/0
> RTNETLINK answers: No such file or directory
>
> Any pointers?
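The comparison the poster did by eye (the "From (ok)" and "To (nok)" snapshots above) can be scripted, which is what an operator would want in order to catch this kind of SPD drift from a cron job or a monitoring check. The following is an added example, not code from the post or from the openswan project: it parses the textual `ip xfrm policy` output in the format shown above (the format is assumed from the post), diffs two snapshots keyed on selector and direction, and separately lists policies whose template chain mixes tunnel and transport mode. The sample snapshots are copied from the post with its placeholder addresses; the unchanged `in` policy is omitted to keep the sample short. The parser ignores indentation and stray tokens, so the flattened paste and the `<<<` markers in the post parse the same as the kernel's own output.

```python
# Added example (not from the post): parse `ip xfrm policy` text and diff two
# snapshots, so policy drift like the one above is caught by a script, not by eye.
from dataclasses import dataclass, field


@dataclass
class Template:
    src: str
    dst: str
    proto: str = ""   # esp / ah / comp
    reqid: str = ""
    mode: str = ""    # tunnel / transport


@dataclass
class Policy:
    src: str
    dst: str
    direction: str = ""   # in / out / fwd, or socket-<dir> for socket policies
    tmpls: list = field(default_factory=list)

    def key(self):
        return (self.src, self.dst, self.direction)


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output (format assumed from the post). Indentation
    is ignored and unknown tokens such as the `<<<` markers are skipped."""
    policies, cur = [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "+":          # blank line or `set -x` echo of the command
            continue
        if tok[0] == "src":                    # selector line starts a new policy
            cur = Policy(src=tok[1], dst=tok[3])
            policies.append(cur)
        elif cur is None:
            continue
        elif tok[0] == "dir":                  # "dir out priority 2344"
            cur.direction = tok[1]
        elif tok[0] == "socket":               # "socket out priority 0"
            cur.direction = "socket-" + tok[1]
        elif tok[0] == "tmpl":                 # "tmpl src A dst B" opens a template
            cur.tmpls.append(Template(src=tok[2], dst=tok[4]))
        elif tok[0] == "proto" and cur.tmpls:  # "proto esp reqid 16385 mode tunnel"
            t = cur.tmpls[-1]
            t.proto, t.reqid, t.mode = tok[1], tok[3], tok[5]
    return policies


def _sig(p):
    return [(t.proto, t.mode, t.src, t.dst, t.reqid) for t in p.tmpls]


def mixed_mode_policies(policies):
    """Keys of policies whose template chain mixes tunnel and transport mode."""
    return [p.key() for p in policies if len({t.mode for t in p.tmpls}) > 1]


def diff_policies(before, after):
    """Human-readable drift between two snapshots, keyed on selector+direction."""
    b = {p.key(): p for p in before}
    a = {p.key(): p for p in after}
    out = []
    for k in sorted(set(b) | set(a)):
        if k not in a:
            out.append(f"removed policy {k}")
        elif k not in b:
            out.append(f"added policy {k}")
        elif _sig(b[k]) != _sig(a[k]):
            out.append(f"templates changed for {k}: {_sig(b[k])} -> {_sig(a[k])}")
    return out


# Sample snapshots copied from the post (placeholder addresses as given there,
# unchanged `in` policy omitted).
BEFORE = """\
src 10.x.y.0/24 dst 192.168.z.0/24
    dir out priority 2344
    tmpl src a.b.c.202 dst e.f.g.12
        proto esp reqid 16385 mode tunnel
src 192.168.z.0/24 dst 10.x.y.0/24
    dir fwd priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
"""

AFTER = """\
src 10.x.y.0/24 dst 192.168.z.0/24
    dir out priority 2344
    tmpl src a.b.c.202 dst e.f.g.12
        proto comp reqid 16386 mode tunnel
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 192.168.z.0/24 dst 10.x.y.0/24
    dir fwd priority 2344
    tmpl src e.f.g.12 dst a.b.c.202
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
"""

if __name__ == "__main__":
    before, after = parse_xfrm_policy(BEFORE), parse_xfrm_policy(AFTER)
    for line in diff_policies(before, after):
        print(line)
    print("mixed-mode policies:", mixed_mode_policies(after))
```

In use, feed it two real captures (`ip xfrm policy > /tmp/spd.$(date +%s)` taken at bootstrap and later) and alert on a non-empty diff. The script reports the tunnel/transport mix as a finding to inspect rather than as an error: a tunnel-mode `comp` template followed by a transport-mode `esp` template with 0.0.0.0 endpoints is the shape the netkey stack installs when IPComp is negotiated, which the `compress=yes` line in the configuration above asks for, so the useful question is whether that shape appeared at the same time the traffic stopped flowing.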
>