[Openswan Users] openswan tunnel and transport conflict?
Julien
julien.t43+openswan at gmail.com
Sun Jan 10 14:11:10 EST 2016
Hello,
As a follow up.
When bootstrapping the system, I got the tunnel working fine, but it seems
that after some time the configuration goes messy as a transport entry is added.
Did it again yesterday: it was working fine, but not anymore this morning.
The configuration was unchanged,
but ip xfrm policy was:
From (ok)
+ ip xfrm policy
src 10.x.y.0/24 dst 192.168.z.0/24
dir out priority 2344
tmpl src a.b.c.202 dst e.f.g.12
proto esp reqid 16385 mode tunnel
src 192.168.z.0/24 dst 10.x.y.0/24
dir fwd priority 2344
tmpl src e.f.g.12 dst a.b.c.202
proto esp reqid 16385 mode tunnel
src 192.168.z.0/24 dst 10.x.y.0/24
dir in priority 2344
tmpl src e.f.g.12 dst a.b.c.202
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
socket out priority 0
To (nok)
+ ip xfrm policy
src 10.x.y.0/24 dst 192.168.z.0/24
dir out priority 2344
tmpl src a.b.c.202 dst e.f.g.12
proto comp reqid 16386 mode tunnel <<<
tmpl src 0.0.0.0 dst 0.0.0.0 <<<
proto esp reqid 16385 mode transport <<<
src 192.168.z.0/24 dst 10.x.y.0/24
dir fwd priority 2344
tmpl src e.f.g.12 dst a.b.c.202
proto esp reqid 16385 mode tunnel
src 192.168.z.0/24 dst 10.x.y.0/24
dir in priority 2344
tmpl src e.f.g.12 dst a.b.c.202
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
socket out priority 0
As a reminder, the configuration:
config setup
nat_traversal=yes
oe=off
protostack=netkey
plutoopts="--perpeerlog"
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.x.y.0/24,%v4:!192.168.z.0/24
conn cloud-par-tunnel
authby=secret
pfs=yes
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=yes
ikelifetime=8h
keylife=1h
type=tunnel
left=a.b.c.202
leftsourceip=10.x.y.1
leftsubnet=10.x.y.0/24
right=e.f.g.12
rightsourceip=192.168.z.1
rightsubnet=192.168.z.0/24
compress=yes
forceencaps=yes
2015-12-29 8:42 GMT-05:00 Julien <julien.t43+openswan at gmail.com>:
> Hello,
>
> I'm trying to set up an IPsec tunnel between a Linux box and an operator modem.
> Linux is Ubuntu trusty based with openswan; no iptables currently.
> Operator box is proprietary, IPsec only (no xl2tpd).
>
> I started doing my setup with the following ansible role
> https://github.com/ahelal/ansible-l2tp_ipsec
> I customized it to operate as tunnel mode without l2tp part.
>
> Tunnel established correctly (got the 'STATE_QUICK_R2: IPsec SA
> established tunnel mode') and sometimes it works/pings fine... but most of
> the time, it seems there is a routing issue.
> Why?
> Because I see packets coming one way with tcpdump but not leaving the
> Linux box.
>
> also 'ip xfrm policy' returns both tunnel and transport link for one
> src-dst couple...
> + ip xfrm policy
> src 10.x.y.0/24 dst 192.168.z.0/24
> dir out priority 2344
> tmpl src a.b.c.202 dst e.f.g.12
> proto comp reqid 16386 mode tunnel
> tmpl src 0.0.0.0 dst 0.0.0.0
> proto esp reqid 16385 mode transport
> src 192.168.z.0/24 dst 10.x.y.0/24
> dir fwd priority 2344
> tmpl src e.f.g.12 dst a.b.c.202
> proto comp reqid 16386 mode tunnel
> level use
> tmpl src 0.0.0.0 dst 0.0.0.0
> proto esp reqid 16385 mode transport
>
> See config and some extra output here
> http://pastebin.com/UkwP9ery
>
> Linux also has an openvpn server, but it is not supposed to impact ip xfrm
> policy.
> I'm positive that I was using the same config at some moment when it was
> working.
> I don't know what else outside of openswan can affect ip xfrm.
>
> I also tried to remove this policy manually but can't find the right
> command:
> # ip xfrm policy delete tmpl in src 0.0.0.0/0 dst 0.0.0.0/0
> Error: argument "tmpl" is wrong: unknown
> # ip xfrm policy delete dir in src 0.0.0.0/0 dst 0.0.0.0/0
> RTNETLINK answers: No such file or directory
>
> any pointers?
>
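As an added example (not from the original thread), here is a small Python parser for `ip xfrm policy` output that records each policy's template chain, so two snapshots like the "ok" and "nok" listings above can be diffed and any subnet policy carrying a transport-mode template flagged. The addresses and the two snapshots are constructed stand-ins for the masked values in the post.

```python
import re

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^(?:dir|socket) (\S+) priority (\d+)")
TEMPLATE_RE = re.compile(r"^proto (\w+) reqid (\d+) mode (\w+)")

# Constructed snapshots modelled on the post's "ok" and "nok" listings;
# the masked addresses are replaced with RFC 5737 documentation ranges.
BEFORE = """\
src 10.1.2.0/24 dst 192.168.5.0/24
\tdir out priority 2344
\ttmpl src 203.0.113.202 dst 198.51.100.12
\t\tproto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 10.1.2.0/24
\tdir fwd priority 2344
\ttmpl src 198.51.100.12 dst 203.0.113.202
\t\tproto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
\tsocket out priority 0
"""
AFTER = """\
src 10.1.2.0/24 dst 192.168.5.0/24
\tdir out priority 2344
\ttmpl src 203.0.113.202 dst 198.51.100.12
\t\tproto comp reqid 16386 mode tunnel
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16385 mode transport
src 192.168.5.0/24 dst 10.1.2.0/24
\tdir fwd priority 2344
\ttmpl src 198.51.100.12 dst 203.0.113.202
\t\tproto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
\tsocket out priority 0
"""

def parse_xfrm_policy(text):
    """Map (src, dst, direction) -> ordered list of (proto, reqid, mode) templates."""
    policies, selector, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SELECTOR_RE.match(line):          # "src A dst B" opens a policy
            selector, key = m.groups(), None
        elif (m := DIR_RE.match(line)) and selector:  # "dir out priority N" completes its key
            key = (*selector, m.group(1))
            policies[key] = []
        elif (m := TEMPLATE_RE.match(line)) and key:  # one template per "proto ... mode ..." line
            policies[key].append(m.groups())
    return policies

def transport_policies(policies):
    """Policies whose template chain contains a transport-mode template (the '<<<' lines)."""
    return sorted(k for k, tmpls in policies.items() if any(t[2] == "transport" for t in tmpls))

def changed_policies(before, after):
    """Policies whose template chain differs between two snapshots, with both chains."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}
```

Read the flag together with the conn's compress=yes: on Linux, IPComp negotiated alongside ESP is installed as exactly this pair, a tunnel-mode comp template followed by a transport-mode esp template, so the chain is worth comparing against what the peer actually negotiated.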