settings SPD policies either by openswan or ipsec-tools all go to the same direction, to the Linux kernel.<div>So if you mess with the policies then you must know how they work.</div><div><br></div><div>openswan sets policies to the kernel.</div>
<div>if you also set policies or delete policies (with spdflush) then you may have problems.<br><br><div class="gmail_quote">2012/3/19 Ozai <span dir="ltr"><<a href="mailto:ozai.tien@gmail.com">ozai.tien@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div bgcolor="#ffffff">
<div><font color="#0000ff" face="Verdana">Dear Sirs,</font></div>
<div><font color="#0000ff" face="Verdana"></font> </div>
<div><font color="#0000ff" face="Verdana">I do not set any
policies SPD on openswan.The following setkey rules are just on the
ipsec-tool.You mean we do not need to set any policies on openswan,right?How
does openswan pass packets through the tunnel?</font></div>
<div><font color="#0000ff" face="Verdana"></font> </div>
<div><font color="#0000ff" face="Verdana">Best Regards,</font></div>
<div><font color="#0000ff" face="Verdana">Ozai</font></div><div><div class="h5">
<blockquote style="BORDER-LEFT:#0000ff 2px solid;PADDING-LEFT:5px;PADDING-RIGHT:0px;MARGIN-LEFT:5px;MARGIN-RIGHT:0px" dir="ltr">
<div>----- Original Message ----- </div>
<div><b>From:</b>
<a title="tamtamis@gmail.com" href="mailto:tamtamis@gmail.com" target="_blank">Panagiotis
Tamtamis</a> </div>
<div><b>To:</b> <a title="ozai.tien@gmail.com" href="mailto:ozai.tien@gmail.com" target="_blank">Ozai</a> </div>
<div><b>Cc:</b> <a title="paul@nohats.ca" href="mailto:paul@nohats.ca" target="_blank">Paul Wouters</a> ; <a title="users@openswan.org" href="mailto:users@openswan.org" target="_blank">users@openswan.org</a> </div>
<div><b>Sent:</b> Monday, March 19, 2012 4:44 PM</div>
<div><b>Subject:</b> Re: [Openswan Users] the packets
did not traffic under ESP tunnel on openswan</div>
<div><br></div>openswan configures kernel with policies SPD in order to pass
packets through the tunnel.
<div>with spdflush I guess you delete all these rules.</div>
<div>openswan at minimum configures 3 SPD policies. in out fwd</div>
<div><br></div>
<div>From your rules I miss the fwd rule.<br><br>
<div class="gmail_quote">2012/3/19 Ozai <span dir="ltr"><<a href="mailto:ozai.tien@gmail.com" target="_blank">ozai.tien@gmail.com</a>></span><br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Dear Paul,<br><br>In ipsec-tool,we use the setkey to
manipulate the Security Policy Database(SPD) as IPSec policy.so kernel
can unserstand which packets need to traffic under ESP tunnel,which packets
do not need.the following is the setkey configuration.<br><br>Do we have any
policy control like ipsec-tool on openswan?<br><br># cat
setkey.conf<br>flush;<br>spdflush;<br>spdadd <a href="http://192.168.1.254/24" target="_blank">192.168.1.254/24</a> <a href="http://192.168.1.254/24" target="_blank">192.168.1.254/24</a> any -P out
none;<br>spdadd <a href="http://192.168.1.254/24" target="_blank">192.168.1.254/24</a> <a href="http://192.168.1.254/24" target="_blank">192.168.1.254/24</a> any -P in none;<br>spdadd <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> any -P out
ipsec esp/tunnel/220.229.43.164-111.<u></u>83.84.59/require;<br>spdadd <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> any -P in
ipsec esp/tunnel/111.83.84.59-220.<u></u>229.43.164/require;
<div><br><br>Best Regards,<br>Ozai<br>----- Original Message -----
From: "Paul Wouters" <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>><br>To: "Ozai" <<a href="mailto:ozai.tien@gmail.com" target="_blank">ozai.tien@gmail.com</a>><br>
Cc: <<a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a>><br></div>Sent: Monday, March 19,
2012 12:52 PM
<div>
<div><br>Subject: Re: [Openswan Users] the packets did not traffic
under ESP tunnel on openswan<br><br><br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">On Mon, 19 Mar 2012, Ozai wrote:<br><br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">It still did not work after adding your
suggestions.<br>B can ping to A but A can not ping to B even from device
itself.<br>I captured the packets by wireshark and found the packets
from A client always did not traffic under ESP tunnel.Do you have any
suggestion for us<br></blockquote><br>do the clients have the ipsec
gateway as default router? If not, they<br>might need to get a route for
the remote subnet via the ipsec gateway.<br><br>Paul<br><br><br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><br>A client---------------openswan
gateway-----------------------<u></u>-------ipsec-tool
gateway---------------------B client<br>192.168.1.2
192.168.1.1 111.243.152.132 111.243.156.217
192.168.2.254
192.168.2.1<br><br>Best Regards,<br>Ozai<br>----- Original Message
----- From: "Paul Wouters" <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>><br>To: "Ozai" <<a href="mailto:ozai.tien@gmail.com" target="_blank">ozai.tien@gmail.com</a>><br>
Cc: <<a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a>><br>Sent: Saturday, March 17,
2012 11:01 PM<br>Subject: Re: [Openswan Users] the packets did not
traffic under ESP tunnel on openswan<br><br><br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">On Thu, 15 Mar 2012, Ozai wrote:<br><br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">I merged the openswan(2.6.37) into embedded
linux(mips) and tried to make the connection with another
ipsec<br>system(ipsec-tools).The ESP tunnel can be built
successfully.I tried to ping private client from ipsec-tools
to<br>openswan.It's OK.but from openswan to ipsec-tools,It's
failed.I found that from openswan to ipsec-tools,the packets
did<br>not traffic under ESP tunnel.My settings are as below.Please
help me to correct my procedure.thank's.<br></blockquote><br>Did you
test from the device itself? Did you ping -I ?<br>Try
adding:<br><br> leftsourceip=111.243.152.132<br>rightsourceip=111.243.156.217<br><br>Ensure
you are not NATing packes for/to the 192.168 ranges.<br>Ensure you
have forwarding enabled, and rp_filter disabled<br><br>(if your
embedded system has perl, try "ipsec verify"<br><br>Paul
<br></blockquote></blockquote></blockquote><br>______________________________<u></u>_________________<br><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/<u></u>mailman/listinfo/users</a><br>
Micropayments:
<a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/<u></u>38387/IPsec-for-Linux-made-<u></u>easy</a><br>Building
and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/<u></u>product/1904811256/104-<u></u>3099591-2946327?n=283155</a><br>
</div></div></blockquote></div><br><br clear="all">
<div><br></div>-- <br>Think simple!<br></div></blockquote></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Think simple!<br>
</div>