<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19190">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT color=#0000ff size=2 face=Verdana>Dear Sirs,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>I do not set any
policies SPD on openswan.The following setkey rules are just on the
ipsec-tool.You mean we do not need to set any policies on openswan,right?How
does openswan pass packets through the tunnel?</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Best Regards,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Ozai</FONT></DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #0000ff 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV style="FONT: 10pt 新細明體">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt 新細明體; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=tamtamis@gmail.com href="mailto:tamtamis@gmail.com">Panagiotis
Tamtamis</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>To:</B> <A title=ozai.tien@gmail.com
href="mailto:ozai.tien@gmail.com">Ozai</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>Cc:</B> <A title=paul@nohats.ca
href="mailto:paul@nohats.ca">Paul Wouters</A> ; <A title=users@openswan.org
href="mailto:users@openswan.org">users@openswan.org</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>Sent:</B> Monday, March 19, 2012 4:44 PM</DIV>
<DIV style="FONT: 10pt 新細明體"><B>Subject:</B> Re: [Openswan Users] the packets
did not traffic under ESP tunnel on openswan</DIV>
<DIV><BR></DIV>openswan configures kernel with policies SPD in order to pass
packets through the tunnel.
<DIV>with spdflush I guess you delete all these rules.</DIV>
<DIV>openswan at minimum configures 3 SPD policies. in out fwd</DIV>
<DIV><BR></DIV>
<DIV>From your rules I miss the fwd rule.<BR><BR>
<DIV class=gmail_quote>2012/3/19 Ozai <SPAN dir=ltr><<A
href="mailto:ozai.tien@gmail.com">ozai.tien@gmail.com</A>></SPAN><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>Dear Paul,<BR><BR>In ipsec-tool,we use the setkey to
manipulate the Security Policy Database(SPD) as IPSec policy.so kernel
can unserstand which packets need to traffic under ESP tunnel,which packets
do not need.the following is the setkey configuration.<BR><BR>Do we have any
policy control like ipsec-tool on openswan?<BR><BR># cat
setkey.conf<BR>flush;<BR>spdflush;<BR>spdadd <A
href="http://192.168.1.254/24" target=_blank>192.168.1.254/24</A> <A
href="http://192.168.1.254/24" target=_blank>192.168.1.254/24</A> any -P out
none;<BR>spdadd <A href="http://192.168.1.254/24"
target=_blank>192.168.1.254/24</A> <A href="http://192.168.1.254/24"
target=_blank>192.168.1.254/24</A> any -P in none;<BR>spdadd <A
href="http://192.168.1.0/24" target=_blank>192.168.1.0/24</A> <A
href="http://192.168.2.0/24" target=_blank>192.168.2.0/24</A> any -P out
ipsec esp/tunnel/220.229.43.164-111.<U></U>83.84.59/require;<BR>spdadd <A
href="http://192.168.2.0/24" target=_blank>192.168.2.0/24</A> <A
href="http://192.168.1.0/24" target=_blank>192.168.1.0/24</A> any -P in
ipsec esp/tunnel/111.83.84.59-220.<U></U>229.43.164/require;
<DIV class=im><BR><BR>Best Regards,<BR>Ozai<BR>----- Original Message -----
From: "Paul Wouters" <<A href="mailto:paul@nohats.ca"
target=_blank>paul@nohats.ca</A>><BR>To: "Ozai" <<A
href="mailto:ozai.tien@gmail.com"
target=_blank>ozai.tien@gmail.com</A>><BR>Cc: <<A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A>><BR></DIV>Sent: Monday, March 19,
2012 12:52 PM
<DIV class=HOEnZb>
<DIV class=h5><BR>Subject: Re: [Openswan Users] the packets did not traffic
under ESP tunnel on openswan<BR><BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>On Mon, 19 Mar 2012, Ozai wrote:<BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>It still did not work after adding your
suggestions.<BR>B can ping to A but A can not ping to B even from device
itself.<BR>I captured the packets by wireshark and found the packets
from A client always did not traffic under ESP tunnel.Do you have any
suggestion for us<BR></BLOCKQUOTE><BR>do the clients have the ipsec
gateway as default router? If not, they<BR>might need to get a route for
the remote subnet via the ipsec gateway.<BR><BR>Paul<BR><BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote><BR>A client---------------openswan
gateway-----------------------<U></U>-------ipsec-tool
gateway---------------------B client<BR>192.168.1.2
192.168.1.1 111.243.152.132 111.243.156.217
192.168.2.254
192.168.2.1<BR><BR>Best Regards,<BR>Ozai<BR>----- Original Message
----- From: "Paul Wouters" <<A href="mailto:paul@nohats.ca"
target=_blank>paul@nohats.ca</A>><BR>To: "Ozai" <<A
href="mailto:ozai.tien@gmail.com"
target=_blank>ozai.tien@gmail.com</A>><BR>Cc: <<A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A>><BR>Sent: Saturday, March 17,
2012 11:01 PM<BR>Subject: Re: [Openswan Users] the packets did not
traffic under ESP tunnel on openswan<BR><BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>On Thu, 15 Mar 2012, Ozai wrote:<BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>I merged the openswan(2.6.37) into embedded
linux(mips) and tried to make the connection with another
ipsec<BR>system(ipsec-tools).The ESP tunnel can be built
successfully.I tried to ping private client from ipsec-tools
to<BR>openswan.It's OK.but from openswan to ipsec-tools,It's
failed.I found that from openswan to ipsec-tools,the packets
did<BR>not traffic under ESP tunnel.My settings are as below.Please
help me to correct my procedure.thank's.<BR></BLOCKQUOTE><BR>Did you
test from the device itself? Did you ping -I ?<BR>Try
adding:<BR><BR> leftsourceip=111.243.152.132<BR>rightsourceip=111.243.156.217<BR><BR>Ensure
you are not NATing packes for/to the 192.168 ranges.<BR>Ensure you
have forwarding enabled, and rp_filter disabled<BR><BR>(if your
embedded system has perl, try "ipsec verify"<BR><BR>Paul
<BR></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE><BR>______________________________<U></U>_________________<BR><A
href="mailto:Users@lists.openswan.org"
target=_blank>Users@lists.openswan.org</A><BR><A
href="https://lists.openswan.org/mailman/listinfo/users"
target=_blank>https://lists.openswan.org/<U></U>mailman/listinfo/users</A><BR>Micropayments:
<A href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy"
target=_blank>https://flattr.com/thing/<U></U>38387/IPsec-for-Linux-made-<U></U>easy</A><BR>Building
and Integrating Virtual Private Networks with Openswan:<BR><A
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155"
target=_blank>http://www.amazon.com/gp/<U></U>product/1904811256/104-<U></U>3099591-2946327?n=283155</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all>
<DIV><BR></DIV>-- <BR>Think simple!<BR></DIV></BLOCKQUOTE></BODY></HTML>