<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19190">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT color=#0000ff size=2 face=Verdana>Dear Sirs,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>I started openswan and dumped
the SPD as below.</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Why is the policy rule
"esp/tunnel/111.243.153.86-111.243.149.34/<FONT color=#ff0000><STRONG>unique#16385</STRONG></FONT>" and not
"........../<FONT color=#ff0000><STRONG>require</STRONG></FONT>"? How can I
change this rule on openswan?</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Best Regards,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Ozai</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana><PRE>192.168.1.0/24[any] 192.168.2.0/24[any] any
	out ipsec
	esp/tunnel/111.243.153.86-111.243.149.34/unique#16385
	created: Jan 1 05:36:42 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3369 seq=1 pid=31009
	refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
	fwd ipsec
	esp/tunnel/111.243.149.34-111.243.153.86/unique#16385
	created: Jan 1 05:36:42 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3386 seq=2 pid=31009
	refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
	in ipsec
	esp/tunnel/111.243.149.34-111.243.153.86/unique#16385
	created: Jan 1 05:36:42 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3376 seq=3 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3364 seq=4 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3355 seq=5 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3348 seq=6 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3339 seq=7 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3332 seq=8 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3323 seq=9 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused: Jan 1 05:36:42 1970
	lifetime: 0(s) validtime: 0(s)
	spid=3316 seq=10 pid=31009
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Jan 1 05:36:40 1970 lastused: Jan 1 05:36:42 1970
	lifetime: 0(s) validtime: 0(s)
	spid=3307 seq=0 pid=31009
	refcnt=1</PRE></FONT></DIV>
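<DIV><FONT size=2 face=Verdana>The following is an added example, not code from this thread nor from openswan or ipsec-tools: a small Python parser for "setkey -DP" style output like the dump above. It skips the per-socket entries, exposes each subnet policy's direction and its level field (the "unique#16385" / "require" value asked about above), and reports which of the out, in and fwd ipsec policies a tunnel between two subnets should carry are absent. The sample dump is constructed from the addresses and spids in the dump above, with the lifetime lines cut.</FONT></DIV>

```python
import re
# Constructed, abridged sample in the shape of `setkey -DP` output, reusing the
# subnets, gateway addresses and spids quoted in the thread (lifetime lines cut).
SPD_DUMP = """\
192.168.1.0/24[any] 192.168.2.0/24[any] any
\tout ipsec
\tesp/tunnel/111.243.153.86-111.243.149.34/unique#16385
\tspid=3369 seq=1 pid=31009
\trefcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
\tfwd ipsec
\tesp/tunnel/111.243.149.34-111.243.153.86/unique#16385
\tspid=3386 seq=2 pid=31009
\trefcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/111.243.149.34-111.243.153.86/unique#16385
\tspid=3376 seq=3 pid=31009
\trefcnt=1
(per-socket policy)
\tPolicy:[Invalid direciton]
\tspid=3364 seq=4 pid=31009
"""

HEADER = re.compile(r"^(\S+)\[\S*\] (\S+)\[\S*\] (\S+)$")  # src[port] dst[port] upper-proto
DIRECTION = re.compile(r"^\t(in|out|fwd) (ipsec|discard|none)$")
RULE = re.compile(r"^\t([^/]+)/([^/]+)/([^/-]+)-([^/]+)/(\S+)$")  # esp/tunnel/src-dst/level

def parse_spd(dump):
    """One dict per subnet policy; per-socket entries carry no header and are skipped."""
    policies, cur = [], None
    for line in dump.splitlines():
        if m := HEADER.match(line):
            cur = {"src": m[1], "dst": m[2], "upper": m[3]}
            policies.append(cur)
        elif line.startswith("("):  # "(per-socket policy)": not a subnet rule
            cur = None
        elif cur is not None and (m := DIRECTION.match(line)):
            cur["dir"], cur["action"] = m[1], m[2]
        elif cur is not None and (m := RULE.match(line)):
            cur.update(zip(("proto", "mode", "gw_src", "gw_dst", "level"), m.groups()))
    return policies

def missing_directions(policies, local, remote):
    """Of the out/in/fwd ipsec policies a tunnel between local and remote needs, which are absent."""
    want = {("out", local, remote), ("in", remote, local), ("fwd", remote, local)}
    have = {(p.get("dir"), p["src"], p["dst"]) for p in policies if p.get("action") == "ipsec"}
    return sorted(d for d, _, _ in want - have)
```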
<BLOCKQUOTE
style="BORDER-LEFT: #0000ff 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV style="FONT: 10pt 新細明體">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt 新細明體; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=tamtamis@gmail.com href="mailto:tamtamis@gmail.com">Panagiotis
Tamtamis</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>To:</B> <A title=ozai.tien@gmail.com
href="mailto:ozai.tien@gmail.com">Ozai</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>Cc:</B> <A title=paul@nohats.ca
href="mailto:paul@nohats.ca">Paul Wouters</A> ; <A title=users@openswan.org
href="mailto:users@openswan.org">users@openswan.org</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>Sent:</B> Monday, March 19, 2012 6:53 PM</DIV>
<DIV style="FONT: 10pt 新細明體"><B>Subject:</B> Re: [Openswan Users] the packets
did not traffic under ESP tunnel on openswan</DIV>
<DIV><BR></DIV>Setting SPD policies, whether by openswan or by ipsec-tools, all goes
in the same direction: to the Linux kernel.
<DIV>So if you mess with the policies, then you must know how they work.</DIV>
<DIV><BR></DIV>
<DIV>Openswan sets policies in the kernel.</DIV>
<DIV>If you also set policies or delete policies (with spdflush), then you may
have problems.<BR><BR>
<DIV class=gmail_quote>2012/3/19 Ozai <SPAN dir=ltr><<A
href="mailto:ozai.tien@gmail.com">ozai.tien@gmail.com</A>></SPAN><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote><U></U>
<DIV bgcolor="#ffffff">
<DIV><FONT color=#0000ff face=Verdana>Dear Sirs,</FONT></DIV>
<DIV><FONT color=#0000ff face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff face=Verdana>I do not set any
SPD policies on openswan. The following setkey rules are just on
ipsec-tools. You mean we do not need to set any policies on
openswan, right? How does openswan pass packets through the
tunnel?</FONT></DIV>
<DIV><FONT color=#0000ff face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff face=Verdana>Best Regards,</FONT></DIV>
<DIV><FONT color=#0000ff face=Verdana>Ozai</FONT></DIV>
<DIV>
<DIV class=h5>
<BLOCKQUOTE
style="BORDER-LEFT: #0000ff 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV>----- Original Message ----- </DIV>
<DIV><B>From:</B> <A title=tamtamis@gmail.com
href="mailto:tamtamis@gmail.com" target=_blank>Panagiotis Tamtamis</A>
</DIV>
<DIV><B>To:</B> <A title=ozai.tien@gmail.com
href="mailto:ozai.tien@gmail.com" target=_blank>Ozai</A> </DIV>
<DIV><B>Cc:</B> <A title=paul@nohats.ca href="mailto:paul@nohats.ca"
target=_blank>Paul Wouters</A> ; <A title=users@openswan.org
href="mailto:users@openswan.org" target=_blank>users@openswan.org</A>
</DIV>
<DIV><B>Sent:</B> Monday, March 19, 2012 4:44 PM</DIV>
<DIV><B>Subject:</B> Re: [Openswan Users] the packets did not traffic
under ESP tunnel on openswan</DIV>
<DIV><BR></DIV>Openswan configures the kernel with SPD policies in order to
pass packets through the tunnel.
<DIV>With spdflush I guess you delete all these rules.</DIV>
<DIV>Openswan at minimum configures 3 SPD policies: in, out, fwd.</DIV>
<DIV><BR></DIV>
<DIV>From your rules I miss the fwd rule.<BR><BR>
<DIV class=gmail_quote>2012/3/19 Ozai <SPAN dir=ltr><<A
href="mailto:ozai.tien@gmail.com"
target=_blank>ozai.tien@gmail.com</A>></SPAN><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>Dear Paul,<BR><BR>In ipsec-tools, we use setkey to
manipulate the Security Policy Database (SPD) as the IPsec policy, so the
kernel can understand which packets need to go through the ESP
tunnel and which do not. The following is the setkey
configuration.<BR><BR>Do we have any policy control like ipsec-tools on
openswan?<BR><PRE># cat setkey.conf
flush;
spdflush;
spdadd 192.168.1.254/24 192.168.1.254/24 any -P out none;
spdadd 192.168.1.254/24 192.168.1.254/24 any -P in none;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/220.229.43.164-111.83.84.59/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/111.83.84.59-220.229.43.164/require;</PRE>
<DIV><BR><BR>Best Regards,<BR>Ozai<BR>----- Original Message ----- From:
"Paul Wouters" <<A href="mailto:paul@nohats.ca"
target=_blank>paul@nohats.ca</A>><BR>To: "Ozai" <<A
href="mailto:ozai.tien@gmail.com"
target=_blank>ozai.tien@gmail.com</A>><BR>Cc: <<A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A>><BR></DIV>Sent: Monday, March
19, 2012 12:52 PM
<DIV>
<DIV><BR>Subject: Re: [Openswan Users] the packets did not traffic under
ESP tunnel on openswan<BR><BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>On Mon, 19 Mar 2012, Ozai wrote:<BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>It still did not work after adding your
suggestions.<BR>B can ping A, but A cannot ping B, even from the
device itself.<BR>I captured the packets with Wireshark and found that the
packets from the A client never went through the ESP tunnel. Do you
have any suggestion for us?<BR></BLOCKQUOTE><BR>Do the clients have the
ipsec gateway as default router? If not, they<BR>might need to get a
route for the remote subnet via the ipsec
gateway.<BR><BR>Paul<BR><BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote><BR><PRE>A client---------------openswan gateway------------------------------ipsec-tool gateway---------------------B client
192.168.1.2            192.168.1.1     111.243.152.132           111.243.156.217   192.168.2.254               192.168.2.1</PRE><BR>Best Regards,<BR>Ozai<BR>-----
Original Message ----- From: "Paul Wouters" <<A
href="mailto:paul@nohats.ca"
target=_blank>paul@nohats.ca</A>><BR>To: "Ozai" <<A
href="mailto:ozai.tien@gmail.com"
target=_blank>ozai.tien@gmail.com</A>><BR>Cc: <<A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A>><BR>Sent: Saturday, March
17, 2012 11:01 PM<BR>Subject: Re: [Openswan Users] the packets did
not traffic under ESP tunnel on openswan<BR><BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>On Thu, 15 Mar 2012, Ozai wrote:<BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>I merged openswan (2.6.37) into embedded
Linux (MIPS) and tried to make the connection with another
IPsec<BR>system (ipsec-tools). The ESP tunnel can be built
successfully. I tried to ping the private client from ipsec-tools
to<BR>openswan. It's OK, but from openswan to ipsec-tools it
failed. I found that from openswan to ipsec-tools the packets
did<BR>not go through the ESP tunnel. My settings are as
below. Please help me to correct my
procedure. Thanks.<BR></BLOCKQUOTE><BR>Did you test from the
device itself? Did you ping -I ?<BR>Try
adding:<BR><BR> leftsourceip=111.243.152.132<BR>rightsourceip=111.243.156.217<BR><BR>Ensure
you are not NATing packets for/to the 192.168 ranges.<BR>Ensure you
have forwarding enabled, and rp_filter disabled.<BR><BR>(If your
embedded system has perl, try "ipsec verify".)<BR><BR>Paul
<BR></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE><BR>_______________________________________________<BR><A
href="mailto:Users@lists.openswan.org"
target=_blank>Users@lists.openswan.org</A><BR><A
href="https://lists.openswan.org/mailman/listinfo/users"
target=_blank>https://lists.openswan.org/mailman/listinfo/users</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all>
<DIV><BR></DIV>-- <BR>Think
simple!<BR></DIV></BLOCKQUOTE></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all>
<DIV><BR></DIV>-- <BR>Think simple!<BR></DIV></BLOCKQUOTE></BODY></HTML>