Hi,
I tried to set up an IPsec tunnel on Debian 6.0, following
http://www.ipsec-howto.org/x304.html using setkey/racoon
(ipsec-tools/racoon 0.7.3-12).
The diagram is like:
local-gw remote-gw
a.0/25 ---(a.126, xxx.3) <----Internet ---> (yyy.5, b.254) --->b.0/24
The /etc/ipsec-tools.conf on left side is:
spdadd a.0/25 b.0/24 any -P out ipsec
esp/tunnel/xxx.3-yyy.5/unique;
spdadd b.0/24 a.0/25 any -P in ipsec
esp/tunnel/yyy.5-xxx.3/unique;
The racoon log showed the SA established OK:
INFO: IPsec-SA established: ESP/Tunnel yyy.5[0]->xxx.3[0]
spi=217278943(0xcf369df)
IPsec-SA established: ESP/Tunnel xxx.3[500]->yyy.5[500]
spi=1868651708(0x6f615cbc)
However, the outgoing traffic from the a.0/25 network seems to go out
without using IPsec. (Incoming traffic from the remote site is OK; using
tshark it showed that pings from b.0/24 to a.0/25 use ESP.)
According to http://ipsec-tools.sourceforge.net/checklist.html:
gateway's traffic goes from secure interface
This could be achieved by routing local traffic via internal
(secure) interface:
ip route add other.network/mask via default.gw src
gateway's.private.addr
or alternatively, it is possible to set up extra policies for
gateway-remote_networks, gateway-gateway and local_networks-gateway
traffic.
So I added:
ip route add b.0/24 via xxx.3 src a.126
ip route show:
a.0/25 dev eth1 proto kernel scope link src a.126
b.0/24 via xxx.3 dev eth0 src a.126
default via xxx.1 dev eth0
But it still does NOT use IPsec to send out the outgoing traffic.
What could be wrong?
Thanks,
Min
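An added helper (not from the original post, and not part of ipsec-tools) that parses spdadd lines of the form shown above and reports which policy, if any, the kernel's SPD would select for a given flow. The addresses are constructed stand-ins for the post's placeholders (a.0/25 -> 10.0.0.0/25, a.126 -> 10.0.0.126, xxx.3 -> 192.0.2.3, b.0/24 -> 10.1.0.0/24, yyy.5 -> 198.51.100.5); it also shows that a packet sourced from the gateway's public address falls outside the out policy and leaves in clear text.

```python
import ipaddress
import re

# Constructed SPD, mirroring the two policies in the post with stand-in
# addresses (see lead-in). Layout matches /etc/ipsec-tools.conf.
SPD_CONF = """
spdadd 10.0.0.0/25 10.1.0.0/24 any -P out ipsec
esp/tunnel/192.0.2.3-198.51.100.5/unique;
spdadd 10.1.0.0/24 10.0.0.0/25 any -P in ipsec
esp/tunnel/198.51.100.5-192.0.2.3/unique;
"""

# spdadd <src> <dst> <upper-proto> -P <dir> <action> [<template>];
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(\S+)\s*(\S+)?;"
)


def parse_spd(text):
    """Turn spdadd lines into policy dicts with parsed networks."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, proto, direction, action, template = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto,
            "dir": direction,
            "action": action,
            "template": template,
        })
    return policies


def match_policy(policies, src_ip, dst_ip, direction):
    """Return the first policy selecting this flow, or None.

    None means no SPD entry matches, i.e. the packet is sent or
    accepted as plaintext rather than through the ESP tunnel.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None
```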