On Thu, 17 Nov 2011, Prashant Batra (prbatra) wrote:

> One basic question related to IPSec processing on gateway.
> I have established IPSec tunnels between two gateways (gw1 and gw2). On gw1 I am
> using Linux kernel IPSec (a normal linux server which will act as gateway).
> The SPD and SAD database on gw1 is-

This might be off-topic for this list?

> gw1#ip xfrm policy

How did you create the policies? openswan? ipsec-tools? ip xfrm command?

> Now I am trying to send data from host1 (behind gw1) 172.16.80.1 to host2
> 172.16.60.1 which is behind gw2. But gw1 IPSec is not processing the packets-

You need to ensure your policy covers the subnets. In openswan terms that
is leftsubnet=172.16.80.0/24 and rightsubnet=172.16.80.0/24

> host1#ping 172.16.60.1 -I 172.16.80.1

Again, using openswan you can specify leftsourceip= and rightsourceip= to change
the default of using the "nearest IP to destination" (which is the public ip not
covered by the net-to-net IPsec policies) so your applications do not need to
do anything special (like -I in ping)

> Please correct me if my understanding is wrong.

There are many things that can go wrong. Openswan provides the "ipsec verify"
command to test your system settings for forwarding, rp_filter, etc. Then you
also need to ensure you are not NATing packets, in your case:

iptables -I POSTROUTING -s 172.16.80.0/24 -d 172.16.60.0/24 -j RETURN

(and a mirrored rule on the other end)

If you are using the NETKEY stack, there is not much debugging you can
do, and tcpdump cannot show you outgoing encrypted packets (they are
encrypted after tcpdump can see them) so you should look on the other end
to see incoming ESP or UDP 4500 packets. If using the KLIPS ipsec stack,
you can tcpdump ipsec0 and eth0 separately and see plaintext and crypted
packets normally.

If you are using openswan for your IKE daemon, please send any followups
to [email protected] as this list is meant for IETF IPsec protocol
discussions.

Paul
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
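Added example, not from the thread or from openswan: a small Python checker that parses `ip xfrm policy` output and reports whether a given host pair is covered by a policy in a given direction. The sample output below is constructed, with the "out" policy's dst subnet deliberately set to 172.16.80.0/24 (the kind of mismatch a wrong rightsubnet= produces) and made-up 192.0.2.x gateway addresses.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output on gw1 (not from the thread).
# The "out" policy's dst is deliberately 172.16.80.0/24 instead of
# 172.16.60.0/24, mimicking a mis-set rightsubnet=; 192.0.2.x are made-up
# gateway addresses.
SAMPLE_XFRM_POLICY = """\
src 172.16.80.0/24 dst 172.16.80.0/24
\tdir out priority 2344 ptype main
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 16385 mode tunnel
src 172.16.60.0/24 dst 172.16.80.0/24
\tdir in priority 2344 ptype main
\ttmpl src 192.0.2.2 dst 192.0.2.1
\t\tproto esp reqid 16385 mode tunnel
src 172.16.60.0/24 dst 172.16.80.0/24
\tdir fwd priority 2344 ptype main
\ttmpl src 192.0.2.2 dst 192.0.2.1
\t\tproto esp reqid 16385 mode tunnel
"""

HEADER = re.compile(r"^src (\S+) dst (\S+)")
DIRLINE = re.compile(r"^\s+dir (\S+) priority (\d+)")

def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` text into dicts: src/dst nets, dir, priority, tunnel."""
    policies = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new policy entry starts with its selector
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None, "priority": None, "tunnel": False})
            continue
        m = DIRLINE.match(line)
        if m and policies:
            policies[-1]["dir"], policies[-1]["priority"] = m.group(1), int(m.group(2))
        elif "mode tunnel" in line and policies:
            policies[-1]["tunnel"] = True
    return policies

def matching_policy(policies, src_ip, dst_ip, direction):
    """Policy the kernel applies to src_ip->dst_ip in `direction` ("out", "in",
    "fwd"), or None if the traffic is not covered. Lower priority value wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None
```

Against the sample, `matching_policy(pols, "172.16.80.1", "172.16.60.1", "out")` returns None, which is the symptom described in the thread: no outbound policy covers host2's subnet, so the kernel forwards the ping in the clear instead of applying ESP.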