Hello,

strongSwan does not depend on setkey for the installation of IPsec policies. Our daemon creates them itself. If you use the mode auto=route then the first outbound IP packet will trigger the negotiation of an IPsec SA. If you install the policies using setkey then the daemon will not react to the trigger received from the IPsec stack in the Linux kernel.
Please have a look at our net2net-route example:

http://www.strongswan.org/uml/testresults/ikev2/net2net-route/

Best regards

Andreas

On 04/11/2012 03:20 AM, nagaraj wrote:
> Hi,
>
> I am trying to establish an ESP tunnel between GW1 and GW2 and my ipsec
> pre-shared key configuration on GW1 and GW2 is as follows. When I ping
> the far end interface on Host A from Host B, I notice that ICMP packets
> are not ESP encrypted and also ipsec status on both GW1 and GW2 reports
> no SA associations. Could somebody please tell me if I am missing
> something here? I am using strongswan ver 4.6.2 on both the gateways.
>
> My kernel version on Gateway 1 is:
>
> [root@ex-target ~]# uname -a
> Linux ex-target 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux
>
> and on Gateway 2, kernel version is:
>
> root@gateway2:~# uname -a
> Linux gateway2 2.6.32-40-server #87-Ubuntu SMP Tue Mar 6 02:10:02 UTC 2012 x86_64 GNU/Linux
> root@gateway2:~#
>
> root@gateway2:~# ipsec status
> Security Associations (0 up, 0 connecting):
>   none
> root@gateway2:~#
>
> HostA------------GW1==============GW2---------------HostB
>
> HostA:
>   ipaddress: 192.167.2.2/24
>
> GW1:
>   ipaddress
>   eth0: 192.167.2.180/24
>   eth1: 192.167.21.1/24
>
> GW2:
>   ipaddress
>   eth1: 192.167.21.2/24
>   eth0: 192.167.1.180/24
>
> HostB:
>   ipaddress 192.167.1.69/24
>
> *ipsec configuration on GW1:*
> [root@ex-target etc]# more /usr/local/etc/ipsec.conf
> #!/usr/sbin/setkey -f
>
> # Flush the SAD and SPD
> flush;
> spdflush;
>
> # ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
> # and authentication using 128 bit long keys
> add 192.167.2.180 192.167.1.180 esp 0x201 -m tunnel -E 3des-cbc
>     0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
>     -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
>
> add 192.167.1.180 192.167.2.180 esp 0x301 -m tunnel -E 3des-cbc
>     0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
>     -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
>
> # Security policies
> spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec
>     esp/tunnel/192.168.1.172-192.168.31.141/require;
>
> spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
>     esp/tunnel/192.168.32.141-192.168.1.172/require;
>
> spdadd 172.16.1.0/24 172.16.2.0/24 any -P fwd ipsec
>     esp/tunnel/192.168.1.172-192.168.31.141/require;
>
> spdadd 172.16.2.0/24 172.16.1.0/24 any -P rev ipsec
>     esp/tunnel/192.168.32.141-192.168.1.172/require;
>
> spdadd 192.167.2.0/24 192.167.1.0/24 any -P out ipsec
>     esp/tunnel/192.167.21.1-192.167.21.2/require;
>
> spdadd 192.167.1.0/24 192.167.2.0/24 any -P in ipsec
>     esp/tunnel/192.167.21.2-192.167.21.1/require;
>
> spdadd 192.167.2.0/24 192.167.1.0/24 any -P fwd ipsec
>     esp/tunnel/192.167.21.1-192.167.21.2/require;
>
> spdadd 192.167.1.0/24 192.167.2.0/24 any -P rev ipsec
>     esp/tunnel/192.167.21.2-192.167.21.1/require;
>
> # config setup
> #     cachecrli=yes
> #     strictcrlpolicy=yes
> #     plutostart=no
>
> conn net-net
>     leftsubnet=192.167.2.0/24
>     right=192.167.21.2
>     rightsubnet=192.167.1.0/24
>     auto=add
> [root@ex-target etc]#
>
> [root@ex-target etc]# more /usr/local/etc/ipsec.secrets
> : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
> [root@ex-target etc]#
>
> *ipsec configuration on GW2:*
> root@gateway2:~# more /usr/local/etc/ipsec.conf
> # Flush the SAD and SPD
> flush;
> spdflush;
>
> # ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
> # and authentication using 128 bit long keys
> add 192.167.21.2 192.167.21.1 esp 0x201 -m tunnel -E 3des-cbc
>     0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
>     -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
>
> add 192.167.21.1 192.167.21.2 esp 0x301 -m tunnel -E 3des-cbc
>     0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
>     -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
>
> spdadd 192.167.1.0/24 192.167.2.0/24 any -P out ipsec
>     esp/tunnel/192.167.21.2-192.167.21.1/require;
>
> spdadd 192.167.2.0/24 192.167.1.0/24 any -P in ipsec
>     esp/tunnel/192.167.21.1-192.167.21.2/require;
>
> spdadd 192.167.1.0/24 192.167.2.0/24 any -P fwd ipsec
>     esp/tunnel/192.167.21.2-192.167.21.1/require;
>
> spdadd 192.167.2.0/24 192.167.1.0/24 any -P rev ipsec
>     esp/tunnel/192.167.21.1-192.167.21.2/require;
>
> conn net-net
>     leftsubnet=192.167.1.0/24
>     right=192.167.21.1
>     rightsubnet=192.167.2.0/24
>     auto=add
> root@gateway2:~#
> root@gateway2:~# more /usr/local/etc/ipsec.secrets
> : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
> root@gateway2:~#

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
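For comparison, this is how the same net-to-net tunnel looks when the kernel policies are left entirely to strongSwan and auto=route is used for on-demand negotiation, as the reply recommends. It is an added example built from the addresses in the quoted message, not configuration from the thread or from the net2net-route test case; the left= values, the IKEv2 choice and the PSK placeholder are assumptions.

```ini
# /usr/local/etc/ipsec.conf on GW1 (added example). GW2 uses the same file
# with left/right and the two subnets swapped. There is no setkey script and
# no spdadd here: charon installs the policies and negotiates the SAs itself.
config setup
        plutostart=no          # IKEv1 daemon not needed for this tunnel
        charonstart=yes        # IKEv2 daemon (assumption: IKEv2 is acceptable)

conn net-net
        left=192.167.21.1              # GW1 eth1, facing GW2 (assumed from the topology)
        leftsubnet=192.167.2.0/24      # HostA network behind GW1
        right=192.167.21.2             # GW2 eth1
        rightsubnet=192.167.1.0/24     # HostB network behind GW2
        keyexchange=ikev2
        authby=secret                  # PSK taken from ipsec.secrets
        type=tunnel
        auto=route                     # trap policy only; first outbound packet
                                       # from 192.167.2.0/24 triggers the IKE exchange

# /usr/local/etc/ipsec.secrets, identical on both gateways (placeholder secret):
#   192.167.21.1 192.167.21.2 : PSK "<shared-secret-placeholder>"
```

Before relying on the trap, flush whatever the old script left in the kernel (setkey -F; setkey -FP) so that only daemon-installed entries remain in the output of `ip xfrm policy`. After the first ping from HostA to HostB, `ipsec status` should list the net-net SA instead of "none".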
