#49 Uncrypt packet outgoing via wan interface

Milestone: setkey
Status: open
Owner: nobody
Priority: 7
Updated: 2010-12-03
Created: 2010-11-25
Creator: Benoit LORAND
Private: No

Hi all,

I have installed two Linux gateways with ipsec-tools. When I launch a ping from one network to the other, the first one encrypts the packet in ESP (seen with tcpdump); the second one decrypts the packet but sends it out via eth0, which is my WAN interface. Where should I specify on which interface the decrypted packet should go?

first gateway:
#!/usr/sbin/setkey -f
#
#Flush SAD and SPD
flush;
spdflush;

#Create policies for racoon
spdadd 172.16.84.0/24 172.16.74.0/24 any -P out ipsec esp/tunnel/[ip_wan1]-[ip_wan2]/require;
spdadd 172.16.74.0/24 172.16.84.0/24 any -P in ipsec esp/tunnel/[ip_wan2]-[ip_wan1]/require;

second gateway:
#!/usr/sbin/setkey -f
#
#Flush SAD and SPD
flush;
spdflush;

#Create policies for racoon
spdadd 172.16.74.0/24 172.16.84.0/24 any -P out ipsec esp/tunnel/[ip_wan2]-[ip_wan1]/require;
spdadd 172.16.84.0/24 172.16.74.0/24 any -P in ipsec esp/tunnel/[ip_wan1]-[ip_wan2]/require;

Discussion

  • Benoit LORAND, 2010-12-03

    Attachments
  • Benoit LORAND, 2010-12-03

    On the attached screenshot we can see the problem. Maybe someone has already seen that. I was on the 2.6.33 kernel; I have updated to 2.6.36.1 but there is no change.

  • Benoit LORAND, 2010-12-03

    • milestone: --> setkey
    • priority: 5 --> 7

  • Benoit LORAND, 2010-12-03

    Notice that I have changed my destination IPs in the setkey scripts, like this:

    ipsec2 :
    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;

    #Create policies for racoon
    spdadd 172.16.74.0/24 172.16.75.0/24 any -P out ipsec
    esp/tunnel/10.0.0.1-10.0.0.2/require;

    spdadd 172.16.75.0/24 172.16.74.0/24 any -P in ipsec
    esp/tunnel/10.0.0.2-10.0.0.1/require;

    ipsec3:

    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;

    #Create policies for racoon
    spdadd 172.16.75.0/24 172.16.74.0/24 any -P out ipsec
    esp/tunnel/10.0.0.2-10.0.0.1/require;

    spdadd 172.16.74.0/24 172.16.75.0/24 any -P in ipsec
    esp/tunnel/10.0.0.1-10.0.0.2/require;
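A consistency check for the SPD scripts in the ticket body and in the comment above, as an added example that is not part of the ticket or of ipsec-tools: it parses the spdadd statements of two gateways and reports any policy whose mirror is missing, either within one gateway (the in policy must reverse both the subnets and the tunnel endpoints of the out policy) or between gateways (one side's out policies must be exactly the other side's in policies). The sample scripts are taken from the ipsec2/ipsec3 comment; a malformed statement such as the `{ip_wan2]` bracket in the first version is reported instead of being silently skipped.

```python
import re
# One tunnel-mode ESP policy as written in the ticket's setkey scripts; setkey
# statements end with ';' and may be wrapped over several lines.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+esp/tunnel/(?P<tsrc>[0-9.]+)-(?P<tdst>[0-9.]+)/require")

def parse_policies(script):
    """Return the spdadd statements of a 'setkey -f' script; raise on a malformed one."""
    policies = []
    for stmt in script.split(";"):
        # re-join wrapped lines, dropping comment lines such as '#Create policies for racoon'
        text = " ".join(ln for ln in stmt.splitlines() if not ln.lstrip().startswith("#"))
        if "spdadd" not in text:
            continue
        m = SPDADD_RE.search(text)
        if m is None:
            raise ValueError("unparsable spdadd statement: " + text.strip())
        policies.append(m.groupdict())
    return policies

def _key(p):
    return (p["src"], p["dst"], p["tsrc"], p["tdst"])
def _mirror(k):
    # the reverse direction swaps both the traffic selectors and the tunnel endpoints
    return (k[1], k[0], k[3], k[2])

def check_gateways(gw_a, gw_b):
    """List SPD asymmetries within and between two gateways (empty list = consistent)."""
    problems = []
    sides = {"A": parse_policies(gw_a), "B": parse_policies(gw_b)}
    pol = {(n, d): {_key(p) for p in ps if p["dir"] == d}
           for n, ps in sides.items() for d in ("in", "out")}
    for n in sides:  # within one gateway: each out policy needs its mirrored in policy
        for k in pol[(n, "out")] ^ {_mirror(i) for i in pol[(n, "in")]}:
            problems.append(f"{n}: policy {k} has no mirrored counterpart")
    for a, b in (("A", "B"), ("B", "A")):  # between gateways: A's out set must equal B's in set
        for k in pol[(a, "out")] ^ pol[(b, "in")]:
            problems.append(f"{a} out / {b} in mismatch on {k}")
    return problems

# Constructed sample input: the ipsec2 / ipsec3 policies from the ticket's last comment.
IPSEC2 = """#Create policies for racoon
spdadd 172.16.74.0/24 172.16.75.0/24 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 172.16.75.0/24 172.16.74.0/24 any -P in ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;"""
IPSEC3 = """spdadd 172.16.75.0/24 172.16.74.0/24 any -P out ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;
spdadd 172.16.74.0/24 172.16.75.0/24 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;"""
```

Run `check_gateways(IPSEC2, IPSEC3)` on the real scripts of both hosts before looking at routing: an empty list means the SPD itself is symmetric, and the decrypted packets are then forwarded by the ordinary routing table of the receiving gateway.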