Hi All,

I do not know if this is OK to ask here, but I just want to have a try... this is without using ipsec-tools.

I am trying to set up simplest IPSec on my linux box, which has kernel 2.6.21.
I have configured kernel for IPSec.

I use iproute2 to set the SA and SP for IPSec using:


#HOST A:192.168.77.24
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport

ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport


#HOST B:192.168.77.23
ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm policy add dir out src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport

ip xfrm policy add dir in src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport


Here HOST A is my Linux box.

I can check the set values of the SA and SP using


#ip x s

#ip xfrm policy show

and it shows the correct values which I have set.

With this setting I expect IPSec to work, and I should see ESP protocol packets in Wireshark on host A when I ping host B.


But it shows a plain ICMP packet instead of ESP. Ping works as usual, without ESP.


I have checked the same setting on my laptop with Ubuntu 12.04 LTS with kernel 3.2, but it shows the same result. On the laptop I have checked the kernel configuration using #ipsec verify and it says all OK.


I do not know what other setting is missing. Any clue will be helpful.


Thanks in Advance.
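An added consistency check for the HOST A commands above (example code written for this page, not part of the post): it parses the ip xfrm lines and reports the two things a policy needs before the kernel will apply an SA to local traffic, namely that an out policy's src (and an in policy's dst) is the host's own address, and that the template reqid matches an SA with the same endpoints. HOST_A_FIXED is a constructed corrected variant used to show the check passing.

```python
import shlex

# Constructed sample: the HOST A (192.168.77.24) commands as given in the post above.
HOST_A = "192.168.77.24"
HOST_A_CMDS = [
    "ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0",
    "ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0",
    "ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport",
    "ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport",
]
# Constructed corrected variant: same SAs, policies turned to face the host, reqid aligned with the SAs.
HOST_A_FIXED = HOST_A_CMDS[:2] + [
    "ip xfrm policy add dir out src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16386 mode transport",
    "ip xfrm policy add dir in src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16386 mode transport",
]

def _kv(tokens):
    """Pair up 'key value' tokens; the two-value keys (auth, enc) are not needed by this check."""
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}

def parse(cmd):
    """Parse one 'ip xfrm state|policy add ...' line. States are cut at 'sel';
    policies are split at 'tmpl' into the selector part and the template part."""
    tok = shlex.split(cmd)
    kind, body = tok[2], tok[4:]
    if kind == "state":
        if "sel" in body:
            body = body[:body.index("sel")]
        return {"kind": kind, **_kv(body)}
    i = body.index("tmpl")
    return {"kind": kind, **_kv(body[:i]), "tmpl": _kv(body[i + 1:])}

def audit(host_ip, cmds):
    """Return a list of findings for one host's xfrm commands; an empty list means consistent."""
    parsed = [parse(c) for c in cmds]
    states = [p for p in parsed if p["kind"] == "state"]
    findings = []
    for p in parsed:
        if p["kind"] != "policy":
            continue
        # An 'out' policy must have this host as src and an 'in' policy must have it as dst;
        # otherwise the selector never matches local traffic and the packets bypass IPsec.
        local = p["src"] if p["dir"] == "out" else p["dst"]
        if local != host_ip:
            findings.append(f"policy dir {p['dir']} {p['src']}->{p['dst']}: local end is not {host_ip}")
        # The template is satisfied only by an SA with the same endpoints AND the same reqid.
        t = p["tmpl"]
        if not any(s["src"] == t["src"] and s["dst"] == t["dst"] and s["reqid"] == t["reqid"] for s in states):
            findings.append(f"policy dir {p['dir']} tmpl {t['src']}->{t['dst']} reqid {t['reqid']}: no SA with that reqid")
    return findings

if __name__ == "__main__":
    for f in audit(HOST_A, HOST_A_CMDS):
        print(f)
    print("fixed config findings:", audit(HOST_A, HOST_A_FIXED))
```

Run against the post's HOST A block it reports four findings (both policies face the wrong way, and both templates use reqid 16385 while the SAs use 16386); run against the corrected variant it reports none.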