Thanks for the excellent resource. But it contains one inaccuracy:
- if we deal with a 2.6.10+ kernel, fwd policies have to be present, but
they should not be inserted manually. ipsec-tools as of version 0.5 (and
rc2 for sure, I do not remember about the rc1 version) does insert/remove fwd
policies automatically when setkey's spdadd/spddelete for in policies is
executed (unless the user has explicitly requested to operate in kernel mode
with the command line switch -k). Trying to insert a fwd policy when it was
already inserted automatically by setkey produces error messages. Trying
to insert in policies, which automatically generate fwd policies, after
these fwd policies are already inserted should also produce an error message.
Also, fwd policies are required only for traffic which will be
_forwarded_ by the box on which they are set up. If traffic originates at or
is destined for that box, fwd policies are not checked and are therefore
useless (and therefore not set up automatically by the ipsec-tools setkey
command). Fwd policies (no matter how inserted: manually or
automatically) are shown by the setkey -DP command (regardless of mode, but
this may change in the future), so please check that it works as I
describe if you do not trust my word.
I did not find anywhere on ipsec-howto.org any mention of the kernel mode
switch, yet the provided code sample implies that fwd policies need to be
inserted manually. This misled at least one person (see Mirko Panciri's
mail to the ipsec-tools-devel list). I do not include a patch for the
documentation, as wording in English is not my strongest point, but
please, fix this inaccuracy.
GM Consult Group, UAB
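As an added illustration of the point above (this is not code from the poster, from ipsec-tools or from ipsec-howto.org), the following checker parses a setkey configuration and flags manually written fwd policies whose selector duplicates an in policy, on the assumption that setkey from ipsec-tools 0.5 (run without -k) generates a fwd policy with the same selector for every in policy, so those manual lines would collide with the auto-generated ones. The addresses in the sample configuration are constructed placeholders.

```python
import re

# Constructed sample setkey.conf in the style of the howto; addresses are placeholders.
SAMPLE_CONF = """
flush;
spdflush;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P fwd ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;
"""

# spdadd <src> <dst> <upperspec> -P <direction> <policy> ;
SPDADD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\b(.*);$")


def parse_spdadd(conf):
    """Return one dict per spdadd line: selector (src, dst, upper), direction, policy text."""
    policies = []
    for raw in conf.splitlines():
        m = SPDADD_RE.match(raw.strip())
        if m:
            src, dst, upper, direction, policy = m.groups()
            policies.append({"src": src, "dst": dst, "upper": upper,
                             "dir": direction, "policy": policy.strip()})
    return policies


def redundant_fwd_policies(conf):
    """fwd entries whose selector matches an in entry.

    Assumption: ipsec-tools >= 0.5 setkey (without -k) adds a fwd policy with
    the same selector for each in policy, so these lines are duplicates and
    setkey reports an error when they are loaded together.
    """
    policies = parse_spdadd(conf)
    in_selectors = {(p["src"], p["dst"], p["upper"]) for p in policies if p["dir"] == "in"}
    return [p for p in policies
            if p["dir"] == "fwd" and (p["src"], p["dst"], p["upper"]) in in_selectors]


def strip_redundant_fwd(conf):
    """Return the configuration with the redundant manual fwd lines removed."""
    dup = {(p["src"], p["dst"], p["upper"]) for p in redundant_fwd_policies(conf)}
    kept = []
    for raw in conf.splitlines():
        m = SPDADD_RE.match(raw.strip())
        if m and m.group(4) == "fwd" and (m.group(1), m.group(2), m.group(3)) in dup:
            continue
        kept.append(raw)
    return "\n".join(kept)


if __name__ == "__main__":
    for p in redundant_fwd_policies(SAMPLE_CONF):
        print("redundant fwd policy (setkey adds it itself):", p["src"], p["dst"], p["upper"])
```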