Thread: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

Status: Abandoned

Brought to you by: mit_warlord, netbsd

ipsec-tools-users

[Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: JALINDAR <jal...@gm...> - 2015-04-09 02:31:28

Attachments: ipsec_architecture.png

Hi All,

I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect two LAN.
LAN A and B.

Check the diagram for more details.
My setting are as below.
*Router A:*

# cat /etc/racoon.conf

path pre_shared_key "/etc/psk.txt" ;

listen {
isakmp 1.2.3.4   ;
strict_address ;
 }

remote 5.6.7.8 {

 exchange_mode main,base ;
 lifetime time 12 hour ;

 proposal {

  encryption_algorithm 3des ;
  hash_algorithm md5 ;
  authentication_method pre_shared_key ;
  dh_group 2 ;

  }
}

sainfo anonymous {

pfs_group 2 ;
lifetime time 12 hour;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;

}


# cat /etc/setkey.conf

#!/sbin/setkey -f
#flush SAD and SPD
flush;
spdflush;

#create polices from racoon
spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
esp/tunnel/1.2.3.4  -5.6.7.8/require;

spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/5.6.7.8-1.2.3.4  /require;

# cat /etc/psk.txt
#IPv4 Address
5.6.7.8   123456789

*Router B:*

# cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;

listen {
isakmp 5.6.7.8   ;
 strict_address ;
 }

remote 1.2.3.4 {

 exchange_mode main,base ;
lifetime time 12 hour ;

 proposal {

  encryption_algorithm 3des ;
 hash_algorithm md5 ;
 authentication_method pre_shared_key ;
dh_group 2 ;

  }
 }

sainfo anonymous {

pfs_group 2 ;
lifetime time 12 hour;
 encryption_algorithm 3des ;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;

}

# cat /etc/setkey.conf
#!/sbin/setkey -f
#flush SAD and SPD

flush;
spdflush;

#create polices from racoon
spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
esp/tunnel/5.6.7.8  -1.2.3.4/require;

spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
esp/tunnel/1.2.3.4-5.6.7.8  /require;

# cat /etc/psk.txt
#IPv4 Address
1.2.3.4   123456789




Router A Lan
                                  Router B Lan      192.168.1.0/24
192.168.8.0/24
Gateway:
192.168.1.254
Gateway:192.168.8.254
      |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8 Router B*
______|_|_|_|



I can ping 192.168.1.254 gateway from 192.168.8.100  and similarly from
other side LAN network PC.

I can ping 192.168.1.100 from 192.168.8.254 OK and similarly from other
side.

I can open router management server web page  from LAN PC at other LAN
network.

But I can not ping 192.168.1.100 from 192.168.8.100 and reverse way. only
LAN gateways are reachable.
where as whole LAN should be reachable from other LAN.

am I missing some setting ?
Any good reference to the document which help to fix this.

thank you for help in advance.

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: Mick <mic...@gm...> - 2015-04-09 06:04:21

Attachments: signature.asc

On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> Hi All,
> 
> I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect two LAN.
> LAN A and B.
> 
> Check the diagram for more details.
> My setting are as below.
> *Router A:*
> 
> # cat /etc/racoon.conf
> 
> path pre_shared_key "/etc/psk.txt" ;
> 
> listen {
> isakmp 1.2.3.4   ;
> strict_address ;
>  }
> 
> remote 5.6.7.8 {
> 
>  exchange_mode main,base ;
>  lifetime time 12 hour ;
> 
>  proposal {
> 
>   encryption_algorithm 3des ;
>   hash_algorithm md5 ;
>   authentication_method pre_shared_key ;
>   dh_group 2 ;
> 
>   }
> }
> 
> sainfo anonymous {
> 
> pfs_group 2 ;
> lifetime time 12 hour;
> encryption_algorithm 3des ;
> authentication_algorithm hmac_md5 ;
> compression_algorithm deflate ;
> 
> }
> 
> 
> # cat /etc/setkey.conf
> 
> #!/sbin/setkey -f
> #flush SAD and SPD
> flush;
> spdflush;
> 
> #create polices from racoon
> spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> esp/tunnel/1.2.3.4  -5.6.7.8/require;

I assume this is a typo?  It should be:

  esp/tunnel/1.2.3.4-5.6.7.8/require;



> spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> esp/tunnel/5.6.7.8-1.2.3.4  /require;

This should also no have a space before "/require;"


> 
> # cat /etc/psk.txt
> #IPv4 Address
> 5.6.7.8   123456789
> 
> *Router B:*
> 
> # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> 
> listen {
> isakmp 5.6.7.8   ;
>  strict_address ;
>  }
> 
> remote 1.2.3.4 {
> 
>  exchange_mode main,base ;
> lifetime time 12 hour ;
> 
>  proposal {
> 
>   encryption_algorithm 3des ;
>  hash_algorithm md5 ;
>  authentication_method pre_shared_key ;
> dh_group 2 ;
> 
>   }
>  }
> 
> sainfo anonymous {
> 
> pfs_group 2 ;
> lifetime time 12 hour;
>  encryption_algorithm 3des ;
> authentication_algorithm hmac_md5 ;
> compression_algorithm deflate ;
> 
> }
> 
> # cat /etc/setkey.conf
> #!/sbin/setkey -f
> #flush SAD and SPD
> 
> flush;
> spdflush;
> 
> #create polices from racoon
> spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> esp/tunnel/5.6.7.8  -1.2.3.4/require;

Same as I commented above.


> spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> esp/tunnel/1.2.3.4-5.6.7.8  /require;

Same as I commented above.


> # cat /etc/psk.txt
> #IPv4 Address
> 1.2.3.4   123456789
> 
> 
> 
> 
> Router A Lan
>                                   Router B Lan      192.168.1.0/24
> 192.168.8.0/24
> Gateway:
> 192.168.1.254
> Gateway:192.168.8.254
> 
>       |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8 Router B*
> 
> ______|_|_|_|
> 
> 
> 
> I can ping 192.168.1.254 gateway from 192.168.8.100  and similarly from
> other side LAN network PC.
> 
> I can ping 192.168.1.100 from 192.168.8.254 OK and similarly from other
> side.
> 
> I can open router management server web page  from LAN PC at other LAN
> network.
> 
> But I can not ping 192.168.1.100 from 192.168.8.100 and reverse way. only
> LAN gateways are reachable.

This statement contradicts the previous regarding what you can ping and what 
not.  I assume that you cannot ping 192.168.8.100 from 192.168.1.100?


> where as whole LAN should be reachable from other LAN.
> 
> am I missing some setting ?

Check that Router B has been set up to allow ip forwarding; e.g.

sysclt -a | grep eth0.forwarding

net.ipv4.conf.eth0.forwarding = 1


also check that the firewall on Router B is similarly allowed to forward 
packets.

If not adjust accordingly.

-- 
Regards,
Mick

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: JALINDAR <jal...@gm...> - 2015-04-09 09:04:07

Hi Mick,

I tried your suggestion but result is same.

If there was setting issue then IPSec would not have worked at all.

 But it works. IPSec set to kernel. Lan devices can ping other Lan gateway,
 like 192.168.8.100 can ping 192.168.1.254 and reverse. But router or LAN
PC can not ping to other LAN PC.

Thanks
Jalindar



On Thu, Apr 9, 2015 at 2:03 PM, Mick <mic...@gm...> wrote:

> On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > Hi All,
> >
> > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect two LAN.
> > LAN A and B.
> >
> > Check the diagram for more details.
> > My setting are as below.
> > *Router A:*
> >
> > # cat /etc/racoon.conf
> >
> > path pre_shared_key "/etc/psk.txt" ;
> >
> > listen {
> > isakmp 1.2.3.4   ;
> > strict_address ;
> >  }
> >
> > remote 5.6.7.8 {
> >
> >  exchange_mode main,base ;
> >  lifetime time 12 hour ;
> >
> >  proposal {
> >
> >   encryption_algorithm 3des ;
> >   hash_algorithm md5 ;
> >   authentication_method pre_shared_key ;
> >   dh_group 2 ;
> >
> >   }
> > }
> >
> > sainfo anonymous {
> >
> > pfs_group 2 ;
> > lifetime time 12 hour;
> > encryption_algorithm 3des ;
> > authentication_algorithm hmac_md5 ;
> > compression_algorithm deflate ;
> >
> > }
> >
> >
> > # cat /etc/setkey.conf
> >
> > #!/sbin/setkey -f
> > #flush SAD and SPD
> > flush;
> > spdflush;
> >
> > #create polices from racoon
> > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > esp/tunnel/1.2.3.4  -5.6.7.8/require;
>
> I assume this is a typo?  It should be:
>
>   esp/tunnel/1.2.3.4-5.6.7.8/require;
>
>
>
> > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > esp/tunnel/5.6.7.8-1.2.3.4  /require;
>
> This should also no have a space before "/require;"
>
>
> >
> > # cat /etc/psk.txt
> > #IPv4 Address
> > 5.6.7.8 123456789
> >
> > *Router B:*
> >
> > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> >
> > listen {
> > isakmp 5.6.7.8   ;
> >  strict_address ;
> >  }
> >
> > remote 1.2.3.4 {
> >
> >  exchange_mode main,base ;
> > lifetime time 12 hour ;
> >
> >  proposal {
> >
> >   encryption_algorithm 3des ;
> >  hash_algorithm md5 ;
> >  authentication_method pre_shared_key ;
> > dh_group 2 ;
> >
> >   }
> >  }
> >
> > sainfo anonymous {
> >
> > pfs_group 2 ;
> > lifetime time 12 hour;
> >  encryption_algorithm 3des ;
> > authentication_algorithm hmac_md5 ;
> > compression_algorithm deflate ;
> >
> > }
> >
> > # cat /etc/setkey.conf
> > #!/sbin/setkey -f
> > #flush SAD and SPD
> >
> > flush;
> > spdflush;
> >
> > #create polices from racoon
> > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > esp/tunnel/5.6.7.8  -1.2.3.4/require;
>
> Same as I commented above.
>
>
> > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > esp/tunnel/1.2.3.4-5.6.7.8  /require;
>
> Same as I commented above.
>
>
> > # cat /etc/psk.txt
> > #IPv4 Address
> > 1.2.3.4 123456789
> >
> >
> >
> >
> > Router A Lan
> >                                   Router B Lan      192.168.1.0/24
> > 192.168.8.0/24
> > Gateway:
> > 192.168.1.254
> > Gateway:192.168.8.254
> >
> >       |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8 Router B*
> >
> > ______|_|_|_|
> >
> >
> >
> > I can ping 192.168.1.254 gateway from 192.168.8.100  and similarly from
> > other side LAN network PC.
> >
> > I can ping 192.168.1.100 from 192.168.8.254 OK and similarly from other
> > side.
> >
> > I can open router management server web page  from LAN PC at other LAN
> > network.
> >
> > But I can not ping 192.168.1.100 from 192.168.8.100 and reverse way. only
> > LAN gateways are reachable.
>
> This statement contradicts the previous regarding what you can ping and
> what
> not.  I assume that you cannot ping 192.168.8.100 from 192.168.1.100?
>
>
> > where as whole LAN should be reachable from other LAN.
> >
> > am I missing some setting ?
>
> Check that Router B has been set up to allow ip forwarding; e.g.
>
> sysclt -a | grep eth0.forwarding
>
> net.ipv4.conf.eth0.forwarding = 1
>
>
> also check that the firewall on Router B is similarly allowed to forward
> packets.
>
> If not adjust accordingly.
>
> --
> Regards,
> Mick
>

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: Mick <mic...@gm...> - 2015-04-09 19:51:19

Attachments: signature.asc

On Thursday 09 Apr 2015 10:03:19 you wrote:
> Hi Mick,
> 
> I tried your suggestion but result is same.
> 
> If there was setting issue then IPSec would not have worked at all.

Not necessarily, it could work partially.  You could be communicating with the 
gateway, but getting no further than that because the router does not forward 
packets to the subnet behind it.


>  But it works. IPSec set to kernel. Lan devices can ping other Lan gateway,
>  like 192.168.8.100 can ping 192.168.1.254 and reverse. But router or LAN
> PC can not ping to other LAN PC.

I understand.  You could check that ICMP packets actually leave the router 
towards the LAN PCs behind it; i.e. that the router processes and forwards 
incoming packets to PCs within its own LAN.  You can use tcpdump or wireshark 
for this.  You can also check if the LAN PCs receive these ICMP packets and 
not respond to them, or if they do not receive them at all.



> On Thu, Apr 9, 2015 at 2:03 PM, Mick <mic...@gm...> wrote:
> > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > Hi All,
> > > 
> > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect two LAN.
> > > LAN A and B.
> > > 
> > > Check the diagram for more details.
> > > My setting are as below.
> > > *Router A:*
> > > 
> > > # cat /etc/racoon.conf
> > > 
> > > path pre_shared_key "/etc/psk.txt" ;
> > > 
> > > listen {
> > > isakmp 1.2.3.4   ;
> > > strict_address ;
> > > 
> > >  }
> > > 
> > > remote 5.6.7.8 {
> > > 
> > >  exchange_mode main,base ;
> > >  lifetime time 12 hour ;
> > >  
> > >  proposal {
> > >  
> > >   encryption_algorithm 3des ;
> > >   hash_algorithm md5 ;
> > >   authentication_method pre_shared_key ;
> > >   dh_group 2 ;
> > >   
> > >   }
> > > 
> > > }
> > > 
> > > sainfo anonymous {
> > > 
> > > pfs_group 2 ;
> > > lifetime time 12 hour;
> > > encryption_algorithm 3des ;
> > > authentication_algorithm hmac_md5 ;
> > > compression_algorithm deflate ;
> > > 
> > > }
> > > 
> > > 
> > > # cat /etc/setkey.conf
> > > 
> > > #!/sbin/setkey -f
> > > #flush SAD and SPD
> > > flush;
> > > spdflush;
> > > 
> > > #create polices from racoon
> > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > 
> > I assume this is a typo?  It should be:
> >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> >   
> > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > 
> > This should also no have a space before "/require;"
> > 
> > > # cat /etc/psk.txt
> > > #IPv4 Address
> > > 5.6.7.8 123456789
> > > 
> > > *Router B:*
> > > 
> > > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> > > 
> > > listen {
> > > isakmp 5.6.7.8   ;
> > > 
> > >  strict_address ;
> > >  }
> > > 
> > > remote 1.2.3.4 {
> > > 
> > >  exchange_mode main,base ;
> > > 
> > > lifetime time 12 hour ;
> > > 
> > >  proposal {
> > >  
> > >   encryption_algorithm 3des ;
> > >  
> > >  hash_algorithm md5 ;
> > >  authentication_method pre_shared_key ;
> > > 
> > > dh_group 2 ;
> > > 
> > >   }
> > >  
> > >  }
> > > 
> > > sainfo anonymous {
> > > 
> > > pfs_group 2 ;
> > > lifetime time 12 hour;
> > > 
> > >  encryption_algorithm 3des ;
> > > 
> > > authentication_algorithm hmac_md5 ;
> > > compression_algorithm deflate ;
> > > 
> > > }
> > > 
> > > # cat /etc/setkey.conf
> > > #!/sbin/setkey -f
> > > #flush SAD and SPD
> > > 
> > > flush;
> > > spdflush;
> > > 
> > > #create polices from racoon
> > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > 
> > Same as I commented above.
> > 
> > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > 
> > Same as I commented above.
> > 
> > > # cat /etc/psk.txt
> > > #IPv4 Address
> > > 1.2.3.4 123456789
> > > 
> > > 
> > > 
> > > 
> > > Router A Lan
> > > 
> > >                                   Router B Lan      192.168.1.0/24
> > > 
> > > 192.168.8.0/24
> > > Gateway:
> > > 192.168.1.254
> > > Gateway:192.168.8.254
> > > 
> > >       |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8 Router
> > >       |B*
> > > 
> > > ______|_|_|_|
> > > 
> > > 
> > > 
> > > I can ping 192.168.1.254 gateway from 192.168.8.100  and similarly from
> > > other side LAN network PC.
> > > 
> > > I can ping 192.168.1.100 from 192.168.8.254 OK and similarly from other
> > > side.
> > > 
> > > I can open router management server web page  from LAN PC at other LAN
> > > network.
> > > 
> > > But I can not ping 192.168.1.100 from 192.168.8.100 and reverse way.
> > > only LAN gateways are reachable.
> > 
> > This statement contradicts the previous regarding what you can ping and
> > what
> > not.  I assume that you cannot ping 192.168.8.100 from 192.168.1.100?
> > 
> > > where as whole LAN should be reachable from other LAN.
> > > 
> > > am I missing some setting ?
> > 
> > Check that Router B has been set up to allow ip forwarding; e.g.
> > 
> > sysclt -a | grep eth0.forwarding
> > 
> > net.ipv4.conf.eth0.forwarding = 1
> > 
> > 
> > also check that the firewall on Router B is similarly allowed to forward
> > packets.
> > 
> > If not adjust accordingly.
> > 
> > --
> > Regards,
> > Mick

-- 
Regards,
Mick

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: JALINDAR <jal...@gm...> - 2015-04-21 11:17:47

Hi Mick,

Ok that help me to tab the issue but I would like to divide this issue into
three,  for fixing it:

1.* raccon:* As IKE is working all ok and IPSec is set to kernel, it should
not have any issue.
and anyway its role is to keyexchange and not much into actual IPSec ,
which kernel has to do.

2. *setkey :* SPD setting should be ok

3. *linux Kernel: *IPSec setting of kernel should not be ok.

from my conclusion , it seems like I have something either missing or in
error inside Linux kernel.
As I know IPSec do not need any special routing to work.

Is my conclusion is correct ?

if yes then is there any document which says what detailed kernel modules
needed for IPSec.
like in netfilter mangle table needed ??

I am using linux kernel 2.6.21.x


Thanks
Jalindar




On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...> wrote:

> On Thursday 09 Apr 2015 10:03:19 you wrote:
> > Hi Mick,
> >
> > I tried your suggestion but result is same.
> >
> > If there was setting issue then IPSec would not have worked at all.
>
> Not necessarily, it could work partially.  You could be communicating with
> the
> gateway, but getting no further than that because the router does not
> forward
> packets to the subnet behind it.
>
>
> >  But it works. IPSec set to kernel. Lan devices can ping other Lan
> gateway,
> >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But router or LAN
> > PC can not ping to other LAN PC.
>
> I understand.  You could check that ICMP packets actually leave the router
> towards the LAN PCs behind it; i.e. that the router processes and forwards
> incoming packets to PCs within its own LAN.  You can use tcpdump or
> wireshark
> for this.  You can also check if the LAN PCs receive these ICMP packets and
> not respond to them, or if they do not receive them at all.
>
>
>
> > On Thu, Apr 9, 2015 at 2:03 PM, Mick <mic...@gm...> wrote:
> > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > Hi All,
> > > >
> > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect two
> LAN.
> > > > LAN A and B.
> > > >
> > > > Check the diagram for more details.
> > > > My setting are as below.
> > > > *Router A:*
> > > >
> > > > # cat /etc/racoon.conf
> > > >
> > > > path pre_shared_key "/etc/psk.txt" ;
> > > >
> > > > listen {
> > > > isakmp 1.2.3.4   ;
> > > > strict_address ;
> > > >
> > > >  }
> > > >
> > > > remote 5.6.7.8 {
> > > >
> > > >  exchange_mode main,base ;
> > > >  lifetime time 12 hour ;
> > > >
> > > >  proposal {
> > > >
> > > >   encryption_algorithm 3des ;
> > > >   hash_algorithm md5 ;
> > > >   authentication_method pre_shared_key ;
> > > >   dh_group 2 ;
> > > >
> > > >   }
> > > >
> > > > }
> > > >
> > > > sainfo anonymous {
> > > >
> > > > pfs_group 2 ;
> > > > lifetime time 12 hour;
> > > > encryption_algorithm 3des ;
> > > > authentication_algorithm hmac_md5 ;
> > > > compression_algorithm deflate ;
> > > >
> > > > }
> > > >
> > > >
> > > > # cat /etc/setkey.conf
> > > >
> > > > #!/sbin/setkey -f
> > > > #flush SAD and SPD
> > > > flush;
> > > > spdflush;
> > > >
> > > > #create polices from racoon
> > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > >
> > > I assume this is a typo?  It should be:
> > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > >
> > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > >
> > > This should also no have a space before "/require;"
> > >
> > > > # cat /etc/psk.txt
> > > > #IPv4 Address
> > > > 5.6.7.8 123456789
> > > >
> > > > *Router B:*
> > > >
> > > > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> > > >
> > > > listen {
> > > > isakmp 5.6.7.8   ;
> > > >
> > > >  strict_address ;
> > > >  }
> > > >
> > > > remote 1.2.3.4 {
> > > >
> > > >  exchange_mode main,base ;
> > > >
> > > > lifetime time 12 hour ;
> > > >
> > > >  proposal {
> > > >
> > > >   encryption_algorithm 3des ;
> > > >
> > > >  hash_algorithm md5 ;
> > > >  authentication_method pre_shared_key ;
> > > >
> > > > dh_group 2 ;
> > > >
> > > >   }
> > > >
> > > >  }
> > > >
> > > > sainfo anonymous {
> > > >
> > > > pfs_group 2 ;
> > > > lifetime time 12 hour;
> > > >
> > > >  encryption_algorithm 3des ;
> > > >
> > > > authentication_algorithm hmac_md5 ;
> > > > compression_algorithm deflate ;
> > > >
> > > > }
> > > >
> > > > # cat /etc/setkey.conf
> > > > #!/sbin/setkey -f
> > > > #flush SAD and SPD
> > > >
> > > > flush;
> > > > spdflush;
> > > >
> > > > #create polices from racoon
> > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > >
> > > Same as I commented above.
> > >
> > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > >
> > > Same as I commented above.
> > >
> > > > # cat /etc/psk.txt
> > > > #IPv4 Address
> > > > 1.2.3.4 123456789
> > > >
> > > >
> > > >
> > > >
> > > > Router A Lan
> > > >
> > > >                                   Router B Lan      192.168.1.0/24
> > > >
> > > > 192.168.8.0/24
> > > > Gateway:
> > > > 192.168.1.254
> > > > Gateway:192.168.8.254
> > > >
> > > >       |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8 Router
> > > >       |B*
> > > >
> > > > ______|_|_|_|
> > > >
> > > >
> > > >
> > > > I can ping 192.168.1.254 gateway from 192.168.8.100  and similarly
> from
> > > > other side LAN network PC.
> > > >
> > > > I can ping 192.168.1.100 from 192.168.8.254 OK and similarly from
> other
> > > > side.
> > > >
> > > > I can open router management server web page  from LAN PC at other
> LAN
> > > > network.
> > > >
> > > > But I can not ping 192.168.1.100 from 192.168.8.100 and reverse way.
> > > > only LAN gateways are reachable.
> > >
> > > This statement contradicts the previous regarding what you can ping and
> > > what
> > > not.  I assume that you cannot ping 192.168.8.100 from 192.168.1.100?
> > >
> > > > where as whole LAN should be reachable from other LAN.
> > > >
> > > > am I missing some setting ?
> > >
> > > Check that Router B has been set up to allow ip forwarding; e.g.
> > >
> > > sysclt -a | grep eth0.forwarding
> > >
> > > net.ipv4.conf.eth0.forwarding = 1
> > >
> > >
> > > also check that the firewall on Router B is similarly allowed to
> forward
> > > packets.
> > >
> > > If not adjust accordingly.
> > >
> > > --
> > > Regards,
> > > Mick
>
> --
> Regards,
> Mick
>

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: Mick <mic...@gm...> - 2015-04-21 19:08:40

Attachments: signature.asc

Yes, racoon and IPSec work fine, since you can establish a tunnel between the 
two peers.

You can check that the ESP tunnel is configured correctly to connect the two 
LANs by studying the output of:

 setkey -DP

This should show SAs created for in/out/fwd.

Also check the output of your syslog.

Then from my previous suggestion you have checked that the kernel is 
configured to forward packets, according to sysctl.

What is left is to check that:

1. ICMP packets are forwarded from the remote peer to the LAN PCs behind it.

2. That ICMP packets are received by the PCs in the remote LAN and responded 
to.  These PCs may be have been configured to only respond to ICMP requests 
from IP addresses in their own local subnet, or not respond to ICMP packets at 
all.

Have you performed these checks and what have you found out?

Kernel version 2.6.21 is rather old, like 8 years old!  You should update this 
to a more recent kernel regardless, although I suspect that it is not related 
to your problem.



On Tuesday 21 Apr 2015 12:17:00 you wrote:
> Hi Mick,
> 
> Ok that help me to tab the issue but I would like to divide this issue into
> three,  for fixing it:
> 
> 1.* raccon:* As IKE is working all ok and IPSec is set to kernel, it should
> not have any issue.
> and anyway its role is to keyexchange and not much into actual IPSec ,
> which kernel has to do.
> 
> 2. *setkey :* SPD setting should be ok
> 
> 3. *linux Kernel: *IPSec setting of kernel should not be ok.
> 
> from my conclusion , it seems like I have something either missing or in
> error inside Linux kernel.
> As I know IPSec do not need any special routing to work.
> 
> Is my conclusion is correct ?
> 
> if yes then is there any document which says what detailed kernel modules
> needed for IPSec.
> like in netfilter mangle table needed ??
> 
> I am using linux kernel 2.6.21.x
> 
> 
> Thanks
> Jalindar
> 
> On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...> wrote:
> > On Thursday 09 Apr 2015 10:03:19 you wrote:
> > > Hi Mick,
> > > 
> > > I tried your suggestion but result is same.
> > > 
> > > If there was setting issue then IPSec would not have worked at all.
> > 
> > Not necessarily, it could work partially.  You could be communicating
> > with the
> > gateway, but getting no further than that because the router does not
> > forward
> > packets to the subnet behind it.
> > 
> > >  But it works. IPSec set to kernel. Lan devices can ping other Lan
> > 
> > gateway,
> > 
> > >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But router or
> > >  LAN
> > > 
> > > PC can not ping to other LAN PC.
> > 
> > I understand.  You could check that ICMP packets actually leave the
> > router towards the LAN PCs behind it; i.e. that the router processes and
> > forwards incoming packets to PCs within its own LAN.  You can use
> > tcpdump or wireshark
> > for this.  You can also check if the LAN PCs receive these ICMP packets
> > and not respond to them, or if they do not receive them at all.
> > 
> > > On Thu, Apr 9, 2015 at 2:03 PM, Mick <mic...@gm...> wrote:
> > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > > Hi All,
> > > > > 
> > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect two
> > 
> > LAN.
> > 
> > > > > LAN A and B.
> > > > > 
> > > > > Check the diagram for more details.
> > > > > My setting are as below.
> > > > > *Router A:*
> > > > > 
> > > > > # cat /etc/racoon.conf
> > > > > 
> > > > > path pre_shared_key "/etc/psk.txt" ;
> > > > > 
> > > > > listen {
> > > > > isakmp 1.2.3.4   ;
> > > > > strict_address ;
> > > > > 
> > > > >  }
> > > > > 
> > > > > remote 5.6.7.8 {
> > > > > 
> > > > >  exchange_mode main,base ;
> > > > >  lifetime time 12 hour ;
> > > > >  
> > > > >  proposal {
> > > > >  
> > > > >   encryption_algorithm 3des ;
> > > > >   hash_algorithm md5 ;
> > > > >   authentication_method pre_shared_key ;
> > > > >   dh_group 2 ;
> > > > >   
> > > > >   }
> > > > > 
> > > > > }
> > > > > 
> > > > > sainfo anonymous {
> > > > > 
> > > > > pfs_group 2 ;
> > > > > lifetime time 12 hour;
> > > > > encryption_algorithm 3des ;
> > > > > authentication_algorithm hmac_md5 ;
> > > > > compression_algorithm deflate ;
> > > > > 
> > > > > }
> > > > > 
> > > > > 
> > > > > # cat /etc/setkey.conf
> > > > > 
> > > > > #!/sbin/setkey -f
> > > > > #flush SAD and SPD
> > > > > flush;
> > > > > spdflush;
> > > > > 
> > > > > #create polices from racoon
> > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > > > 
> > > > I assume this is a typo?  It should be:
> > > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > > >   
> > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > > > 
> > > > This should also no have a space before "/require;"
> > > > 
> > > > > # cat /etc/psk.txt
> > > > > #IPv4 Address
> > > > > 5.6.7.8 123456789
> > > > > 
> > > > > *Router B:*
> > > > > 
> > > > > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> > > > > 
> > > > > listen {
> > > > > isakmp 5.6.7.8   ;
> > > > > 
> > > > >  strict_address ;
> > > > >  }
> > > > > 
> > > > > remote 1.2.3.4 {
> > > > > 
> > > > >  exchange_mode main,base ;
> > > > > 
> > > > > lifetime time 12 hour ;
> > > > > 
> > > > >  proposal {
> > > > >  
> > > > >   encryption_algorithm 3des ;
> > > > >  
> > > > >  hash_algorithm md5 ;
> > > > >  authentication_method pre_shared_key ;
> > > > > 
> > > > > dh_group 2 ;
> > > > > 
> > > > >   }
> > > > >  
> > > > >  }
> > > > > 
> > > > > sainfo anonymous {
> > > > > 
> > > > > pfs_group 2 ;
> > > > > lifetime time 12 hour;
> > > > > 
> > > > >  encryption_algorithm 3des ;
> > > > > 
> > > > > authentication_algorithm hmac_md5 ;
> > > > > compression_algorithm deflate ;
> > > > > 
> > > > > }
> > > > > 
> > > > > # cat /etc/setkey.conf
> > > > > #!/sbin/setkey -f
> > > > > #flush SAD and SPD
> > > > > 
> > > > > flush;
> > > > > spdflush;
> > > > > 
> > > > > #create polices from racoon
> > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > > > 
> > > > Same as I commented above.
> > > > 
> > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > > > 
> > > > Same as I commented above.
> > > > 
> > > > > # cat /etc/psk.txt
> > > > > #IPv4 Address
> > > > > 1.2.3.4 123456789
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > Router A Lan
> > > > > 
> > > > >                                   Router B Lan      192.168.1.0/24
> > > > > 
> > > > > 192.168.8.0/24
> > > > > Gateway:
> > > > > 192.168.1.254
> > > > > Gateway:192.168.8.254
> > > > > 
> > > > >       |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8
> > > > >       |Router B*
> > > > > 
> > > > > ______|_|_|_|
> > > > > 
> > > > > 
> > > > > 
> > > > > I can ping 192.168.1.254 gateway from 192.168.8.100  and similarly
> > 
> > from
> > 
> > > > > other side LAN network PC.
> > > > > 
> > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and similarly from
> > 
> > other
> > 
> > > > > side.
> > > > > 
> > > > > I can open router management server web page  from LAN PC at other
> > 
> > LAN
> > 
> > > > > network.
> > > > > 
> > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and reverse
> > > > > way. only LAN gateways are reachable.
> > > > 
> > > > This statement contradicts the previous regarding what you can ping
> > > > and what
> > > > not.  I assume that you cannot ping 192.168.8.100 from 192.168.1.100?
> > > > 
> > > > > where as whole LAN should be reachable from other LAN.
> > > > > 
> > > > > am I missing some setting ?
> > > > 
> > > > Check that Router B has been set up to allow ip forwarding; e.g.
> > > > 
> > > > sysclt -a | grep eth0.forwarding
> > > > 
> > > > net.ipv4.conf.eth0.forwarding = 1
> > > > 
> > > > 
> > > > also check that the firewall on Router B is similarly allowed to
> > 
> > forward
> > 
> > > > packets.
> > > > 
> > > > If not adjust accordingly.
> > > > 
> > > > --
> > > > Regards,
> > > > Mick
> > 
> > --
> > Regards,
> > Mick

-- 
Regards,
Mick

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: JALINDAR <jal...@gm...> - 2015-04-22 07:05:50

Hi Mick,

Yes , I was suspecting regarding setkey policy setting. My check using
#setkey -DP find no forwarding policy.
But I think forwarding policy should be there,am I right ?

At Router A :

WAN INTERFACE :  192.168.3.11
WAN GATEWAY   :  192.168.3.10

LAN    N/W ADDRESS : 192.168.1.0/24
LAN GATEWAY           : 192.168.1.254

##without racoon running

# setkey -DP
192.168.8.0/24[any] 192.168.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/192.168.2.11-192.168.3.11/require
        created: Jan  1 00:35:55 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=40 seq=1 pid=1948
        refcnt=1
192.168.1.0/24[any] 192.168.8.0/24[any] any
        out prio def ipsec
        esp/tunnel/192.168.3.11-192.168.2.11/require
        created: Jan  1 00:35:55 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=33 seq=0 pid=1948
        refcnt=1


##with racoon running

# setkey -DP
192.168.8.0/24[any] 192.168.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/192.168.2.11-192.168.3.11/require
        created: Jan  1 00:35:55 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=40 seq=1 pid=2522
        refcnt=1
192.168.1.0/24[any] 192.168.8.0/24[any] any
        out prio def ipsec
        esp/tunnel/192.168.3.11-192.168.2.11/require
        created: Jan  1 00:35:55 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=33 seq=2 pid=2522
        refcnt=1
(per-socket policy)
        in none
        created: Jan  1 00:37:16 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=51 seq=3 pid=2522
        refcnt=1
(per-socket policy)
        out none
        created: Jan  1 00:37:16 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=60 seq=0 pid=2522
        refcnt=1


For /etc/setkey.conf file below:

# cat /etc/setkey.conf

#!/sbin/setkey -f

#flush SAD and SPD

flush;

spdflush;



#create polices from racoon

spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec

esp/tunnel/192.168.3.11-192.168.2.11/require;



spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec

esp/tunnel/192.168.2.11-192.168.3.11/require;

*I test using adding :*

*spdadd 192.168.8.0/24 <http://192.168.8.0/24> 192.168.1.0/24
<http://192.168.1.0/24> any -P fwd ipsec*

*esp/tunnel/192.168.2.11-192.168.3.11/require;*

output of #setkey -f /etc/setkey.conf with forward policy is

The result of line 14: File exists.

this line 14 is second line of the forward policy added
 But some documents like this one:

http://www.ipsec-howto.org/x304.html

says :

*Attention: When using the Linux kernel >= 2.6.10 you also have to define
the forward policy if packets need to be fowarded by the box. Just make
sure you use the ipsec-tools 0.5 which add this policy automatically or add
it yourself if using older tools. If you are running setkey in Kernel-mode
(-k) you have to add the fwd-policy manually, too.*

*spdadd 172.16.2.0/24 <http://172.16.2.0/24> 172.16.1.0/24
<http://172.16.1.0/24> any -P fwd ipsec
           esp/tunnel/192.168.2.100-192.168.1.100/require;*
	

As I am using ipsec-tools 0.6.6 , I expect no need to include this
forward policy in setkey.

but it is missing in #setkey -DP

Anything wrong with setkey settings ??

My packet scan is going on and I found ping from LAN PC goes to other
router(ESP packet) if

I add:

*#iptables -t NAT -I POSTROUTING --dst 192.168.8.0/24
<http://192.168.8.0/24> -j SNAT --to-source 192.168.1.254*

in router with 192.168.1.254 LAN gateway and remote LAN address 192.168.8.0/24 .

that make me specious of my net-filter broken or not complete needed for IPSec.

is that correct ?


What is left is to check that:

1. ICMP packets are forwarded from the remote peer to the LAN PCs behind it.

>>ICMP packet goes to remote router from LAN PC but remote router do not
forward it to LAN
I can see ESP packet both direction but at LAN PC no ICMP response received
to request.

How can I fix it ? is it router problem or IPSec or net-filter ?

2. That ICMP packets are received by the PCs in the remote LAN and responded
to.  These PCs may be have been configured to only respond to ICMP requests
from IP addresses in their own local subnet, or not respond to ICMP packets
at
all.

>>ICMP packet is received by remote router but it do not forward it to LAN
PC.

Thanks
Jalindar


On Wed, Apr 22, 2015 at 3:08 AM, Mick <mic...@gm...> wrote:

> Yes, racoon and IPSec work fine, since you can establish a tunnel between
> the
> two peers.
>
> You can check that the ESP tunnel is configured correctly to connect the
> two
> LANs by studying the output of:
>
>  setkey -DP
>
> This should show SAs created for in/out/fwd.
>
> Also check the output of your syslog.
>
> Then from my previous suggestion you have checked that the kernel is
> configured to forward packets, according to sysctl.
>
> What is left is to check that:
>
> 1. ICMP packets are forwarded from the remote peer to the LAN PCs behind
> it.
>
> 2. That ICMP packets are received by the PCs in the remote LAN and
> responded
> to.  These PCs may be have been configured to only respond to ICMP requests
> from IP addresses in their own local subnet, or not respond to ICMP
> packets at
> all.
>
> Have you performed these checks and what have you found out?
>
> Kernel version 2.6.21 is rather old, like 8 years old!  You should update
> this
> to a more recent kernel regardless, although I suspect that it is not
> related
> to your problem.
>
>
>
> On Tuesday 21 Apr 2015 12:17:00 you wrote:
> > Hi Mick,
> >
> > Ok that help me to tab the issue but I would like to divide this issue
> into
> > three,  for fixing it:
> >
> > 1.* raccon:* As IKE is working all ok and IPSec is set to kernel, it
> should
> > not have any issue.
> > and anyway its role is to keyexchange and not much into actual IPSec ,
> > which kernel has to do.
> >
> > 2. *setkey :* SPD setting should be ok
> >
> > 3. *linux Kernel: *IPSec setting of kernel should not be ok.
> >
> > from my conclusion , it seems like I have something either missing or in
> > error inside Linux kernel.
> > As I know IPSec do not need any special routing to work.
> >
> > Is my conclusion is correct ?
> >
> > if yes then is there any document which says what detailed kernel modules
> > needed for IPSec.
> > like in netfilter mangle table needed ??
> >
> > I am using linux kernel 2.6.21.x
> >
> >
> > Thanks
> > Jalindar
> >
> > On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...> wrote:
> > > On Thursday 09 Apr 2015 10:03:19 you wrote:
> > > > Hi Mick,
> > > >
> > > > I tried your suggestion but result is same.
> > > >
> > > > If there was setting issue then IPSec would not have worked at all.
> > >
> > > Not necessarily, it could work partially.  You could be communicating
> > > with the
> > > gateway, but getting no further than that because the router does not
> > > forward
> > > packets to the subnet behind it.
> > >
> > > >  But it works. IPSec set to kernel. Lan devices can ping other Lan
> > >
> > > gateway,
> > >
> > > >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But router or
> > > >  LAN
> > > >
> > > > PC can not ping to other LAN PC.
> > >
> > > I understand.  You could check that ICMP packets actually leave the
> > > router towards the LAN PCs behind it; i.e. that the router processes
> and
> > > forwards incoming packets to PCs within its own LAN.  You can use
> > > tcpdump or wireshark
> > > for this.  You can also check if the LAN PCs receive these ICMP packets
> > > and not respond to them, or if they do not receive them at all.
> > >
> > > > On Thu, Apr 9, 2015 at 2:03 PM, Mick <mic...@gm...>
> wrote:
> > > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > > > Hi All,
> > > > > >
> > > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect
> two
> > >
> > > LAN.
> > >
> > > > > > LAN A and B.
> > > > > >
> > > > > > Check the diagram for more details.
> > > > > > My setting are as below.
> > > > > > *Router A:*
> > > > > >
> > > > > > # cat /etc/racoon.conf
> > > > > >
> > > > > > path pre_shared_key "/etc/psk.txt" ;
> > > > > >
> > > > > > listen {
> > > > > > isakmp 1.2.3.4   ;
> > > > > > strict_address ;
> > > > > >
> > > > > >  }
> > > > > >
> > > > > > remote 5.6.7.8 {
> > > > > >
> > > > > >  exchange_mode main,base ;
> > > > > >  lifetime time 12 hour ;
> > > > > >
> > > > > >  proposal {
> > > > > >
> > > > > >   encryption_algorithm 3des ;
> > > > > >   hash_algorithm md5 ;
> > > > > >   authentication_method pre_shared_key ;
> > > > > >   dh_group 2 ;
> > > > > >
> > > > > >   }
> > > > > >
> > > > > > }
> > > > > >
> > > > > > sainfo anonymous {
> > > > > >
> > > > > > pfs_group 2 ;
> > > > > > lifetime time 12 hour;
> > > > > > encryption_algorithm 3des ;
> > > > > > authentication_algorithm hmac_md5 ;
> > > > > > compression_algorithm deflate ;
> > > > > >
> > > > > > }
> > > > > >
> > > > > >
> > > > > > # cat /etc/setkey.conf
> > > > > >
> > > > > > #!/sbin/setkey -f
> > > > > > #flush SAD and SPD
> > > > > > flush;
> > > > > > spdflush;
> > > > > >
> > > > > > #create polices from racoon
> > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > > > >
> > > > > I assume this is a typo?  It should be:
> > > > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > > > >
> > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > > > >
> > > > > This should also no have a space before "/require;"
> > > > >
> > > > > > # cat /etc/psk.txt
> > > > > > #IPv4 Address
> > > > > > 5.6.7.8 123456789
> > > > > >
> > > > > > *Router B:*
> > > > > >
> > > > > > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> > > > > >
> > > > > > listen {
> > > > > > isakmp 5.6.7.8   ;
> > > > > >
> > > > > >  strict_address ;
> > > > > >  }
> > > > > >
> > > > > > remote 1.2.3.4 {
> > > > > >
> > > > > >  exchange_mode main,base ;
> > > > > >
> > > > > > lifetime time 12 hour ;
> > > > > >
> > > > > >  proposal {
> > > > > >
> > > > > >   encryption_algorithm 3des ;
> > > > > >
> > > > > >  hash_algorithm md5 ;
> > > > > >  authentication_method pre_shared_key ;
> > > > > >
> > > > > > dh_group 2 ;
> > > > > >
> > > > > >   }
> > > > > >
> > > > > >  }
> > > > > >
> > > > > > sainfo anonymous {
> > > > > >
> > > > > > pfs_group 2 ;
> > > > > > lifetime time 12 hour;
> > > > > >
> > > > > >  encryption_algorithm 3des ;
> > > > > >
> > > > > > authentication_algorithm hmac_md5 ;
> > > > > > compression_algorithm deflate ;
> > > > > >
> > > > > > }
> > > > > >
> > > > > > # cat /etc/setkey.conf
> > > > > > #!/sbin/setkey -f
> > > > > > #flush SAD and SPD
> > > > > >
> > > > > > flush;
> > > > > > spdflush;
> > > > > >
> > > > > > #create polices from racoon
> > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > > > >
> > > > > Same as I commented above.
> > > > >
> > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > > > >
> > > > > Same as I commented above.
> > > > >
> > > > > > # cat /etc/psk.txt
> > > > > > #IPv4 Address
> > > > > > 1.2.3.4 123456789
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Router A Lan
> > > > > >
> > > > > >                                   Router B Lan
> 192.168.1.0/24
> > > > > >
> > > > > > 192.168.8.0/24
> > > > > > Gateway:
> > > > > > 192.168.1.254
> > > > > > Gateway:192.168.8.254
> > > > > >
> > > > > >       |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8
> > > > > >       |Router B*
> > > > > >
> > > > > > ______|_|_|_|
> > > > > >
> > > > > >
> > > > > >
> > > > > > I can ping 192.168.1.254 gateway from 192.168.8.100  and
> similarly
> > >
> > > from
> > >
> > > > > > other side LAN network PC.
> > > > > >
> > > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and similarly from
> > >
> > > other
> > >
> > > > > > side.
> > > > > >
> > > > > > I can open router management server web page  from LAN PC at
> other
> > >
> > > LAN
> > >
> > > > > > network.
> > > > > >
> > > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and reverse
> > > > > > way. only LAN gateways are reachable.
> > > > >
> > > > > This statement contradicts the previous regarding what you can ping
> > > > > and what
> > > > > not.  I assume that you cannot ping 192.168.8.100 from
> 192.168.1.100?
> > > > >
> > > > > > where as whole LAN should be reachable from other LAN.
> > > > > >
> > > > > > am I missing some setting ?
> > > > >
> > > > > Check that Router B has been set up to allow ip forwarding; e.g.
> > > > >
> > > > > sysclt -a | grep eth0.forwarding
> > > > >
> > > > > net.ipv4.conf.eth0.forwarding = 1
> > > > >
> > > > >
> > > > > also check that the firewall on Router B is similarly allowed to
> > >
> > > forward
> > >
> > > > > packets.
> > > > >
> > > > > If not adjust accordingly.
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Mick
> > >
> > > --
> > > Regards,
> > > Mick
>
> --
> Regards,
> Mick
>

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: Mick <mic...@gm...> - 2015-04-23 21:00:21

Attachments: signature.asc

Hi Jalindar,

Unless there is some specific reason which you have not shared, I recommend 
that you install more recent kernel and ipsec-tools versions and try again.  
Otherwise, you will wasting a lot of effort to fix problems that the later 
versions do not have.

Specific comments included within your message below.


On Wednesday 22 Apr 2015 08:05:01 JALINDAR wrote:
> Hi Mick,
> 
> Yes , I was suspecting regarding setkey policy setting. My check using
> #setkey -DP find no forwarding policy.
> But I think forwarding policy should be there,am I right ?

Yes, it should.  If it doesn't then you should assume that your system is not 
working as intended.


> At Router A :
> 
> WAN INTERFACE :  192.168.3.11
> WAN GATEWAY   :  192.168.3.10
> 
> LAN    N/W ADDRESS : 192.168.1.0/24
> LAN GATEWAY           : 192.168.1.254
> 
> ##without racoon running

Are you sure?  Without racoon running there should no policies present, unless 
they are some stale ones hanging around?


> # setkey -DP
> 192.168.8.0/24[any] 192.168.1.0/24[any] any
>         in prio def ipsec
>         esp/tunnel/192.168.2.11-192.168.3.11/require
>         created: Jan  1 00:35:55 2000  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=40 seq=1 pid=1948
>         refcnt=1
> 192.168.1.0/24[any] 192.168.8.0/24[any] any
>         out prio def ipsec
>         esp/tunnel/192.168.3.11-192.168.2.11/require
>         created: Jan  1 00:35:55 2000  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=33 seq=0 pid=1948
>         refcnt=1
> 
> 
> ##with racoon running
> 
> # setkey -DP
> 192.168.8.0/24[any] 192.168.1.0/24[any] any
>         in prio def ipsec
>         esp/tunnel/192.168.2.11-192.168.3.11/require
>         created: Jan  1 00:35:55 2000  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=40 seq=1 pid=2522
>         refcnt=1
> 192.168.1.0/24[any] 192.168.8.0/24[any] any
>         out prio def ipsec
>         esp/tunnel/192.168.3.11-192.168.2.11/require
>         created: Jan  1 00:35:55 2000  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=33 seq=2 pid=2522
>         refcnt=1
> (per-socket policy)
>         in none
>         created: Jan  1 00:37:16 2000  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=51 seq=3 pid=2522
>         refcnt=1
> (per-socket policy)
>         out none
>         created: Jan  1 00:37:16 2000  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=60 seq=0 pid=2522
>         refcnt=1

You should definitely have a fwd SA present in there.  Your system is not 
working as it should.


> For /etc/setkey.conf file below:
> 
> # cat /etc/setkey.conf
> 
> #!/sbin/setkey -f
> 
> #flush SAD and SPD
> 
> flush;
> 
> spdflush;
> 
> 
> 
> #create polices from racoon
> 
> spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> 
> esp/tunnel/192.168.3.11-192.168.2.11/require;

Put each directive on a single line;  i.e. 

spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec \
esp/tunnel/192.168.3.11-192.168.2.11/require;

(Where "\" indicates a line break to stop my mail client messing up the line 
wrapping around.  You should have both lines above on a single line in the 
configuration file.)


> spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> 
> esp/tunnel/192.168.2.11-192.168.3.11/require;
> 
> *I test using adding :*
> 
> *spdadd 192.168.8.0/24 <http://192.168.8.0/24> 192.168.1.0/24
> <http://192.168.1.0/24> any -P fwd ipsec*
> 
> *esp/tunnel/192.168.2.11-192.168.3.11/require;*
> 
> output of #setkey -f /etc/setkey.conf with forward policy is
> 
> The result of line 14: File exists.
> 
> this line 14 is second line of the forward policy added
>  But some documents like this one:
> 
> http://www.ipsec-howto.org/x304.html
> 
> says :
> 
> *Attention: When using the Linux kernel >= 2.6.10 you also have to define
> the forward policy if packets need to be fowarded by the box. Just make
> sure you use the ipsec-tools 0.5 which add this policy automatically or add
> it yourself if using older tools. If you are running setkey in Kernel-mode
> (-k) you have to add the fwd-policy manually, too.*

This page was written 10 years ago.  To save your time and effort I would 
strongly recommend that you install a recent kernel and a more up to date 
version of ipsec-tools.

I run ipsec-tools-0.8.2 on a 3.18.11 kernel and I do not have such problems.


> As I am using ipsec-tools 0.6.6 , I expect no need to include this
> forward policy in setkey.

Correct.  It should be created by your system when you ping the remote host 
and SAs are created, but it isn't being created, which indicates that your 
system is not working as it should.


> but it is missing in #setkey -DP
> 
> Anything wrong with setkey settings ??

I can't see anything wrong with your settings.  The problem is with your 
kernel and potentially with the version of ipsec-tools.  Run the most recent 
version your distribution offers.


> My packet scan is going on and I found ping from LAN PC goes to other
> router(ESP packet) if
> 
> I add:
> 
> *#iptables -t NAT -I POSTROUTING --dst 192.168.8.0/24
> <http://192.168.8.0/24> -j SNAT --to-source 192.168.1.254*
> 
> in router with 192.168.1.254 LAN gateway and remote LAN address
> 192.168.8.0/24 .
> 
> that make me specious of my net-filter broken or not complete needed for
> IPSec.
> 
> is that correct ?

You shouldn't need iptables to forward packets within the router's own subnet.


> What is left is to check that:
> 
> 1. ICMP packets are forwarded from the remote peer to the LAN PCs behind
> it.
> 
> >>ICMP packet goes to remote router from LAN PC but remote router do not
> 
> forward it to LAN
> I can see ESP packet both direction but at LAN PC no ICMP response received
> to request.
> 
> How can I fix it ? is it router problem or IPSec or net-filter ?
> 
> 2. That ICMP packets are received by the PCs in the remote LAN and
> responded to.  These PCs may be have been configured to only respond to
> ICMP requests from IP addresses in their own local subnet, or not respond
> to ICMP packets at
> all.
> 
> >>ICMP packet is received by remote router but it do not forward it to LAN
> 
> PC.
> 
> Thanks
> Jalindar
> 
> On Wed, Apr 22, 2015 at 3:08 AM, Mick <mic...@gm...> wrote:
> > Yes, racoon and IPSec work fine, since you can establish a tunnel between
> > the
> > two peers.
> > 
> > You can check that the ESP tunnel is configured correctly to connect the
> > two
> > 
> > LANs by studying the output of:
> >  setkey -DP
> > 
> > This should show SAs created for in/out/fwd.
> > 
> > Also check the output of your syslog.
> > 
> > Then from my previous suggestion you have checked that the kernel is
> > configured to forward packets, according to sysctl.
> > 
> > What is left is to check that:
> > 
> > 1. ICMP packets are forwarded from the remote peer to the LAN PCs behind
> > it.
> > 
> > 2. That ICMP packets are received by the PCs in the remote LAN and
> > responded
> > to.  These PCs may be have been configured to only respond to ICMP
> > requests from IP addresses in their own local subnet, or not respond to
> > ICMP packets at
> > all.
> > 
> > Have you performed these checks and what have you found out?
> > 
> > Kernel version 2.6.21 is rather old, like 8 years old!  You should update
> > this
> > to a more recent kernel regardless, although I suspect that it is not
> > related
> > to your problem.
> > 
> > On Tuesday 21 Apr 2015 12:17:00 you wrote:
> > > Hi Mick,
> > > 
> > > Ok that help me to tab the issue but I would like to divide this issue
> > 
> > into
> > 
> > > three,  for fixing it:
> > > 
> > > 1.* raccon:* As IKE is working all ok and IPSec is set to kernel, it
> > 
> > should
> > 
> > > not have any issue.
> > > and anyway its role is to keyexchange and not much into actual IPSec ,
> > > which kernel has to do.
> > > 
> > > 2. *setkey :* SPD setting should be ok
> > > 
> > > 3. *linux Kernel: *IPSec setting of kernel should not be ok.
> > > 
> > > from my conclusion , it seems like I have something either missing or
> > > in error inside Linux kernel.
> > > As I know IPSec do not need any special routing to work.
> > > 
> > > Is my conclusion is correct ?
> > > 
> > > if yes then is there any document which says what detailed kernel
> > > modules needed for IPSec.
> > > like in netfilter mangle table needed ??
> > > 
> > > I am using linux kernel 2.6.21.x
> > > 
> > > 
> > > Thanks
> > > Jalindar
> > > 
> > > On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...> wrote:
> > > > On Thursday 09 Apr 2015 10:03:19 you wrote:
> > > > > Hi Mick,
> > > > > 
> > > > > I tried your suggestion but result is same.
> > > > > 
> > > > > If there was setting issue then IPSec would not have worked at all.
> > > > 
> > > > Not necessarily, it could work partially.  You could be communicating
> > > > with the
> > > > gateway, but getting no further than that because the router does not
> > > > forward
> > > > packets to the subnet behind it.
> > > > 
> > > > >  But it works. IPSec set to kernel. Lan devices can ping other Lan
> > > > 
> > > > gateway,
> > > > 
> > > > >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But router
> > > > >  or LAN
> > > > > 
> > > > > PC can not ping to other LAN PC.
> > > > 
> > > > I understand.  You could check that ICMP packets actually leave the
> > > > router towards the LAN PCs behind it; i.e. that the router processes
> > 
> > and
> > 
> > > > forwards incoming packets to PCs within its own LAN.  You can use
> > > > tcpdump or wireshark
> > > > for this.  You can also check if the LAN PCs receive these ICMP
> > > > packets and not respond to them, or if they do not receive them at
> > > > all.
> > > > 
> > > > > On Thu, Apr 9, 2015 at 2:03 PM, Mick <mic...@gm...>
> > 
> > wrote:
> > > > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > > > > Hi All,
> > > > > > > 
> > > > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to connect
> > 
> > two
> > 
> > > > LAN.
> > > > 
> > > > > > > LAN A and B.
> > > > > > > 
> > > > > > > Check the diagram for more details.
> > > > > > > My setting are as below.
> > > > > > > *Router A:*
> > > > > > > 
> > > > > > > # cat /etc/racoon.conf
> > > > > > > 
> > > > > > > path pre_shared_key "/etc/psk.txt" ;
> > > > > > > 
> > > > > > > listen {
> > > > > > > isakmp 1.2.3.4   ;
> > > > > > > strict_address ;
> > > > > > > 
> > > > > > >  }
> > > > > > > 
> > > > > > > remote 5.6.7.8 {
> > > > > > > 
> > > > > > >  exchange_mode main,base ;
> > > > > > >  lifetime time 12 hour ;
> > > > > > >  
> > > > > > >  proposal {
> > > > > > >  
> > > > > > >   encryption_algorithm 3des ;
> > > > > > >   hash_algorithm md5 ;
> > > > > > >   authentication_method pre_shared_key ;
> > > > > > >   dh_group 2 ;
> > > > > > >   
> > > > > > >   }
> > > > > > > 
> > > > > > > }
> > > > > > > 
> > > > > > > sainfo anonymous {
> > > > > > > 
> > > > > > > pfs_group 2 ;
> > > > > > > lifetime time 12 hour;
> > > > > > > encryption_algorithm 3des ;
> > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > compression_algorithm deflate ;
> > > > > > > 
> > > > > > > }
> > > > > > > 
> > > > > > > 
> > > > > > > # cat /etc/setkey.conf
> > > > > > > 
> > > > > > > #!/sbin/setkey -f
> > > > > > > #flush SAD and SPD
> > > > > > > flush;
> > > > > > > spdflush;
> > > > > > > 
> > > > > > > #create polices from racoon
> > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > > > > > 
> > > > > > I assume this is a typo?  It should be:
> > > > > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > > > > >   
> > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > > > > > 
> > > > > > This should also no have a space before "/require;"
> > > > > > 
> > > > > > > # cat /etc/psk.txt
> > > > > > > #IPv4 Address
> > > > > > > 5.6.7.8 123456789
> > > > > > > 
> > > > > > > *Router B:*
> > > > > > > 
> > > > > > > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> > > > > > > 
> > > > > > > listen {
> > > > > > > isakmp 5.6.7.8   ;
> > > > > > > 
> > > > > > >  strict_address ;
> > > > > > >  }
> > > > > > > 
> > > > > > > remote 1.2.3.4 {
> > > > > > > 
> > > > > > >  exchange_mode main,base ;
> > > > > > > 
> > > > > > > lifetime time 12 hour ;
> > > > > > > 
> > > > > > >  proposal {
> > > > > > >  
> > > > > > >   encryption_algorithm 3des ;
> > > > > > >  
> > > > > > >  hash_algorithm md5 ;
> > > > > > >  authentication_method pre_shared_key ;
> > > > > > > 
> > > > > > > dh_group 2 ;
> > > > > > > 
> > > > > > >   }
> > > > > > >  
> > > > > > >  }
> > > > > > > 
> > > > > > > sainfo anonymous {
> > > > > > > 
> > > > > > > pfs_group 2 ;
> > > > > > > lifetime time 12 hour;
> > > > > > > 
> > > > > > >  encryption_algorithm 3des ;
> > > > > > > 
> > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > compression_algorithm deflate ;
> > > > > > > 
> > > > > > > }
> > > > > > > 
> > > > > > > # cat /etc/setkey.conf
> > > > > > > #!/sbin/setkey -f
> > > > > > > #flush SAD and SPD
> > > > > > > 
> > > > > > > flush;
> > > > > > > spdflush;
> > > > > > > 
> > > > > > > #create polices from racoon
> > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > > > > > 
> > > > > > Same as I commented above.
> > > > > > 
> > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > > > > > 
> > > > > > Same as I commented above.
> > > > > > 
> > > > > > > # cat /etc/psk.txt
> > > > > > > #IPv4 Address
> > > > > > > 1.2.3.4 123456789
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Router A Lan
> > > > > > > 
> > > > > > >                                   Router B Lan
> > 
> > 192.168.1.0/24
> > 
> > > > > > > 192.168.8.0/24
> > > > > > > Gateway:
> > > > > > > 192.168.1.254
> > > > > > > Gateway:192.168.8.254
> > > > > > > 
> > > > > > >       |_|_|_|______*Router A 1..2.3.4>>>>>internet<<<<<5.6.7.8
> > > > > > >       |Router B*
> > > > > > > 
> > > > > > > ______|_|_|_|
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > I can ping 192.168.1.254 gateway from 192.168.8.100  and
> > 
> > similarly
> > 
> > > > from
> > > > 
> > > > > > > other side LAN network PC.
> > > > > > > 
> > > > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and similarly
> > > > > > > from
> > > > 
> > > > other
> > > > 
> > > > > > > side.
> > > > > > > 
> > > > > > > I can open router management server web page  from LAN PC at
> > 
> > other
> > 
> > > > LAN
> > > > 
> > > > > > > network.
> > > > > > > 
> > > > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and reverse
> > > > > > > way. only LAN gateways are reachable.
> > > > > > 
> > > > > > This statement contradicts the previous regarding what you can
> > > > > > ping and what
> > > > > > not.  I assume that you cannot ping 192.168.8.100 from
> > 
> > 192.168.1.100?
> > 
> > > > > > > where as whole LAN should be reachable from other LAN.
> > > > > > > 
> > > > > > > am I missing some setting ?
> > > > > > 
> > > > > > Check that Router B has been set up to allow ip forwarding; e.g.
> > > > > > 
> > > > > > sysclt -a | grep eth0.forwarding
> > > > > > 
> > > > > > net.ipv4.conf.eth0.forwarding = 1
> > > > > > 
> > > > > > 
> > > > > > also check that the firewall on Router B is similarly allowed to
> > > > 
> > > > forward
> > > > 
> > > > > > packets.
> > > > > > 
> > > > > > If not adjust accordingly.
> > > > > > 
> > > > > > --
> > > > > > Regards,
> > > > > > Mick
> > > > 
> > > > --
> > > > Regards,
> > > > Mick
> > 
> > --
> > Regards,
> > Mick

-- 
Regards,
Mick

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: JALINDAR <jal...@gm...> - 2015-04-30 10:22:36

Hi Mick,

Reason to use 2.6.21 is that, this SDK only support 2.6.21 and it will be
very big task to  upgrade its kernel to latest one 3.2.x

As I know 2.6.21 is also quite stable for IPSec function using ipsec-tools.
I used ipsec-tools 0.6.6 as it is stable for the ipsec tunnel function as
per
discussion on different forums with 2.6.21 kernel version otherwise I would
have used latest 0.8.2 ipsec-tools version.

My SDK Linux kernel 2.6.21 netfilter module seems incomplete so I am now
using Ubuntu 12.04 as ipsec-tools server
to find issue and my test shows forwarding policy in Ubuntu and I can ping
LAN PC from router which was not
possible with two router so missing forwarding policy is the issue.


How to bring this forwarding policy ?
through kernel patch or is it ipsec-tools compile issue ?

Like this discussion talks about such forwarding policy and
someone is saying ipsec-tool , racoon suppose to add this forwarding policy
to the kernel.

http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-needed-for-a-ipsec-tunnel


is that correct ?

But this ipsec-tools 0.6.6 version already suppose to add forwarding policy
to kernel.

is that case that racoon try to add but kernel has no support ??

or

ipsec-tools has configured without such option while configuring ??

But setting forward policy function must be in ipesc-tools and should not
be  configurable.

Now my task is to bring this forwarding policy anyway either patching or
reconfiguring Linux kernel 2.6.21
or patching or reconfiguration ipsec-tools 0.6.6.

what do you think ?

I read about netfilter types full cone, restricted cone, port restricted
cone..
will that be any issue ??


Thanks
Jalindar

On Fri, Apr 24, 2015 at 4:59 AM, Mick <mic...@gm...> wrote:

> Hi Jalindar,
>
> Unless there is some specific reason which you have not shared, I recommend
> that you install more recent kernel and ipsec-tools versions and try again.
> Otherwise, you will wasting a lot of effort to fix problems that the later
> versions do not have.
>
> Specific comments included within your message below.
>
>
> On Wednesday 22 Apr 2015 08:05:01 JALINDAR wrote:
> > Hi Mick,
> >
> > Yes , I was suspecting regarding setkey policy setting. My check using
> > #setkey -DP find no forwarding policy.
> > But I think forwarding policy should be there,am I right ?
>
> Yes, it should.  If it doesn't then you should assume that your system is
> not
> working as intended.
>
>
> > At Router A :
> >
> > WAN INTERFACE :  192.168.3.11
> > WAN GATEWAY   :  192.168.3.10
> >
> > LAN    N/W ADDRESS : 192.168.1.0/24
> > LAN GATEWAY           : 192.168.1.254
> >
> > ##without racoon running
>
> Are you sure?  Without racoon running there should no policies present,
> unless
> they are some stale ones hanging around?
>
>
> > # setkey -DP
> > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D> 192.168.1.0/24[any]
> <http://192.168.1.0/24%5Bany%5D> any
> >         in prio def ipsec
> >         esp/tunnel/192.168.2.11-192.168.3.11/require
> >         created: Jan  1 00:35:55 2000  lastused:
> >         lifetime: 0(s) validtime: 0(s)
> >         spid=40 seq=1 pid=1948
> >         refcnt=1
> > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D> 192.168.8.0/24[any]
> <http://192.168.8.0/24%5Bany%5D> any
> >         out prio def ipsec
> >         esp/tunnel/192.168.3.11-192.168.2.11/require
> >         created: Jan  1 00:35:55 2000  lastused:
> >         lifetime: 0(s) validtime: 0(s)
> >         spid=33 seq=0 pid=1948
> >         refcnt=1
> >
> >
> > ##with racoon running
> >
> > # setkey -DP
> > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D> 192.168.1.0/24[any]
> <http://192.168.1.0/24%5Bany%5D> any
> >         in prio def ipsec
> >         esp/tunnel/192.168.2.11-192.168.3.11/require
> >         created: Jan  1 00:35:55 2000  lastused:
> >         lifetime: 0(s) validtime: 0(s)
> >         spid=40 seq=1 pid=2522
> >         refcnt=1
> > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D> 192.168.8.0/24[any]
> <http://192.168.8.0/24%5Bany%5D> any
> >         out prio def ipsec
> >         esp/tunnel/192.168.3.11-192.168.2.11/require
> >         created: Jan  1 00:35:55 2000  lastused:
> >         lifetime: 0(s) validtime: 0(s)
> >         spid=33 seq=2 pid=2522
> >         refcnt=1
> > (per-socket policy)
> >         in none
> >         created: Jan  1 00:37:16 2000  lastused:
> >         lifetime: 0(s) validtime: 0(s)
> >         spid=51 seq=3 pid=2522
> >         refcnt=1
> > (per-socket policy)
> >         out none
> >         created: Jan  1 00:37:16 2000  lastused:
> >         lifetime: 0(s) validtime: 0(s)
> >         spid=60 seq=0 pid=2522
> >         refcnt=1
>
> You should definitely have a fwd SA present in there.  Your system is not
> working as it should.
>
>
> > For /etc/setkey.conf file below:
> >
> > # cat /etc/setkey.conf
> >
> > #!/sbin/setkey -f
> >
> > #flush SAD and SPD
> >
> > flush;
> >
> > spdflush;
> >
> >
> >
> > #create polices from racoon
> >
> > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> >
> > esp/tunnel/192.168.3.11-192.168.2.11/require;
>
> Put each directive on a single line;  i.e.
>
> spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec \
> esp/tunnel/192.168.3.11-192.168.2.11/require;
>
> (Where "\" indicates a line break to stop my mail client messing up the
> line
> wrapping around.  You should have both lines above on a single line in the
> configuration file.)
>
>
> > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> >
> > esp/tunnel/192.168.2.11-192.168.3.11/require;
> >
> > *I test using adding :*
> >
> > *spdadd 192.168.8.0/24 <http://192.168.8.0/24> 192.168.1.0/24
> > <http://192.168.1.0/24> any -P fwd ipsec*
> >
> > *esp/tunnel/192.168.2.11-192.168.3.11/require;*
> >
> > output of #setkey -f /etc/setkey.conf with forward policy is
> >
> > The result of line 14: File exists.
> >
> > this line 14 is second line of the forward policy added
> >  But some documents like this one:
> >
> > http://www.ipsec-howto.org/x304.html
> >
> > says :
> >
> > *Attention: When using the Linux kernel >= 2.6.10 you also have to define
> > the forward policy if packets need to be fowarded by the box. Just make
> > sure you use the ipsec-tools 0.5 which add this policy automatically or
> add
> > it yourself if using older tools. If you are running setkey in
> Kernel-mode
> > (-k) you have to add the fwd-policy manually, too.*
>
> This page was written 10 years ago.  To save your time and effort I would
> strongly recommend that you install a recent kernel and a more up to date
> version of ipsec-tools.
>
> I run ipsec-tools-0.8.2 on a 3.18.11 kernel and I do not have such
> problems.
>
>
> > As I am using ipsec-tools 0.6.6 , I expect no need to include this
> > forward policy in setkey.
>
> Correct.  It should be created by your system when you ping the remote host
> and SAs are created, but it isn't being created, which indicates that your
> system is not working as it should.
>
>
> > but it is missing in #setkey -DP
> >
> > Anything wrong with setkey settings ??
>
> I can't see anything wrong with your settings.  The problem is with your
> kernel and potentially with the version of ipsec-tools.  Run the most
> recent
> version your distribution offers.
>
>
> > My packet scan is going on and I found ping from LAN PC goes to other
> > router(ESP packet) if
> >
> > I add:
> >
> > *#iptables -t NAT -I POSTROUTING --dst 192.168.8.0/24
> > <http://192.168.8.0/24> -j SNAT --to-source 192.168.1.254*
> >
> > in router with 192.168.1.254 LAN gateway and remote LAN address
> > 192.168.8.0/24 .
> >
> > that make me specious of my net-filter broken or not complete needed for
> > IPSec.
> >
> > is that correct ?
>
> You shouldn't need iptables to forward packets within the router's own
> subnet.
>
>
> > What is left is to check that:
> >
> > 1. ICMP packets are forwarded from the remote peer to the LAN PCs behind
> > it.
> >
> > >>ICMP packet goes to remote router from LAN PC but remote router do not
> >
> > forward it to LAN
> > I can see ESP packet both direction but at LAN PC no ICMP response
> received
> > to request.
> >
> > How can I fix it ? is it router problem or IPSec or net-filter ?
> >
> > 2. That ICMP packets are received by the PCs in the remote LAN and
> > responded to.  These PCs may be have been configured to only respond to
> > ICMP requests from IP addresses in their own local subnet, or not respond
> > to ICMP packets at
> > all.
> >
> > >>ICMP packet is received by remote router but it do not forward it to
> LAN
> >
> > PC.
> >
> > Thanks
> > Jalindar
> >
> > On Wed, Apr 22, 2015 at 3:08 AM, Mick <mic...@gm...> wrote:
> > > Yes, racoon and IPSec work fine, since you can establish a tunnel
> between
> > > the
> > > two peers.
> > >
> > > You can check that the ESP tunnel is configured correctly to connect
> the
> > > two
> > >
> > > LANs by studying the output of:
> > >  setkey -DP
> > >
> > > This should show SAs created for in/out/fwd.
> > >
> > > Also check the output of your syslog.
> > >
> > > Then from my previous suggestion you have checked that the kernel is
> > > configured to forward packets, according to sysctl.
> > >
> > > What is left is to check that:
> > >
> > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs
> behind
> > > it.
> > >
> > > 2. That ICMP packets are received by the PCs in the remote LAN and
> > > responded
> > > to.  These PCs may be have been configured to only respond to ICMP
> > > requests from IP addresses in their own local subnet, or not respond to
> > > ICMP packets at
> > > all.
> > >
> > > Have you performed these checks and what have you found out?
> > >
> > > Kernel version 2.6.21 is rather old, like 8 years old!  You should
> update
> > > this
> > > to a more recent kernel regardless, although I suspect that it is not
> > > related
> > > to your problem.
> > >
> > > On Tuesday 21 Apr 2015 12:17:00 you wrote:
> > > > Hi Mick,
> > > >
> > > > Ok that help me to tab the issue but I would like to divide this
> issue
> > >
> > > into
> > >
> > > > three,  for fixing it:
> > > >
> > > > 1.* raccon:* As IKE is working all ok and IPSec is set to kernel, it
> > >
> > > should
> > >
> > > > not have any issue.
> > > > and anyway its role is to keyexchange and not much into actual IPSec
> ,
> > > > which kernel has to do.
> > > >
> > > > 2. *setkey :* SPD setting should be ok
> > > >
> > > > 3. *linux Kernel: *IPSec setting of kernel should not be ok.
> > > >
> > > > from my conclusion , it seems like I have something either missing or
> > > > in error inside Linux kernel.
> > > > As I know IPSec do not need any special routing to work.
> > > >
> > > > Is my conclusion is correct ?
> > > >
> > > > if yes then is there any document which says what detailed kernel
> > > > modules needed for IPSec.
> > > > like in netfilter mangle table needed ??
> > > >
> > > > I am using linux kernel 2.6.21.x
> > > >
> > > >
> > > > Thanks
> > > > Jalindar
> > > >
> > > > On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...>
> wrote:
> > > > > On Thursday 09 Apr 2015 10:03:19 you wrote:
> > > > > > Hi Mick,
> > > > > >
> > > > > > I tried your suggestion but result is same.
> > > > > >
> > > > > > If there was setting issue then IPSec would not have worked at
> all.
> > > > >
> > > > > Not necessarily, it could work partially.  You could be
> communicating
> > > > > with the
> > > > > gateway, but getting no further than that because the router does
> not
> > > > > forward
> > > > > packets to the subnet behind it.
> > > > >
> > > > > >  But it works. IPSec set to kernel. Lan devices can ping other
> Lan
> > > > >
> > > > > gateway,
> > > > >
> > > > > >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But
> router
> > > > > >  or LAN
> > > > > >
> > > > > > PC can not ping to other LAN PC.
> > > > >
> > > > > I understand.  You could check that ICMP packets actually leave the
> > > > > router towards the LAN PCs behind it; i.e. that the router
> processes
> > >
> > > and
> > >
> > > > > forwards incoming packets to PCs within its own LAN.  You can use
> > > > > tcpdump or wireshark
> > > > > for this.  You can also check if the LAN PCs receive these ICMP
> > > > > packets and not respond to them, or if they do not receive them at
> > > > > all.
> > > > >
> > > > > > On Thu, Apr 9, 2015 at 2:03 PM, Mick <mic...@gm...>
> > >
> > > wrote:
> > > > > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to
> connect
> > >
> > > two
> > >
> > > > > LAN.
> > > > >
> > > > > > > > LAN A and B.
> > > > > > > >
> > > > > > > > Check the diagram for more details.
> > > > > > > > My setting are as below.
> > > > > > > > *Router A:*
> > > > > > > >
> > > > > > > > # cat /etc/racoon.conf
> > > > > > > >
> > > > > > > > path pre_shared_key "/etc/psk.txt" ;
> > > > > > > >
> > > > > > > > listen {
> > > > > > > > isakmp 1.2.3.4   ;
> > > > > > > > strict_address ;
> > > > > > > >
> > > > > > > >  }
> > > > > > > >
> > > > > > > > remote 5.6.7.8 {
> > > > > > > >
> > > > > > > >  exchange_mode main,base ;
> > > > > > > >  lifetime time 12 hour ;
> > > > > > > >
> > > > > > > >  proposal {
> > > > > > > >
> > > > > > > >   encryption_algorithm 3des ;
> > > > > > > >   hash_algorithm md5 ;
> > > > > > > >   authentication_method pre_shared_key ;
> > > > > > > >   dh_group 2 ;
> > > > > > > >
> > > > > > > >   }
> > > > > > > >
> > > > > > > > }
> > > > > > > >
> > > > > > > > sainfo anonymous {
> > > > > > > >
> > > > > > > > pfs_group 2 ;
> > > > > > > > lifetime time 12 hour;
> > > > > > > > encryption_algorithm 3des ;
> > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > compression_algorithm deflate ;
> > > > > > > >
> > > > > > > > }
> > > > > > > >
> > > > > > > >
> > > > > > > > # cat /etc/setkey.conf
> > > > > > > >
> > > > > > > > #!/sbin/setkey -f
> > > > > > > > #flush SAD and SPD
> > > > > > > > flush;
> > > > > > > > spdflush;
> > > > > > > >
> > > > > > > > #create polices from racoon
> > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > > > > > >
> > > > > > > I assume this is a typo?  It should be:
> > > > > > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > > > > > >
> > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > > > > > >
> > > > > > > This should also no have a space before "/require;"
> > > > > > >
> > > > > > > > # cat /etc/psk.txt
> > > > > > > > #IPv4 Address
> > > > > > > > 5.6.7.8 123456789
> > > > > > > >
> > > > > > > > *Router B:*
> > > > > > > >
> > > > > > > > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt" ;
> > > > > > > >
> > > > > > > > listen {
> > > > > > > > isakmp 5.6.7.8   ;
> > > > > > > >
> > > > > > > >  strict_address ;
> > > > > > > >  }
> > > > > > > >
> > > > > > > > remote 1.2.3.4 {
> > > > > > > >
> > > > > > > >  exchange_mode main,base ;
> > > > > > > >
> > > > > > > > lifetime time 12 hour ;
> > > > > > > >
> > > > > > > >  proposal {
> > > > > > > >
> > > > > > > >   encryption_algorithm 3des ;
> > > > > > > >
> > > > > > > >  hash_algorithm md5 ;
> > > > > > > >  authentication_method pre_shared_key ;
> > > > > > > >
> > > > > > > > dh_group 2 ;
> > > > > > > >
> > > > > > > >   }
> > > > > > > >
> > > > > > > >  }
> > > > > > > >
> > > > > > > > sainfo anonymous {
> > > > > > > >
> > > > > > > > pfs_group 2 ;
> > > > > > > > lifetime time 12 hour;
> > > > > > > >
> > > > > > > >  encryption_algorithm 3des ;
> > > > > > > >
> > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > compression_algorithm deflate ;
> > > > > > > >
> > > > > > > > }
> > > > > > > >
> > > > > > > > # cat /etc/setkey.conf
> > > > > > > > #!/sbin/setkey -f
> > > > > > > > #flush SAD and SPD
> > > > > > > >
> > > > > > > > flush;
> > > > > > > > spdflush;
> > > > > > > >
> > > > > > > > #create polices from racoon
> > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > > > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > > > > > >
> > > > > > > Same as I commented above.
> > > > > > >
> > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > > > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > > > > > >
> > > > > > > Same as I commented above.
> > > > > > >
> > > > > > > > # cat /etc/psk.txt
> > > > > > > > #IPv4 Address
> > > > > > > > 1.2.3.4 123456789
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Router A Lan
> > > > > > > >
> > > > > > > >                                   Router B Lan
> > >
> > > 192.168.1.0/24
> > >
> > > > > > > > 192.168.8.0/24
> > > > > > > > Gateway:
> > > > > > > > 192.168.1.254
> > > > > > > > Gateway:192.168.8.254
> > > > > > > >
> > > > > > > >       |_|_|_|______*Router A
> 1..2.3.4>>>>>internet<<<<<5.6.7.8
> > > > > > > >       |Router B*
> > > > > > > >
> > > > > > > > ______|_|_|_|
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > I can ping 192.168.1.254 gateway from 192.168.8.100  and
> > >
> > > similarly
> > >
> > > > > from
> > > > >
> > > > > > > > other side LAN network PC.
> > > > > > > >
> > > > > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and similarly
> > > > > > > > from
> > > > >
> > > > > other
> > > > >
> > > > > > > > side.
> > > > > > > >
> > > > > > > > I can open router management server web page  from LAN PC at
> > >
> > > other
> > >
> > > > > LAN
> > > > >
> > > > > > > > network.
> > > > > > > >
> > > > > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and
> reverse
> > > > > > > > way. only LAN gateways are reachable.
> > > > > > >
> > > > > > > This statement contradicts the previous regarding what you can
> > > > > > > ping and what
> > > > > > > not.  I assume that you cannot ping 192.168.8.100 from
> > >
> > > 192.168.1.100?
> > >
> > > > > > > > where as whole LAN should be reachable from other LAN.
> > > > > > > >
> > > > > > > > am I missing some setting ?
> > > > > > >
> > > > > > > Check that Router B has been set up to allow ip forwarding;
> e.g.
> > > > > > >
> > > > > > > sysclt -a | grep eth0.forwarding
> > > > > > >
> > > > > > > net.ipv4.conf.eth0.forwarding = 1
> > > > > > >
> > > > > > >
> > > > > > > also check that the firewall on Router B is similarly allowed
> to
> > > > >
> > > > > forward
> > > > >
> > > > > > > packets.
> > > > > > >
> > > > > > > If not adjust accordingly.
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > > Mick
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Mick
> > >
> > > --
> > > Regards,
> > > Mick
>
> --
> Regards,
> Mick
>

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: Mick <mic...@gm...> - 2015-05-01 06:17:05

Attachments: signature.asc

I see, you *have* to use 2.6.21 then.  :-(

The URL you provided is correct, the IPSec keying daemon is supposed to create 
the forward policy.  There was an old bug in racoon where this policy would 
not be created:

 https://bugzilla.redhat.com/show_bug.cgi?id=150179

However, ipsec-tools 0.6.6 does not have this bug and should be creating the 
fwd policy.

I can't recall if you tried to add fwd to your setkey policies manually?  Can 
you please try this and check to see if the fwd policy is created?

With regards to what is required in the kernel, check that these modules 
listed here are loaded:

 http://www.ipsec-howto.org/x304.html

Also check that NAT is enabled in the kernel.


On Thursday 30 Apr 2015 11:21:47 you wrote:
> Hi Mick,
> 
> Reason to use 2.6.21 is that, this SDK only support 2.6.21 and it will be
> very big task to  upgrade its kernel to latest one 3.2.x
> 
> As I know 2.6.21 is also quite stable for IPSec function using ipsec-tools.
> I used ipsec-tools 0.6.6 as it is stable for the ipsec tunnel function as
> per
> discussion on different forums with 2.6.21 kernel version otherwise I would
> have used latest 0.8.2 ipsec-tools version.
> 
> My SDK Linux kernel 2.6.21 netfilter module seems incomplete so I am now
> using Ubuntu 12.04 as ipsec-tools server
> to find issue and my test shows forwarding policy in Ubuntu and I can ping
> LAN PC from router which was not
> possible with two router so missing forwarding policy is the issue.
> 
> 
> How to bring this forwarding policy ?
> through kernel patch or is it ipsec-tools compile issue ?
> 
> Like this discussion talks about such forwarding policy and
> someone is saying ipsec-tool , racoon suppose to add this forwarding policy
> to the kernel.
> 
> http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-nee
> ded-for-a-ipsec-tunnel
> 
> 
> is that correct ?
> 
> But this ipsec-tools 0.6.6 version already suppose to add forwarding policy
> to kernel.
> 
> is that case that racoon try to add but kernel has no support ??
> 
> or
> 
> ipsec-tools has configured without such option while configuring ??
> 
> But setting forward policy function must be in ipesc-tools and should not
> be  configurable.
> 
> Now my task is to bring this forwarding policy anyway either patching or
> reconfiguring Linux kernel 2.6.21
> or patching or reconfiguration ipsec-tools 0.6.6.
> 
> what do you think ?
> 
> I read about netfilter types full cone, restricted cone, port restricted
> cone..
> will that be any issue ??
> 
> 
> Thanks
> Jalindar
> 
> On Fri, Apr 24, 2015 at 4:59 AM, Mick <mic...@gm...> wrote:
> > Hi Jalindar,
> > 
> > Unless there is some specific reason which you have not shared, I
> > recommend that you install more recent kernel and ipsec-tools versions
> > and try again. Otherwise, you will wasting a lot of effort to fix
> > problems that the later versions do not have.
> > 
> > Specific comments included within your message below.
> > 
> > On Wednesday 22 Apr 2015 08:05:01 JALINDAR wrote:
> > > Hi Mick,
> > > 
> > > Yes , I was suspecting regarding setkey policy setting. My check using
> > > #setkey -DP find no forwarding policy.
> > > But I think forwarding policy should be there,am I right ?
> > 
> > Yes, it should.  If it doesn't then you should assume that your system is
> > not
> > working as intended.
> > 
> > > At Router A :
> > > 
> > > WAN INTERFACE :  192.168.3.11
> > > WAN GATEWAY   :  192.168.3.10
> > > 
> > > LAN    N/W ADDRESS : 192.168.1.0/24
> > > LAN GATEWAY           : 192.168.1.254
> > > 
> > > ##without racoon running
> > 
> > Are you sure?  Without racoon running there should no policies present,
> > unless
> > they are some stale ones hanging around?
> > 
> > > # setkey -DP
> > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D>
> > > 192.168.1.0/24[any]
> > 
> > <http://192.168.1.0/24%5Bany%5D> any
> > 
> > >         in prio def ipsec
> > >         esp/tunnel/192.168.2.11-192.168.3.11/require
> > >         created: Jan  1 00:35:55 2000  lastused:
> > >         lifetime: 0(s) validtime: 0(s)
> > >         spid=40 seq=1 pid=1948
> > >         refcnt=1
> > > 
> > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D>
> > > 192.168.8.0/24[any]
> > 
> > <http://192.168.8.0/24%5Bany%5D> any
> > 
> > >         out prio def ipsec
> > >         esp/tunnel/192.168.3.11-192.168.2.11/require
> > >         created: Jan  1 00:35:55 2000  lastused:
> > >         lifetime: 0(s) validtime: 0(s)
> > >         spid=33 seq=0 pid=1948
> > >         refcnt=1
> > > 
> > > ##with racoon running
> > > 
> > > # setkey -DP
> > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D>
> > > 192.168.1.0/24[any]
> > 
> > <http://192.168.1.0/24%5Bany%5D> any
> > 
> > >         in prio def ipsec
> > >         esp/tunnel/192.168.2.11-192.168.3.11/require
> > >         created: Jan  1 00:35:55 2000  lastused:
> > >         lifetime: 0(s) validtime: 0(s)
> > >         spid=40 seq=1 pid=2522
> > >         refcnt=1
> > > 
> > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D>
> > > 192.168.8.0/24[any]
> > 
> > <http://192.168.8.0/24%5Bany%5D> any
> > 
> > >         out prio def ipsec
> > >         esp/tunnel/192.168.3.11-192.168.2.11/require
> > >         created: Jan  1 00:35:55 2000  lastused:
> > >         lifetime: 0(s) validtime: 0(s)
> > >         spid=33 seq=2 pid=2522
> > >         refcnt=1
> > > 
> > > (per-socket policy)
> > > 
> > >         in none
> > >         created: Jan  1 00:37:16 2000  lastused:
> > >         lifetime: 0(s) validtime: 0(s)
> > >         spid=51 seq=3 pid=2522
> > >         refcnt=1
> > > 
> > > (per-socket policy)
> > > 
> > >         out none
> > >         created: Jan  1 00:37:16 2000  lastused:
> > >         lifetime: 0(s) validtime: 0(s)
> > >         spid=60 seq=0 pid=2522
> > >         refcnt=1
> > 
> > You should definitely have a fwd SA present in there.  Your system is not
> > working as it should.
> > 
> > > For /etc/setkey.conf file below:
> > > 
> > > # cat /etc/setkey.conf
> > > 
> > > #!/sbin/setkey -f
> > > 
> > > #flush SAD and SPD
> > > 
> > > flush;
> > > 
> > > spdflush;
> > > 
> > > 
> > > 
> > > #create polices from racoon
> > > 
> > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > 
> > > esp/tunnel/192.168.3.11-192.168.2.11/require;
> > 
> > Put each directive on a single line;  i.e.
> > 
> > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec \
> > esp/tunnel/192.168.3.11-192.168.2.11/require;
> > 
> > (Where "\" indicates a line break to stop my mail client messing up the
> > line
> > wrapping around.  You should have both lines above on a single line in
> > the configuration file.)
> > 
> > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > 
> > > esp/tunnel/192.168.2.11-192.168.3.11/require;
> > > 
> > > *I test using adding :*
> > > 
> > > *spdadd 192.168.8.0/24 <http://192.168.8.0/24> 192.168.1.0/24
> > > <http://192.168.1.0/24> any -P fwd ipsec*
> > > 
> > > *esp/tunnel/192.168.2.11-192.168.3.11/require;*
> > > 
> > > output of #setkey -f /etc/setkey.conf with forward policy is
> > > 
> > > The result of line 14: File exists.
> > > 
> > > this line 14 is second line of the forward policy added
> > > 
> > >  But some documents like this one:
> > > http://www.ipsec-howto.org/x304.html
> > > 
> > > says :
> > > 
> > > *Attention: When using the Linux kernel >= 2.6.10 you also have to
> > > define the forward policy if packets need to be fowarded by the box.
> > > Just make sure you use the ipsec-tools 0.5 which add this policy
> > > automatically or
> > 
> > add
> > 
> > > it yourself if using older tools. If you are running setkey in
> > 
> > Kernel-mode
> > 
> > > (-k) you have to add the fwd-policy manually, too.*
> > 
> > This page was written 10 years ago.  To save your time and effort I would
> > strongly recommend that you install a recent kernel and a more up to date
> > version of ipsec-tools.
> > 
> > I run ipsec-tools-0.8.2 on a 3.18.11 kernel and I do not have such
> > problems.
> > 
> > > As I am using ipsec-tools 0.6.6 , I expect no need to include this
> > > forward policy in setkey.
> > 
> > Correct.  It should be created by your system when you ping the remote
> > host and SAs are created, but it isn't being created, which indicates
> > that your system is not working as it should.
> > 
> > > but it is missing in #setkey -DP
> > > 
> > > Anything wrong with setkey settings ??
> > 
> > I can't see anything wrong with your settings.  The problem is with your
> > kernel and potentially with the version of ipsec-tools.  Run the most
> > recent
> > version your distribution offers.
> > 
> > > My packet scan is going on and I found ping from LAN PC goes to other
> > > router(ESP packet) if
> > > 
> > > I add:
> > > 
> > > *#iptables -t NAT -I POSTROUTING --dst 192.168.8.0/24
> > > <http://192.168.8.0/24> -j SNAT --to-source 192.168.1.254*
> > > 
> > > in router with 192.168.1.254 LAN gateway and remote LAN address
> > > 192.168.8.0/24 .
> > > 
> > > that make me specious of my net-filter broken or not complete needed
> > > for IPSec.
> > > 
> > > is that correct ?
> > 
> > You shouldn't need iptables to forward packets within the router's own
> > subnet.
> > 
> > > What is left is to check that:
> > > 
> > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs
> > > behind it.
> > > 
> > > >>ICMP packet goes to remote router from LAN PC but remote router do
> > > >>not
> > > 
> > > forward it to LAN
> > > I can see ESP packet both direction but at LAN PC no ICMP response
> > 
> > received
> > 
> > > to request.
> > > 
> > > How can I fix it ? is it router problem or IPSec or net-filter ?
> > > 
> > > 2. That ICMP packets are received by the PCs in the remote LAN and
> > > responded to.  These PCs may be have been configured to only respond to
> > > ICMP requests from IP addresses in their own local subnet, or not
> > > respond to ICMP packets at
> > > all.
> > > 
> > > >>ICMP packet is received by remote router but it do not forward it to
> > 
> > LAN
> > 
> > > PC.
> > > 
> > > Thanks
> > > Jalindar
> > > 
> > > On Wed, Apr 22, 2015 at 3:08 AM, Mick <mic...@gm...> wrote:
> > > > Yes, racoon and IPSec work fine, since you can establish a tunnel
> > 
> > between
> > 
> > > > the
> > > > two peers.
> > > > 
> > > > You can check that the ESP tunnel is configured correctly to connect
> > 
> > the
> > 
> > > > two
> > > > 
> > > > LANs by studying the output of:
> > > >  setkey -DP
> > > > 
> > > > This should show SAs created for in/out/fwd.
> > > > 
> > > > Also check the output of your syslog.
> > > > 
> > > > Then from my previous suggestion you have checked that the kernel is
> > > > configured to forward packets, according to sysctl.
> > > > 
> > > > What is left is to check that:
> > > > 
> > > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs
> > 
> > behind
> > 
> > > > it.
> > > > 
> > > > 2. That ICMP packets are received by the PCs in the remote LAN and
> > > > responded
> > > > to.  These PCs may be have been configured to only respond to ICMP
> > > > requests from IP addresses in their own local subnet, or not respond
> > > > to ICMP packets at
> > > > all.
> > > > 
> > > > Have you performed these checks and what have you found out?
> > > > 
> > > > Kernel version 2.6.21 is rather old, like 8 years old!  You should
> > 
> > update
> > 
> > > > this
> > > > to a more recent kernel regardless, although I suspect that it is not
> > > > related
> > > > to your problem.
> > > > 
> > > > On Tuesday 21 Apr 2015 12:17:00 you wrote:
> > > > > Hi Mick,
> > > > > 
> > > > > Ok that help me to tab the issue but I would like to divide this
> > 
> > issue
> > 
> > > > into
> > > > 
> > > > > three,  for fixing it:
> > > > > 
> > > > > 1.* raccon:* As IKE is working all ok and IPSec is set to kernel,
> > > > > it
> > > > 
> > > > should
> > > > 
> > > > > not have any issue.
> > > > > and anyway its role is to keyexchange and not much into actual
> > > > > IPSec
> > 
> > ,
> > 
> > > > > which kernel has to do.
> > > > > 
> > > > > 2. *setkey :* SPD setting should be ok
> > > > > 
> > > > > 3. *linux Kernel: *IPSec setting of kernel should not be ok.
> > > > > 
> > > > > from my conclusion , it seems like I have something either missing
> > > > > or in error inside Linux kernel.
> > > > > As I know IPSec do not need any special routing to work.
> > > > > 
> > > > > Is my conclusion is correct ?
> > > > > 
> > > > > if yes then is there any document which says what detailed kernel
> > > > > modules needed for IPSec.
> > > > > like in netfilter mangle table needed ??
> > > > > 
> > > > > I am using linux kernel 2.6.21.x
> > > > > 
> > > > > 
> > > > > Thanks
> > > > > Jalindar
> > > > > 
> > > > > On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...>
> > 
> > wrote:
> > > > > > On Thursday 09 Apr 2015 10:03:19 you wrote:
> > > > > > > Hi Mick,
> > > > > > > 
> > > > > > > I tried your suggestion but result is same.
> > > > > > > 
> > > > > > > If there was setting issue then IPSec would not have worked at
> > 
> > all.
> > 
> > > > > > Not necessarily, it could work partially.  You could be
> > 
> > communicating
> > 
> > > > > > with the
> > > > > > gateway, but getting no further than that because the router does
> > 
> > not
> > 
> > > > > > forward
> > > > > > packets to the subnet behind it.
> > > > > > 
> > > > > > >  But it works. IPSec set to kernel. Lan devices can ping other
> > 
> > Lan
> > 
> > > > > > gateway,
> > > > > > 
> > > > > > >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But
> > 
> > router
> > 
> > > > > > >  or LAN
> > > > > > > 
> > > > > > > PC can not ping to other LAN PC.
> > > > > > 
> > > > > > I understand.  You could check that ICMP packets actually leave
> > > > > > the router towards the LAN PCs behind it; i.e. that the router
> > 
> > processes
> > 
> > > > and
> > > > 
> > > > > > forwards incoming packets to PCs within its own LAN.  You can use
> > > > > > tcpdump or wireshark
> > > > > > for this.  You can also check if the LAN PCs receive these ICMP
> > > > > > packets and not respond to them, or if they do not receive them
> > > > > > at all.
> > > > > > 
> > > > > > > On Thu, Apr 9, 2015 at 2:03 PM, Mick
> > > > > > > <mic...@gm...>
> > > > 
> > > > wrote:
> > > > > > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > > > > > > Hi All,
> > > > > > > > > 
> > > > > > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to
> > 
> > connect
> > 
> > > > two
> > > > 
> > > > > > LAN.
> > > > > > 
> > > > > > > > > LAN A and B.
> > > > > > > > > 
> > > > > > > > > Check the diagram for more details.
> > > > > > > > > My setting are as below.
> > > > > > > > > *Router A:*
> > > > > > > > > 
> > > > > > > > > # cat /etc/racoon.conf
> > > > > > > > > 
> > > > > > > > > path pre_shared_key "/etc/psk.txt" ;
> > > > > > > > > 
> > > > > > > > > listen {
> > > > > > > > > isakmp 1.2.3.4   ;
> > > > > > > > > strict_address ;
> > > > > > > > > 
> > > > > > > > >  }
> > > > > > > > > 
> > > > > > > > > remote 5.6.7.8 {
> > > > > > > > > 
> > > > > > > > >  exchange_mode main,base ;
> > > > > > > > >  lifetime time 12 hour ;
> > > > > > > > >  
> > > > > > > > >  proposal {
> > > > > > > > >  
> > > > > > > > >   encryption_algorithm 3des ;
> > > > > > > > >   hash_algorithm md5 ;
> > > > > > > > >   authentication_method pre_shared_key ;
> > > > > > > > >   dh_group 2 ;
> > > > > > > > >   
> > > > > > > > >   }
> > > > > > > > > 
> > > > > > > > > }
> > > > > > > > > 
> > > > > > > > > sainfo anonymous {
> > > > > > > > > 
> > > > > > > > > pfs_group 2 ;
> > > > > > > > > lifetime time 12 hour;
> > > > > > > > > encryption_algorithm 3des ;
> > > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > > compression_algorithm deflate ;
> > > > > > > > > 
> > > > > > > > > }
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > # cat /etc/setkey.conf
> > > > > > > > > 
> > > > > > > > > #!/sbin/setkey -f
> > > > > > > > > #flush SAD and SPD
> > > > > > > > > flush;
> > > > > > > > > spdflush;
> > > > > > > > > 
> > > > > > > > > #create polices from racoon
> > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > > > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > > > > > > > 
> > > > > > > > I assume this is a typo?  It should be:
> > > > > > > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > > > > > > >   
> > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > > > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > > > > > > > 
> > > > > > > > This should also no have a space before "/require;"
> > > > > > > > 
> > > > > > > > > # cat /etc/psk.txt
> > > > > > > > > #IPv4 Address
> > > > > > > > > 5.6.7.8 123456789
> > > > > > > > > 
> > > > > > > > > *Router B:*
> > > > > > > > > 
> > > > > > > > > # cat /etc/racoon.conf  path pre_shared_key "/etc/psk.txt"
> > > > > > > > > ;
> > > > > > > > > 
> > > > > > > > > listen {
> > > > > > > > > isakmp 5.6.7.8   ;
> > > > > > > > > 
> > > > > > > > >  strict_address ;
> > > > > > > > >  }
> > > > > > > > > 
> > > > > > > > > remote 1.2.3.4 {
> > > > > > > > > 
> > > > > > > > >  exchange_mode main,base ;
> > > > > > > > > 
> > > > > > > > > lifetime time 12 hour ;
> > > > > > > > > 
> > > > > > > > >  proposal {
> > > > > > > > >  
> > > > > > > > >   encryption_algorithm 3des ;
> > > > > > > > >  
> > > > > > > > >  hash_algorithm md5 ;
> > > > > > > > >  authentication_method pre_shared_key ;
> > > > > > > > > 
> > > > > > > > > dh_group 2 ;
> > > > > > > > > 
> > > > > > > > >   }
> > > > > > > > >  
> > > > > > > > >  }
> > > > > > > > > 
> > > > > > > > > sainfo anonymous {
> > > > > > > > > 
> > > > > > > > > pfs_group 2 ;
> > > > > > > > > lifetime time 12 hour;
> > > > > > > > > 
> > > > > > > > >  encryption_algorithm 3des ;
> > > > > > > > > 
> > > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > > compression_algorithm deflate ;
> > > > > > > > > 
> > > > > > > > > }
> > > > > > > > > 
> > > > > > > > > # cat /etc/setkey.conf
> > > > > > > > > #!/sbin/setkey -f
> > > > > > > > > #flush SAD and SPD
> > > > > > > > > 
> > > > > > > > > flush;
> > > > > > > > > spdflush;
> > > > > > > > > 
> > > > > > > > > #create polices from racoon
> > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > > > > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > > > > > > > 
> > > > > > > > Same as I commented above.
> > > > > > > > 
> > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > > > > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > > > > > > > 
> > > > > > > > Same as I commented above.
> > > > > > > > 
> > > > > > > > > # cat /etc/psk.txt
> > > > > > > > > #IPv4 Address
> > > > > > > > > 1.2.3.4 123456789
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Router A Lan
> > > > > > > > > 
> > > > > > > > >                                   Router B Lan
> > > > 
> > > > 192.168.1.0/24
> > > > 
> > > > > > > > > 192.168.8.0/24
> > > > > > > > > Gateway:
> > > > > > > > > 192.168.1.254
> > > > > > > > > Gateway:192.168.8.254
> > > > > > > > > 
> > > > > > > > >       |_|_|_|______*Router A
> > 
> > 1..2.3.4>>>>>internet<<<<<5.6.7.8
> > 
> > > > > > > > >       |Router B*
> > > > > > > > > 
> > > > > > > > > ______|_|_|_|
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > I can ping 192.168.1.254 gateway from 192.168.8.100  and
> > > > 
> > > > similarly
> > > > 
> > > > > > from
> > > > > > 
> > > > > > > > > other side LAN network PC.
> > > > > > > > > 
> > > > > > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and
> > > > > > > > > similarly from
> > > > > > 
> > > > > > other
> > > > > > 
> > > > > > > > > side.
> > > > > > > > > 
> > > > > > > > > I can open router management server web page  from LAN PC
> > > > > > > > > at
> > > > 
> > > > other
> > > > 
> > > > > > LAN
> > > > > > 
> > > > > > > > > network.
> > > > > > > > > 
> > > > > > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and
> > 
> > reverse
> > 
> > > > > > > > > way. only LAN gateways are reachable.
> > > > > > > > 
> > > > > > > > This statement contradicts the previous regarding what you
> > > > > > > > can ping and what
> > > > > > > > not.  I assume that you cannot ping 192.168.8.100 from
> > > > 
> > > > 192.168.1.100?
> > > > 
> > > > > > > > > where as whole LAN should be reachable from other LAN.
> > > > > > > > > 
> > > > > > > > > am I missing some setting ?
> > > > > > > > 
> > > > > > > > Check that Router B has been set up to allow ip forwarding;
> > 
> > e.g.
> > 
> > > > > > > > sysclt -a | grep eth0.forwarding
> > > > > > > > 
> > > > > > > > net.ipv4.conf.eth0.forwarding = 1
> > > > > > > > 
> > > > > > > > 
> > > > > > > > also check that the firewall on Router B is similarly allowed
> > 
> > to
> > 
> > > > > > forward
> > > > > > 
> > > > > > > > packets.
> > > > > > > > 
> > > > > > > > If not adjust accordingly.
> > > > > > > > 
> > > > > > > > --
> > > > > > > > Regards,
> > > > > > > > Mick
> > > > > > 
> > > > > > --
> > > > > > Regards,
> > > > > > Mick
> > > > 
> > > > --
> > > > Regards,
> > > > Mick
> > 
> > --
> > Regards,
> > Mick

-- 
Regards,
Mick

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: JALINDAR <jal...@gm...> - 2015-05-04 08:28:15

Hi Mick,

Thanks for your replay.

I did try adding forward policy in setkey but setkey output:

the result of line 14: File exists.

which is discussed here :

http://sourceforge.net/p/ipsec-tools/mailman/message/7608694/

but this did not give solution to absent forwarding policy in kernel.

Finally I get into the setkey source code, inside ipsec-tools and got that
setkey check for HAVE_POLICY_FWD pre processor flag to include some
forwarding policy source code.

Below Link for openwrt cross compilation completely in line with what I am
doing, cross
compiling setkey, and setkey do not find HAVE_POLICY_FWD flag and do not
include forwarding source
code into setkey.

https://dev.openwrt.org/ticket/14141


so solution mentioned here should help me in getting forwarding policy
into linux kernel and get tunnel working.

I am just copying the link above here in case that link goes dead in future
and people may need to hunt again to get solution.


****************************

Since ipsec-tools supports {Net,Free}BSD as well as Linux, and *BSD does
not define IPSEC_DIR_FWD, it attempts to detect via the configure script
the presence of IPSEC_DIR_FWD. The test is defined in configure.ac as:

AC_MSG_CHECKING(whether we support FWD policy)
case $host in

 *linux*)

 AC_TRY_COMPILE([
#include <inttypes.h>
#include <linux/ipsec.h>

 ], [
int fwd = IPSEC_DIR_FWD;
],
[AC_MSG_RESULT(yes)

 AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],

 [AC_MSG_RESULT(no)])

 ;;

 *)

 AC_MSG_RESULT(no)
;;

 esac

In the current build environment, this test fails to compile, leading
configure to erroneously detect the lack of IPSEC_DIR_FWD. The resulting
setkey binary thus doesn't create "fwd" policies in the kernel, and the
kernel won't route traffic over ipsec tunnels.

Unconditionally enabling support for IPSEC_DIR_FWD fixes the problem. I did
this by replacing the above conditional with
AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])
in configure.ac. This isn't an appropriate permanent solution, but since
(AFAIK) OpenWRT doesn't support non-Linux kernels, it may be a reasonable
workaround.
 I'll attach the relevant bits from config.log showing this problem. It
looks like an issue with include paths, but I'm not sure what the right fix
would be.

***************************

I need to recompile everything and test with my setup but now hopes are
high that I got the issue exactly where it is.

This is just a log kind to help myself and others who get the similar bug
or still have some other good solution than above.



Best Regards
Jalindar




On Fri, May 1, 2015 at 2:16 PM, Mick <mic...@gm...> wrote:

> I see, you *have* to use 2.6.21 then.  :-(
>
> The URL you provided is correct, the IPSec keying daemon is supposed to
> create
> the forward policy.  There was an old bug in racoon where this policy would
> not be created:
>
>  https://bugzilla.redhat.com/show_bug.cgi?id=150179
>
> However, ipsec-tools 0.6.6 does not have this bug and should be creating
> the
> fwd policy.
>
> I can't recall if you tried to add fwd to your setkey policies manually?
> Can
> you please try this and check to see if the fwd policy is created?
>
> With regards to what is required in the kernel, check that these modules
> listed here are loaded:
>
>  http://www.ipsec-howto.org/x304.html
>
> Also check that NAT is enabled in the kernel.
>
>
> On Thursday 30 Apr 2015 11:21:47 you wrote:
> > Hi Mick,
> >
> > Reason to use 2.6.21 is that, this SDK only support 2.6.21 and it will be
> > very big task to  upgrade its kernel to latest one 3.2.x
> >
> > As I know 2.6.21 is also quite stable for IPSec function using
> ipsec-tools.
> > I used ipsec-tools 0.6.6 as it is stable for the ipsec tunnel function as
> > per
> > discussion on different forums with 2.6.21 kernel version otherwise I
> would
> > have used latest 0.8.2 ipsec-tools version.
> >
> > My SDK Linux kernel 2.6.21 netfilter module seems incomplete so I am now
> > using Ubuntu 12.04 as ipsec-tools server
> > to find issue and my test shows forwarding policy in Ubuntu and I can
> ping
> > LAN PC from router which was not
> > possible with two router so missing forwarding policy is the issue.
> >
> >
> > How to bring this forwarding policy ?
> > through kernel patch or is it ipsec-tools compile issue ?
> >
> > Like this discussion talks about such forwarding policy and
> > someone is saying ipsec-tool , racoon suppose to add this forwarding
> policy
> > to the kernel.
> >
> >
> http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-nee
> > ded-for-a-ipsec-tunnel
> >
> >
> > is that correct ?
> >
> > But this ipsec-tools 0.6.6 version already suppose to add forwarding
> policy
> > to kernel.
> >
> > is that case that racoon try to add but kernel has no support ??
> >
> > or
> >
> > ipsec-tools has configured without such option while configuring ??
> >
> > But setting forward policy function must be in ipesc-tools and should not
> > be  configurable.
> >
> > Now my task is to bring this forwarding policy anyway either patching or
> > reconfiguring Linux kernel 2.6.21
> > or patching or reconfiguration ipsec-tools 0.6.6.
> >
> > what do you think ?
> >
> > I read about netfilter types full cone, restricted cone, port restricted
> > cone..
> > will that be any issue ??
> >
> >
> > Thanks
> > Jalindar
> >
> > On Fri, Apr 24, 2015 at 4:59 AM, Mick <mic...@gm...> wrote:
> > > Hi Jalindar,
> > >
> > > Unless there is some specific reason which you have not shared, I
> > > recommend that you install more recent kernel and ipsec-tools versions
> > > and try again. Otherwise, you will wasting a lot of effort to fix
> > > problems that the later versions do not have.
> > >
> > > Specific comments included within your message below.
> > >
> > > On Wednesday 22 Apr 2015 08:05:01 JALINDAR wrote:
> > > > Hi Mick,
> > > >
> > > > Yes , I was suspecting regarding setkey policy setting. My check
> using
> > > > #setkey -DP find no forwarding policy.
> > > > But I think forwarding policy should be there,am I right ?
> > >
> > > Yes, it should.  If it doesn't then you should assume that your system
> is
> > > not
> > > working as intended.
> > >
> > > > At Router A :
> > > >
> > > > WAN INTERFACE :  192.168.3.11
> > > > WAN GATEWAY   :  192.168.3.10
> > > >
> > > > LAN    N/W ADDRESS : 192.168.1.0/24
> > > > LAN GATEWAY           : 192.168.1.254
> > > >
> > > > ##without racoon running
> > >
> > > Are you sure?  Without racoon running there should no policies present,
> > > unless
> > > they are some stale ones hanging around?
> > >
> > > > # setkey -DP
> > > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D>
> > > > 192.168.1.0/24[any]
> > >
> > > <http://192.168.1.0/24%5Bany%5D> any
> > >
> > > >         in prio def ipsec
> > > >         esp/tunnel/192.168.2.11-192.168.3.11/require
> > > >         created: Jan  1 00:35:55 2000  lastused:
> > > >         lifetime: 0(s) validtime: 0(s)
> > > >         spid=40 seq=1 pid=1948
> > > >         refcnt=1
> > > >
> > > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D>
> > > > 192.168.8.0/24[any]
> > >
> > > <http://192.168.8.0/24%5Bany%5D> any
> > >
> > > >         out prio def ipsec
> > > >         esp/tunnel/192.168.3.11-192.168.2.11/require
> > > >         created: Jan  1 00:35:55 2000  lastused:
> > > >         lifetime: 0(s) validtime: 0(s)
> > > >         spid=33 seq=0 pid=1948
> > > >         refcnt=1
> > > >
> > > > ##with racoon running
> > > >
> > > > # setkey -DP
> > > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D>
> > > > 192.168.1.0/24[any]
> > >
> > > <http://192.168.1.0/24%5Bany%5D> any
> > >
> > > >         in prio def ipsec
> > > >         esp/tunnel/192.168.2.11-192.168.3.11/require
> > > >         created: Jan  1 00:35:55 2000  lastused:
> > > >         lifetime: 0(s) validtime: 0(s)
> > > >         spid=40 seq=1 pid=2522
> > > >         refcnt=1
> > > >
> > > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D>
> > > > 192.168.8.0/24[any]
> > >
> > > <http://192.168.8.0/24%5Bany%5D> any
> > >
> > > >         out prio def ipsec
> > > >         esp/tunnel/192.168.3.11-192.168.2.11/require
> > > >         created: Jan  1 00:35:55 2000  lastused:
> > > >         lifetime: 0(s) validtime: 0(s)
> > > >         spid=33 seq=2 pid=2522
> > > >         refcnt=1
> > > >
> > > > (per-socket policy)
> > > >
> > > >         in none
> > > >         created: Jan  1 00:37:16 2000  lastused:
> > > >         lifetime: 0(s) validtime: 0(s)
> > > >         spid=51 seq=3 pid=2522
> > > >         refcnt=1
> > > >
> > > > (per-socket policy)
> > > >
> > > >         out none
> > > >         created: Jan  1 00:37:16 2000  lastused:
> > > >         lifetime: 0(s) validtime: 0(s)
> > > >         spid=60 seq=0 pid=2522
> > > >         refcnt=1
> > >
> > > You should definitely have a fwd SA present in there.  Your system is
> not
> > > working as it should.
> > >
> > > > For /etc/setkey.conf file below:
> > > >
> > > > # cat /etc/setkey.conf
> > > >
> > > > #!/sbin/setkey -f
> > > >
> > > > #flush SAD and SPD
> > > >
> > > > flush;
> > > >
> > > > spdflush;
> > > >
> > > >
> > > >
> > > > #create polices from racoon
> > > >
> > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > >
> > > > esp/tunnel/192.168.3.11-192.168.2.11/require;
> > >
> > > Put each directive on a single line;  i.e.
> > >
> > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec \
> > > esp/tunnel/192.168.3.11-192.168.2.11/require;
> > >
> > > (Where "\" indicates a line break to stop my mail client messing up the
> > > line
> > > wrapping around.  You should have both lines above on a single line in
> > > the configuration file.)
> > >
> > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > >
> > > > esp/tunnel/192.168.2.11-192.168.3.11/require;
> > > >
> > > > *I test using adding :*
> > > >
> > > > *spdadd 192.168.8.0/24 <http://192.168.8.0/24> 192.168.1.0/24
> > > > <http://192.168.1.0/24> any -P fwd ipsec*
> > > >
> > > > *esp/tunnel/192.168.2.11-192.168.3.11/require;*
> > > >
> > > > output of #setkey -f /etc/setkey.conf with forward policy is
> > > >
> > > > The result of line 14: File exists.
> > > >
> > > > this line 14 is second line of the forward policy added
> > > >
> > > >  But some documents like this one:
> > > > http://www.ipsec-howto.org/x304.html
> > > >
> > > > says :
> > > >
> > > > *Attention: When using the Linux kernel >= 2.6.10 you also have to
> > > > define the forward policy if packets need to be fowarded by the box.
> > > > Just make sure you use the ipsec-tools 0.5 which add this policy
> > > > automatically or
> > >
> > > add
> > >
> > > > it yourself if using older tools. If you are running setkey in
> > >
> > > Kernel-mode
> > >
> > > > (-k) you have to add the fwd-policy manually, too.*
> > >
> > > This page was written 10 years ago.  To save your time and effort I
> would
> > > strongly recommend that you install a recent kernel and a more up to
> date
> > > version of ipsec-tools.
> > >
> > > I run ipsec-tools-0.8.2 on a 3.18.11 kernel and I do not have such
> > > problems.
> > >
> > > > As I am using ipsec-tools 0.6.6 , I expect no need to include this
> > > > forward policy in setkey.
> > >
> > > Correct.  It should be created by your system when you ping the remote
> > > host and SAs are created, but it isn't being created, which indicates
> > > that your system is not working as it should.
> > >
> > > > but it is missing in #setkey -DP
> > > >
> > > > Anything wrong with setkey settings ??
> > >
> > > I can't see anything wrong with your settings.  The problem is with
> your
> > > kernel and potentially with the version of ipsec-tools.  Run the most
> > > recent
> > > version your distribution offers.
> > >
> > > > My packet scan is going on and I found ping from LAN PC goes to other
> > > > router(ESP packet) if
> > > >
> > > > I add:
> > > >
> > > > *#iptables -t NAT -I POSTROUTING --dst 192.168.8.0/24
> > > > <http://192.168.8.0/24> -j SNAT --to-source 192.168.1.254*
> > > >
> > > > in router with 192.168.1.254 LAN gateway and remote LAN address
> > > > 192.168.8.0/24 .
> > > >
> > > > that make me specious of my net-filter broken or not complete needed
> > > > for IPSec.
> > > >
> > > > is that correct ?
> > >
> > > You shouldn't need iptables to forward packets within the router's own
> > > subnet.
> > >
> > > > What is left is to check that:
> > > >
> > > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs
> > > > behind it.
> > > >
> > > > >>ICMP packet goes to remote router from LAN PC but remote router do
> > > > >>not
> > > >
> > > > forward it to LAN
> > > > I can see ESP packet both direction but at LAN PC no ICMP response
> > >
> > > received
> > >
> > > > to request.
> > > >
> > > > How can I fix it ? is it router problem or IPSec or net-filter ?
> > > >
> > > > 2. That ICMP packets are received by the PCs in the remote LAN and
> > > > responded to.  These PCs may be have been configured to only respond
> to
> > > > ICMP requests from IP addresses in their own local subnet, or not
> > > > respond to ICMP packets at
> > > > all.
> > > >
> > > > >>ICMP packet is received by remote router but it do not forward it
> to
> > >
> > > LAN
> > >
> > > > PC.
> > > >
> > > > Thanks
> > > > Jalindar
> > > >
> > > > On Wed, Apr 22, 2015 at 3:08 AM, Mick <mic...@gm...>
> wrote:
> > > > > Yes, racoon and IPSec work fine, since you can establish a tunnel
> > >
> > > between
> > >
> > > > > the
> > > > > two peers.
> > > > >
> > > > > You can check that the ESP tunnel is configured correctly to
> connect
> > >
> > > the
> > >
> > > > > two
> > > > >
> > > > > LANs by studying the output of:
> > > > >  setkey -DP
> > > > >
> > > > > This should show SAs created for in/out/fwd.
> > > > >
> > > > > Also check the output of your syslog.
> > > > >
> > > > > Then from my previous suggestion you have checked that the kernel
> is
> > > > > configured to forward packets, according to sysctl.
> > > > >
> > > > > What is left is to check that:
> > > > >
> > > > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs
> > >
> > > behind
> > >
> > > > > it.
> > > > >
> > > > > 2. That ICMP packets are received by the PCs in the remote LAN and
> > > > > responded
> > > > > to.  These PCs may be have been configured to only respond to ICMP
> > > > > requests from IP addresses in their own local subnet, or not
> respond
> > > > > to ICMP packets at
> > > > > all.
> > > > >
> > > > > Have you performed these checks and what have you found out?
> > > > >
> > > > > Kernel version 2.6.21 is rather old, like 8 years old!  You should
> > >
> > > update
> > >
> > > > > this
> > > > > to a more recent kernel regardless, although I suspect that it is
> not
> > > > > related
> > > > > to your problem.
> > > > >
> > > > > On Tuesday 21 Apr 2015 12:17:00 you wrote:
> > > > > > Hi Mick,
> > > > > >
> > > > > > Ok that help me to tab the issue but I would like to divide this
> > >
> > > issue
> > >
> > > > > into
> > > > >
> > > > > > three,  for fixing it:
> > > > > >
> > > > > > 1.* raccon:* As IKE is working all ok and IPSec is set to kernel,
> > > > > > it
> > > > >
> > > > > should
> > > > >
> > > > > > not have any issue.
> > > > > > and anyway its role is to keyexchange and not much into actual
> > > > > > IPSec
> > >
> > > ,
> > >
> > > > > > which kernel has to do.
> > > > > >
> > > > > > 2. *setkey :* SPD setting should be ok
> > > > > >
> > > > > > 3. *linux Kernel: *IPSec setting of kernel should not be ok.
> > > > > >
> > > > > > from my conclusion , it seems like I have something either
> missing
> > > > > > or in error inside Linux kernel.
> > > > > > As I know IPSec do not need any special routing to work.
> > > > > >
> > > > > > Is my conclusion is correct ?
> > > > > >
> > > > > > if yes then is there any document which says what detailed kernel
> > > > > > modules needed for IPSec.
> > > > > > like in netfilter mangle table needed ??
> > > > > >
> > > > > > I am using linux kernel 2.6.21.x
> > > > > >
> > > > > >
> > > > > > Thanks
> > > > > > Jalindar
> > > > > >
> > > > > > On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...
> >
> > >
> > > wrote:
> > > > > > > On Thursday 09 Apr 2015 10:03:19 you wrote:
> > > > > > > > Hi Mick,
> > > > > > > >
> > > > > > > > I tried your suggestion but result is same.
> > > > > > > >
> > > > > > > > If there was setting issue then IPSec would not have worked
> at
> > >
> > > all.
> > >
> > > > > > > Not necessarily, it could work partially.  You could be
> > >
> > > communicating
> > >
> > > > > > > with the
> > > > > > > gateway, but getting no further than that because the router
> does
> > >
> > > not
> > >
> > > > > > > forward
> > > > > > > packets to the subnet behind it.
> > > > > > >
> > > > > > > >  But it works. IPSec set to kernel. Lan devices can ping
> other
> > >
> > > Lan
> > >
> > > > > > > gateway,
> > > > > > >
> > > > > > > >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But
> > >
> > > router
> > >
> > > > > > > >  or LAN
> > > > > > > >
> > > > > > > > PC can not ping to other LAN PC.
> > > > > > >
> > > > > > > I understand.  You could check that ICMP packets actually leave
> > > > > > > the router towards the LAN PCs behind it; i.e. that the router
> > >
> > > processes
> > >
> > > > > and
> > > > >
> > > > > > > forwards incoming packets to PCs within its own LAN.  You can
> use
> > > > > > > tcpdump or wireshark
> > > > > > > for this.  You can also check if the LAN PCs receive these ICMP
> > > > > > > packets and not respond to them, or if they do not receive them
> > > > > > > at all.
> > > > > > >
> > > > > > > > On Thu, Apr 9, 2015 at 2:03 PM, Mick
> > > > > > > > <mic...@gm...>
> > > > >
> > > > > wrote:
> > > > > > > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > > > > > > > Hi All,
> > > > > > > > > >
> > > > > > > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to
> > >
> > > connect
> > >
> > > > > two
> > > > >
> > > > > > > LAN.
> > > > > > >
> > > > > > > > > > LAN A and B.
> > > > > > > > > >
> > > > > > > > > > Check the diagram for more details.
> > > > > > > > > > My setting are as below.
> > > > > > > > > > *Router A:*
> > > > > > > > > >
> > > > > > > > > > # cat /etc/racoon.conf
> > > > > > > > > >
> > > > > > > > > > path pre_shared_key "/etc/psk.txt" ;
> > > > > > > > > >
> > > > > > > > > > listen {
> > > > > > > > > > isakmp 1.2.3.4   ;
> > > > > > > > > > strict_address ;
> > > > > > > > > >
> > > > > > > > > >  }
> > > > > > > > > >
> > > > > > > > > > remote 5.6.7.8 {
> > > > > > > > > >
> > > > > > > > > >  exchange_mode main,base ;
> > > > > > > > > >  lifetime time 12 hour ;
> > > > > > > > > >
> > > > > > > > > >  proposal {
> > > > > > > > > >
> > > > > > > > > >   encryption_algorithm 3des ;
> > > > > > > > > >   hash_algorithm md5 ;
> > > > > > > > > >   authentication_method pre_shared_key ;
> > > > > > > > > >   dh_group 2 ;
> > > > > > > > > >
> > > > > > > > > >   }
> > > > > > > > > >
> > > > > > > > > > }
> > > > > > > > > >
> > > > > > > > > > sainfo anonymous {
> > > > > > > > > >
> > > > > > > > > > pfs_group 2 ;
> > > > > > > > > > lifetime time 12 hour;
> > > > > > > > > > encryption_algorithm 3des ;
> > > > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > > > compression_algorithm deflate ;
> > > > > > > > > >
> > > > > > > > > > }
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > # cat /etc/setkey.conf
> > > > > > > > > >
> > > > > > > > > > #!/sbin/setkey -f
> > > > > > > > > > #flush SAD and SPD
> > > > > > > > > > flush;
> > > > > > > > > > spdflush;
> > > > > > > > > >
> > > > > > > > > > #create polices from racoon
> > > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > > > > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > > > > > > > >
> > > > > > > > > I assume this is a typo?  It should be:
> > > > > > > > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > > > > > > > >
> > > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > > > > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > > > > > > > >
> > > > > > > > > This should also no have a space before "/require;"
> > > > > > > > >
> > > > > > > > > > # cat /etc/psk.txt
> > > > > > > > > > #IPv4 Address
> > > > > > > > > > 5.6.7.8 123456789
> > > > > > > > > >
> > > > > > > > > > *Router B:*
> > > > > > > > > >
> > > > > > > > > > # cat /etc/racoon.conf  path pre_shared_key
> "/etc/psk.txt"
> > > > > > > > > > ;
> > > > > > > > > >
> > > > > > > > > > listen {
> > > > > > > > > > isakmp 5.6.7.8   ;
> > > > > > > > > >
> > > > > > > > > >  strict_address ;
> > > > > > > > > >  }
> > > > > > > > > >
> > > > > > > > > > remote 1.2.3.4 {
> > > > > > > > > >
> > > > > > > > > >  exchange_mode main,base ;
> > > > > > > > > >
> > > > > > > > > > lifetime time 12 hour ;
> > > > > > > > > >
> > > > > > > > > >  proposal {
> > > > > > > > > >
> > > > > > > > > >   encryption_algorithm 3des ;
> > > > > > > > > >
> > > > > > > > > >  hash_algorithm md5 ;
> > > > > > > > > >  authentication_method pre_shared_key ;
> > > > > > > > > >
> > > > > > > > > > dh_group 2 ;
> > > > > > > > > >
> > > > > > > > > >   }
> > > > > > > > > >
> > > > > > > > > >  }
> > > > > > > > > >
> > > > > > > > > > sainfo anonymous {
> > > > > > > > > >
> > > > > > > > > > pfs_group 2 ;
> > > > > > > > > > lifetime time 12 hour;
> > > > > > > > > >
> > > > > > > > > >  encryption_algorithm 3des ;
> > > > > > > > > >
> > > > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > > > compression_algorithm deflate ;
> > > > > > > > > >
> > > > > > > > > > }
> > > > > > > > > >
> > > > > > > > > > # cat /etc/setkey.conf
> > > > > > > > > > #!/sbin/setkey -f
> > > > > > > > > > #flush SAD and SPD
> > > > > > > > > >
> > > > > > > > > > flush;
> > > > > > > > > > spdflush;
> > > > > > > > > >
> > > > > > > > > > #create polices from racoon
> > > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > > > > > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > > > > > > > >
> > > > > > > > > Same as I commented above.
> > > > > > > > >
> > > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > > > > > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > > > > > > > >
> > > > > > > > > Same as I commented above.
> > > > > > > > >
> > > > > > > > > > # cat /etc/psk.txt
> > > > > > > > > > #IPv4 Address
> > > > > > > > > > 1.2.3.4 123456789
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Router A Lan
> > > > > > > > > >
> > > > > > > > > >                                   Router B Lan
> > > > >
> > > > > 192.168.1.0/24
> > > > >
> > > > > > > > > > 192.168.8.0/24
> > > > > > > > > > Gateway:
> > > > > > > > > > 192.168.1.254
> > > > > > > > > > Gateway:192.168.8.254
> > > > > > > > > >
> > > > > > > > > >       |_|_|_|______*Router A
> > >
> > > 1..2.3.4>>>>>internet<<<<<5.6.7.8
> > >
> > > > > > > > > >       |Router B*
> > > > > > > > > >
> > > > > > > > > > ______|_|_|_|
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I can ping 192.168.1.254 gateway from 192.168.8.100  and
> > > > >
> > > > > similarly
> > > > >
> > > > > > > from
> > > > > > >
> > > > > > > > > > other side LAN network PC.
> > > > > > > > > >
> > > > > > > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and
> > > > > > > > > > similarly from
> > > > > > >
> > > > > > > other
> > > > > > >
> > > > > > > > > > side.
> > > > > > > > > >
> > > > > > > > > > I can open router management server web page  from LAN PC
> > > > > > > > > > at
> > > > >
> > > > > other
> > > > >
> > > > > > > LAN
> > > > > > >
> > > > > > > > > > network.
> > > > > > > > > >
> > > > > > > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and
> > >
> > > reverse
> > >
> > > > > > > > > > way. only LAN gateways are reachable.
> > > > > > > > >
> > > > > > > > > This statement contradicts the previous regarding what you
> > > > > > > > > can ping and what
> > > > > > > > > not.  I assume that you cannot ping 192.168.8.100 from
> > > > >
> > > > > 192.168.1.100?
> > > > >
> > > > > > > > > > where as whole LAN should be reachable from other LAN.
> > > > > > > > > >
> > > > > > > > > > am I missing some setting ?
> > > > > > > > >
> > > > > > > > > Check that Router B has been set up to allow ip forwarding;
> > >
> > > e.g.
> > >
> > > > > > > > > sysclt -a | grep eth0.forwarding
> > > > > > > > >
> > > > > > > > > net.ipv4.conf.eth0.forwarding = 1
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > also check that the firewall on Router B is similarly
> allowed
> > >
> > > to
> > >
> > > > > > > forward
> > > > > > >
> > > > > > > > > packets.
> > > > > > > > >
> > > > > > > > > If not adjust accordingly.
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Regards,
> > > > > > > > > Mick
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > > Mick
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Mick
> > >
> > > --
> > > Regards,
> > > Mick
>
> --
> Regards,
> Mick
>

Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21

From: Mick <mic...@gm...> - 2015-05-04 09:56:07

Attachments: signature.asc

Glad you got it working, but wouldn't be easier to install a more recent 
version of ipsec-tools so that setkey's configure.ac is correct without having 
to patch and recompile it manually?


On Monday 04 May 2015 09:27:25 you wrote:
> Hi Mick,
> 
> Thanks for your replay.
> 
> I did try adding forward policy in setkey but setkey output:
> 
> the result of line 14: File exists.
> 
> which is discussed here :
> 
> http://sourceforge.net/p/ipsec-tools/mailman/message/7608694/
> 
> but this did not give solution to absent forwarding policy in kernel.
> 
> Finally I get into the setkey source code, inside ipsec-tools and got that
> setkey check for HAVE_POLICY_FWD pre processor flag to include some
> forwarding policy source code.
> 
> Below Link for openwrt cross compilation completely in line with what I am
> doing, cross
> compiling setkey, and setkey do not find HAVE_POLICY_FWD flag and do not
> include forwarding source
> code into setkey.
> 
> https://dev.openwrt.org/ticket/14141
> 
> 
> so solution mentioned here should help me in getting forwarding policy
> into linux kernel and get tunnel working.
> 
> I am just copying the link above here in case that link goes dead in future
> and people may need to hunt again to get solution.
> 
> 
> ****************************
> 
> Since ipsec-tools supports {Net,Free}BSD as well as Linux, and *BSD does
> not define IPSEC_DIR_FWD, it attempts to detect via the configure script
> the presence of IPSEC_DIR_FWD. The test is defined in configure.ac as:
> 
> AC_MSG_CHECKING(whether we support FWD policy)
> case $host in
> 
>  *linux*)
> 
>  AC_TRY_COMPILE([
> #include <inttypes.h>
> #include <linux/ipsec.h>
> 
>  ], [
> int fwd = IPSEC_DIR_FWD;
> ],
> [AC_MSG_RESULT(yes)
> 
>  AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
> 
>  [AC_MSG_RESULT(no)])
> 
>  ;;
> 
>  *)
> 
>  AC_MSG_RESULT(no)
> ;;
> 
>  esac
> 
> In the current build environment, this test fails to compile, leading
> configure to erroneously detect the lack of IPSEC_DIR_FWD. The resulting
> setkey binary thus doesn't create "fwd" policies in the kernel, and the
> kernel won't route traffic over ipsec tunnels.
> 
> Unconditionally enabling support for IPSEC_DIR_FWD fixes the problem. I did
> this by replacing the above conditional with
> AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])
> in configure.ac. This isn't an appropriate permanent solution, but since
> (AFAIK) OpenWRT doesn't support non-Linux kernels, it may be a reasonable
> workaround.
>  I'll attach the relevant bits from config.log showing this problem. It
> looks like an issue with include paths, but I'm not sure what the right fix
> would be.
> 
> ***************************
> 
> I need to recompile everything and test with my setup but now hopes are
> high that I got the issue exactly where it is.
> 
> This is just a log kind to help myself and others who get the similar bug
> or still have some other good solution than above.
> 
> 
> 
> Best Regards
> Jalindar
> 
> On Fri, May 1, 2015 at 2:16 PM, Mick <mic...@gm...> wrote:
> > I see, you *have* to use 2.6.21 then.  :-(
> > 
> > The URL you provided is correct, the IPSec keying daemon is supposed to
> > create
> > the forward policy.  There was an old bug in racoon where this policy
> > would
> > 
> > not be created:
> >  https://bugzilla.redhat.com/show_bug.cgi?id=150179
> > 
> > However, ipsec-tools 0.6.6 does not have this bug and should be creating
> > the
> > fwd policy.
> > 
> > I can't recall if you tried to add fwd to your setkey policies manually?
> > Can
> > you please try this and check to see if the fwd policy is created?
> > 
> > With regards to what is required in the kernel, check that these modules
> > 
> > listed here are loaded:
> >  http://www.ipsec-howto.org/x304.html
> > 
> > Also check that NAT is enabled in the kernel.
> > 
> > On Thursday 30 Apr 2015 11:21:47 you wrote:
> > > Hi Mick,
> > > 
> > > Reason to use 2.6.21 is that, this SDK only support 2.6.21 and it will
> > > be very big task to  upgrade its kernel to latest one 3.2.x
> > > 
> > > As I know 2.6.21 is also quite stable for IPSec function using
> > 
> > ipsec-tools.
> > 
> > > I used ipsec-tools 0.6.6 as it is stable for the ipsec tunnel function
> > > as per
> > > discussion on different forums with 2.6.21 kernel version otherwise I
> > 
> > would
> > 
> > > have used latest 0.8.2 ipsec-tools version.
> > > 
> > > My SDK Linux kernel 2.6.21 netfilter module seems incomplete so I am
> > > now using Ubuntu 12.04 as ipsec-tools server
> > > to find issue and my test shows forwarding policy in Ubuntu and I can
> > 
> > ping
> > 
> > > LAN PC from router which was not
> > > possible with two router so missing forwarding policy is the issue.
> > > 
> > > 
> > > How to bring this forwarding policy ?
> > > through kernel patch or is it ipsec-tools compile issue ?
> > > 
> > > Like this discussion talks about such forwarding policy and
> > > someone is saying ipsec-tool , racoon suppose to add this forwarding
> > 
> > policy
> > 
> > > to the kernel.
> > 
> > http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-n
> > ee
> > 
> > > ded-for-a-ipsec-tunnel
> > > 
> > > 
> > > is that correct ?
> > > 
> > > But this ipsec-tools 0.6.6 version already suppose to add forwarding
> > 
> > policy
> > 
> > > to kernel.
> > > 
> > > is that case that racoon try to add but kernel has no support ??
> > > 
> > > or
> > > 
> > > ipsec-tools has configured without such option while configuring ??
> > > 
> > > But setting forward policy function must be in ipesc-tools and should
> > > not be  configurable.
> > > 
> > > Now my task is to bring this forwarding policy anyway either patching
> > > or reconfiguring Linux kernel 2.6.21
> > > or patching or reconfiguration ipsec-tools 0.6.6.
> > > 
> > > what do you think ?
> > > 
> > > I read about netfilter types full cone, restricted cone, port
> > > restricted cone..
> > > will that be any issue ??
> > > 
> > > 
> > > Thanks
> > > Jalindar
> > > 
> > > On Fri, Apr 24, 2015 at 4:59 AM, Mick <mic...@gm...> wrote:
> > > > Hi Jalindar,
> > > > 
> > > > Unless there is some specific reason which you have not shared, I
> > > > recommend that you install more recent kernel and ipsec-tools
> > > > versions and try again. Otherwise, you will wasting a lot of effort
> > > > to fix problems that the later versions do not have.
> > > > 
> > > > Specific comments included within your message below.
> > > > 
> > > > On Wednesday 22 Apr 2015 08:05:01 JALINDAR wrote:
> > > > > Hi Mick,
> > > > > 
> > > > > Yes , I was suspecting regarding setkey policy setting. My check
> > 
> > using
> > 
> > > > > #setkey -DP find no forwarding policy.
> > > > > But I think forwarding policy should be there,am I right ?
> > > > 
> > > > Yes, it should.  If it doesn't then you should assume that your
> > > > system
> > 
> > is
> > 
> > > > not
> > > > working as intended.
> > > > 
> > > > > At Router A :
> > > > > 
> > > > > WAN INTERFACE :  192.168.3.11
> > > > > WAN GATEWAY   :  192.168.3.10
> > > > > 
> > > > > LAN    N/W ADDRESS : 192.168.1.0/24
> > > > > LAN GATEWAY           : 192.168.1.254
> > > > > 
> > > > > ##without racoon running
> > > > 
> > > > Are you sure?  Without racoon running there should no policies
> > > > present, unless
> > > > they are some stale ones hanging around?
> > > > 
> > > > > # setkey -DP
> > > > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D>
> > > > > 192.168.1.0/24[any]
> > > > 
> > > > <http://192.168.1.0/24%5Bany%5D> any
> > > > 
> > > > >         in prio def ipsec
> > > > >         esp/tunnel/192.168.2.11-192.168.3.11/require
> > > > >         created: Jan  1 00:35:55 2000  lastused:
> > > > >         lifetime: 0(s) validtime: 0(s)
> > > > >         spid=40 seq=1 pid=1948
> > > > >         refcnt=1
> > > > > 
> > > > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D>
> > > > > 192.168.8.0/24[any]
> > > > 
> > > > <http://192.168.8.0/24%5Bany%5D> any
> > > > 
> > > > >         out prio def ipsec
> > > > >         esp/tunnel/192.168.3.11-192.168.2.11/require
> > > > >         created: Jan  1 00:35:55 2000  lastused:
> > > > >         lifetime: 0(s) validtime: 0(s)
> > > > >         spid=33 seq=0 pid=1948
> > > > >         refcnt=1
> > > > > 
> > > > > ##with racoon running
> > > > > 
> > > > > # setkey -DP
> > > > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D>
> > > > > 192.168.1.0/24[any]
> > > > 
> > > > <http://192.168.1.0/24%5Bany%5D> any
> > > > 
> > > > >         in prio def ipsec
> > > > >         esp/tunnel/192.168.2.11-192.168.3.11/require
> > > > >         created: Jan  1 00:35:55 2000  lastused:
> > > > >         lifetime: 0(s) validtime: 0(s)
> > > > >         spid=40 seq=1 pid=2522
> > > > >         refcnt=1
> > > > > 
> > > > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D>
> > > > > 192.168.8.0/24[any]
> > > > 
> > > > <http://192.168.8.0/24%5Bany%5D> any
> > > > 
> > > > >         out prio def ipsec
> > > > >         esp/tunnel/192.168.3.11-192.168.2.11/require
> > > > >         created: Jan  1 00:35:55 2000  lastused:
> > > > >         lifetime: 0(s) validtime: 0(s)
> > > > >         spid=33 seq=2 pid=2522
> > > > >         refcnt=1
> > > > > 
> > > > > (per-socket policy)
> > > > > 
> > > > >         in none
> > > > >         created: Jan  1 00:37:16 2000  lastused:
> > > > >         lifetime: 0(s) validtime: 0(s)
> > > > >         spid=51 seq=3 pid=2522
> > > > >         refcnt=1
> > > > > 
> > > > > (per-socket policy)
> > > > > 
> > > > >         out none
> > > > >         created: Jan  1 00:37:16 2000  lastused:
> > > > >         lifetime: 0(s) validtime: 0(s)
> > > > >         spid=60 seq=0 pid=2522
> > > > >         refcnt=1
> > > > 
> > > > You should definitely have a fwd SA present in there.  Your system is
> > 
> > not
> > 
> > > > working as it should.
> > > > 
> > > > > For /etc/setkey.conf file below:
> > > > > 
> > > > > # cat /etc/setkey.conf
> > > > > 
> > > > > #!/sbin/setkey -f
> > > > > 
> > > > > #flush SAD and SPD
> > > > > 
> > > > > flush;
> > > > > 
> > > > > spdflush;
> > > > > 
> > > > > 
> > > > > 
> > > > > #create polices from racoon
> > > > > 
> > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > 
> > > > > esp/tunnel/192.168.3.11-192.168.2.11/require;
> > > > 
> > > > Put each directive on a single line;  i.e.
> > > > 
> > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec \
> > > > esp/tunnel/192.168.3.11-192.168.2.11/require;
> > > > 
> > > > (Where "\" indicates a line break to stop my mail client messing up
> > > > the line
> > > > wrapping around.  You should have both lines above on a single line
> > > > in the configuration file.)
> > > > 
> > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > 
> > > > > esp/tunnel/192.168.2.11-192.168.3.11/require;
> > > > > 
> > > > > *I test using adding :*
> > > > > 
> > > > > *spdadd 192.168.8.0/24 <http://192.168.8.0/24> 192.168.1.0/24
> > > > > <http://192.168.1.0/24> any -P fwd ipsec*
> > > > > 
> > > > > *esp/tunnel/192.168.2.11-192.168.3.11/require;*
> > > > > 
> > > > > output of #setkey -f /etc/setkey.conf with forward policy is
> > > > > 
> > > > > The result of line 14: File exists.
> > > > > 
> > > > > this line 14 is second line of the forward policy added
> > > > > 
> > > > >  But some documents like this one:
> > > > > http://www.ipsec-howto.org/x304.html
> > > > > 
> > > > > says :
> > > > > 
> > > > > *Attention: When using the Linux kernel >= 2.6.10 you also have to
> > > > > define the forward policy if packets need to be fowarded by the
> > > > > box. Just make sure you use the ipsec-tools 0.5 which add this
> > > > > policy automatically or
> > > > 
> > > > add
> > > > 
> > > > > it yourself if using older tools. If you are running setkey in
> > > > 
> > > > Kernel-mode
> > > > 
> > > > > (-k) you have to add the fwd-policy manually, too.*
> > > > 
> > > > This page was written 10 years ago.  To save your time and effort I
> > 
> > would
> > 
> > > > strongly recommend that you install a recent kernel and a more up to
> > 
> > date
> > 
> > > > version of ipsec-tools.
> > > > 
> > > > I run ipsec-tools-0.8.2 on a 3.18.11 kernel and I do not have such
> > > > problems.
> > > > 
> > > > > As I am using ipsec-tools 0.6.6 , I expect no need to include this
> > > > > forward policy in setkey.
> > > > 
> > > > Correct.  It should be created by your system when you ping the
> > > > remote host and SAs are created, but it isn't being created, which
> > > > indicates that your system is not working as it should.
> > > > 
> > > > > but it is missing in #setkey -DP
> > > > > 
> > > > > Anything wrong with setkey settings ??
> > > > 
> > > > I can't see anything wrong with your settings.  The problem is with
> > 
> > your
> > 
> > > > kernel and potentially with the version of ipsec-tools.  Run the most
> > > > recent
> > > > version your distribution offers.
> > > > 
> > > > > My packet scan is going on and I found ping from LAN PC goes to
> > > > > other router(ESP packet) if
> > > > > 
> > > > > I add:
> > > > > 
> > > > > *#iptables -t NAT -I POSTROUTING --dst 192.168.8.0/24
> > > > > <http://192.168.8.0/24> -j SNAT --to-source 192.168.1.254*
> > > > > 
> > > > > in router with 192.168.1.254 LAN gateway and remote LAN address
> > > > > 192.168.8.0/24 .
> > > > > 
> > > > > that make me specious of my net-filter broken or not complete
> > > > > needed for IPSec.
> > > > > 
> > > > > is that correct ?
> > > > 
> > > > You shouldn't need iptables to forward packets within the router's
> > > > own subnet.
> > > > 
> > > > > What is left is to check that:
> > > > > 
> > > > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs
> > > > > behind it.
> > > > > 
> > > > > >>ICMP packet goes to remote router from LAN PC but remote router
> > > > > >>do not
> > > > > 
> > > > > forward it to LAN
> > > > > I can see ESP packet both direction but at LAN PC no ICMP response
> > > > 
> > > > received
> > > > 
> > > > > to request.
> > > > > 
> > > > > How can I fix it ? is it router problem or IPSec or net-filter ?
> > > > > 
> > > > > 2. That ICMP packets are received by the PCs in the remote LAN and
> > > > > responded to.  These PCs may be have been configured to only
> > > > > respond
> > 
> > to
> > 
> > > > > ICMP requests from IP addresses in their own local subnet, or not
> > > > > respond to ICMP packets at
> > > > > all.
> > > > > 
> > > > > >>ICMP packet is received by remote router but it do not forward it
> > 
> > to
> > 
> > > > LAN
> > > > 
> > > > > PC.
> > > > > 
> > > > > Thanks
> > > > > Jalindar
> > > > > 
> > > > > On Wed, Apr 22, 2015 at 3:08 AM, Mick <mic...@gm...>
> > 
> > wrote:
> > > > > > Yes, racoon and IPSec work fine, since you can establish a tunnel
> > > > 
> > > > between
> > > > 
> > > > > > the
> > > > > > two peers.
> > > > > > 
> > > > > > You can check that the ESP tunnel is configured correctly to
> > 
> > connect
> > 
> > > > the
> > > > 
> > > > > > two
> > > > > > 
> > > > > > LANs by studying the output of:
> > > > > >  setkey -DP
> > > > > > 
> > > > > > This should show SAs created for in/out/fwd.
> > > > > > 
> > > > > > Also check the output of your syslog.
> > > > > > 
> > > > > > Then from my previous suggestion you have checked that the kernel
> > 
> > is
> > 
> > > > > > configured to forward packets, according to sysctl.
> > > > > > 
> > > > > > What is left is to check that:
> > > > > > 
> > > > > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs
> > > > 
> > > > behind
> > > > 
> > > > > > it.
> > > > > > 
> > > > > > 2. That ICMP packets are received by the PCs in the remote LAN
> > > > > > and responded
> > > > > > to.  These PCs may be have been configured to only respond to
> > > > > > ICMP requests from IP addresses in their own local subnet, or
> > > > > > not
> > 
> > respond
> > 
> > > > > > to ICMP packets at
> > > > > > all.
> > > > > > 
> > > > > > Have you performed these checks and what have you found out?
> > > > > > 
> > > > > > Kernel version 2.6.21 is rather old, like 8 years old!  You
> > > > > > should
> > > > 
> > > > update
> > > > 
> > > > > > this
> > > > > > to a more recent kernel regardless, although I suspect that it is
> > 
> > not
> > 
> > > > > > related
> > > > > > to your problem.
> > > > > > 
> > > > > > On Tuesday 21 Apr 2015 12:17:00 you wrote:
> > > > > > > Hi Mick,
> > > > > > > 
> > > > > > > Ok that help me to tab the issue but I would like to divide
> > > > > > > this
> > > > 
> > > > issue
> > > > 
> > > > > > into
> > > > > > 
> > > > > > > three,  for fixing it:
> > > > > > > 
> > > > > > > 1.* raccon:* As IKE is working all ok and IPSec is set to
> > > > > > > kernel, it
> > > > > > 
> > > > > > should
> > > > > > 
> > > > > > > not have any issue.
> > > > > > > and anyway its role is to keyexchange and not much into actual
> > > > > > > IPSec
> > > > 
> > > > ,
> > > > 
> > > > > > > which kernel has to do.
> > > > > > > 
> > > > > > > 2. *setkey :* SPD setting should be ok
> > > > > > > 
> > > > > > > 3. *linux Kernel: *IPSec setting of kernel should not be ok.
> > > > > > > 
> > > > > > > from my conclusion , it seems like I have something either
> > 
> > missing
> > 
> > > > > > > or in error inside Linux kernel.
> > > > > > > As I know IPSec do not need any special routing to work.
> > > > > > > 
> > > > > > > Is my conclusion is correct ?
> > > > > > > 
> > > > > > > if yes then is there any document which says what detailed
> > > > > > > kernel modules needed for IPSec.
> > > > > > > like in netfilter mangle table needed ??
> > > > > > > 
> > > > > > > I am using linux kernel 2.6.21.x
> > > > > > > 
> > > > > > > 
> > > > > > > Thanks
> > > > > > > Jalindar
> > > > > > > 
> > > > > > > On Fri, Apr 10, 2015 at 3:50 AM, Mick
> > > > > > > <mic...@gm...
> > > > 
> > > > wrote:
> > > > > > > > On Thursday 09 Apr 2015 10:03:19 you wrote:
> > > > > > > > > Hi Mick,
> > > > > > > > > 
> > > > > > > > > I tried your suggestion but result is same.
> > > > > > > > > 
> > > > > > > > > If there was setting issue then IPSec would not have worked
> > 
> > at
> > 
> > > > all.
> > > > 
> > > > > > > > Not necessarily, it could work partially.  You could be
> > > > 
> > > > communicating
> > > > 
> > > > > > > > with the
> > > > > > > > gateway, but getting no further than that because the router
> > 
> > does
> > 
> > > > not
> > > > 
> > > > > > > > forward
> > > > > > > > packets to the subnet behind it.
> > > > > > > > 
> > > > > > > > >  But it works. IPSec set to kernel. Lan devices can ping
> > 
> > other
> > 
> > > > Lan
> > > > 
> > > > > > > > gateway,
> > > > > > > > 
> > > > > > > > >  like 192.168.8.100 can ping 192.168.1.254 and reverse. But
> > > > 
> > > > router
> > > > 
> > > > > > > > >  or LAN
> > > > > > > > > 
> > > > > > > > > PC can not ping to other LAN PC.
> > > > > > > > 
> > > > > > > > I understand.  You could check that ICMP packets actually
> > > > > > > > leave the router towards the LAN PCs behind it; i.e. that
> > > > > > > > the router
> > > > 
> > > > processes
> > > > 
> > > > > > and
> > > > > > 
> > > > > > > > forwards incoming packets to PCs within its own LAN.  You can
> > 
> > use
> > 
> > > > > > > > tcpdump or wireshark
> > > > > > > > for this.  You can also check if the LAN PCs receive these
> > > > > > > > ICMP packets and not respond to them, or if they do not
> > > > > > > > receive them at all.
> > > > > > > > 
> > > > > > > > > On Thu, Apr 9, 2015 at 2:03 PM, Mick
> > > > > > > > > <mic...@gm...>
> > > > > > 
> > > > > > wrote:
> > > > > > > > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote:
> > > > > > > > > > > Hi All,
> > > > > > > > > > > 
> > > > > > > > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to
> > > > 
> > > > connect
> > > > 
> > > > > > two
> > > > > > 
> > > > > > > > LAN.
> > > > > > > > 
> > > > > > > > > > > LAN A and B.
> > > > > > > > > > > 
> > > > > > > > > > > Check the diagram for more details.
> > > > > > > > > > > My setting are as below.
> > > > > > > > > > > *Router A:*
> > > > > > > > > > > 
> > > > > > > > > > > # cat /etc/racoon.conf
> > > > > > > > > > > 
> > > > > > > > > > > path pre_shared_key "/etc/psk.txt" ;
> > > > > > > > > > > 
> > > > > > > > > > > listen {
> > > > > > > > > > > isakmp 1.2.3.4   ;
> > > > > > > > > > > strict_address ;
> > > > > > > > > > > 
> > > > > > > > > > >  }
> > > > > > > > > > > 
> > > > > > > > > > > remote 5.6.7.8 {
> > > > > > > > > > > 
> > > > > > > > > > >  exchange_mode main,base ;
> > > > > > > > > > >  lifetime time 12 hour ;
> > > > > > > > > > >  
> > > > > > > > > > >  proposal {
> > > > > > > > > > >  
> > > > > > > > > > >   encryption_algorithm 3des ;
> > > > > > > > > > >   hash_algorithm md5 ;
> > > > > > > > > > >   authentication_method pre_shared_key ;
> > > > > > > > > > >   dh_group 2 ;
> > > > > > > > > > >   
> > > > > > > > > > >   }
> > > > > > > > > > > 
> > > > > > > > > > > }
> > > > > > > > > > > 
> > > > > > > > > > > sainfo anonymous {
> > > > > > > > > > > 
> > > > > > > > > > > pfs_group 2 ;
> > > > > > > > > > > lifetime time 12 hour;
> > > > > > > > > > > encryption_algorithm 3des ;
> > > > > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > > > > compression_algorithm deflate ;
> > > > > > > > > > > 
> > > > > > > > > > > }
> > > > > > > > > > > 
> > > > > > > > > > > 
> > > > > > > > > > > # cat /etc/setkey.conf
> > > > > > > > > > > 
> > > > > > > > > > > #!/sbin/setkey -f
> > > > > > > > > > > #flush SAD and SPD
> > > > > > > > > > > flush;
> > > > > > > > > > > spdflush;
> > > > > > > > > > > 
> > > > > > > > > > > #create polices from racoon
> > > > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec
> > > > > > > > > > > esp/tunnel/1.2.3.4  -5.6.7.8/require;
> > > > > > > > > > 
> > > > > > > > > > I assume this is a typo?  It should be:
> > > > > > > > > >   esp/tunnel/1.2.3.4-5.6.7.8/require;
> > > > > > > > > >   
> > > > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec
> > > > > > > > > > > esp/tunnel/5.6.7.8-1.2.3.4  /require;
> > > > > > > > > > 
> > > > > > > > > > This should also no have a space before "/require;"
> > > > > > > > > > 
> > > > > > > > > > > # cat /etc/psk.txt
> > > > > > > > > > > #IPv4 Address
> > > > > > > > > > > 5.6.7.8 123456789
> > > > > > > > > > > 
> > > > > > > > > > > *Router B:*
> > > > > > > > > > > 
> > > > > > > > > > > # cat /etc/racoon.conf  path pre_shared_key
> > 
> > "/etc/psk.txt"
> > 
> > > > > > > > > > > ;
> > > > > > > > > > > 
> > > > > > > > > > > listen {
> > > > > > > > > > > isakmp 5.6.7.8   ;
> > > > > > > > > > > 
> > > > > > > > > > >  strict_address ;
> > > > > > > > > > >  }
> > > > > > > > > > > 
> > > > > > > > > > > remote 1.2.3.4 {
> > > > > > > > > > > 
> > > > > > > > > > >  exchange_mode main,base ;
> > > > > > > > > > > 
> > > > > > > > > > > lifetime time 12 hour ;
> > > > > > > > > > > 
> > > > > > > > > > >  proposal {
> > > > > > > > > > >  
> > > > > > > > > > >   encryption_algorithm 3des ;
> > > > > > > > > > >  
> > > > > > > > > > >  hash_algorithm md5 ;
> > > > > > > > > > >  authentication_method pre_shared_key ;
> > > > > > > > > > > 
> > > > > > > > > > > dh_group 2 ;
> > > > > > > > > > > 
> > > > > > > > > > >   }
> > > > > > > > > > >  
> > > > > > > > > > >  }
> > > > > > > > > > > 
> > > > > > > > > > > sainfo anonymous {
> > > > > > > > > > > 
> > > > > > > > > > > pfs_group 2 ;
> > > > > > > > > > > lifetime time 12 hour;
> > > > > > > > > > > 
> > > > > > > > > > >  encryption_algorithm 3des ;
> > > > > > > > > > > 
> > > > > > > > > > > authentication_algorithm hmac_md5 ;
> > > > > > > > > > > compression_algorithm deflate ;
> > > > > > > > > > > 
> > > > > > > > > > > }
> > > > > > > > > > > 
> > > > > > > > > > > # cat /etc/setkey.conf
> > > > > > > > > > > #!/sbin/setkey -f
> > > > > > > > > > > #flush SAD and SPD
> > > > > > > > > > > 
> > > > > > > > > > > flush;
> > > > > > > > > > > spdflush;
> > > > > > > > > > > 
> > > > > > > > > > > #create polices from racoon
> > > > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec
> > > > > > > > > > > esp/tunnel/5.6.7.8  -1.2.3.4/require;
> > > > > > > > > > 
> > > > > > > > > > Same as I commented above.
> > > > > > > > > > 
> > > > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec
> > > > > > > > > > > esp/tunnel/1.2.3.4-5.6.7.8  /require;
> > > > > > > > > > 
> > > > > > > > > > Same as I commented above.
> > > > > > > > > > 
> > > > > > > > > > > # cat /etc/psk.txt
> > > > > > > > > > > #IPv4 Address
> > > > > > > > > > > 1.2.3.4 123456789
> > > > > > > > > > > 
> > > > > > > > > > > 
> > > > > > > > > > > 
> > > > > > > > > > > 
> > > > > > > > > > > Router A Lan
> > > > > > > > > > > 
> > > > > > > > > > >                                   Router B Lan
> > > > > > 
> > > > > > 192.168.1.0/24
> > > > > > 
> > > > > > > > > > > 192.168.8.0/24
> > > > > > > > > > > Gateway:
> > > > > > > > > > > 192.168.1.254
> > > > > > > > > > > Gateway:192.168.8.254
> > > > > > > > > > > 
> > > > > > > > > > >       |_|_|_|______*Router A
> > > > 
> > > > 1..2.3.4>>>>>internet<<<<<5.6.7.8
> > > > 
> > > > > > > > > > >       |Router B*
> > > > > > > > > > > 
> > > > > > > > > > > ______|_|_|_|
> > > > > > > > > > > 
> > > > > > > > > > > 
> > > > > > > > > > > 
> > > > > > > > > > > I can ping 192.168.1.254 gateway from 192.168.8.100 
> > > > > > > > > > > and
> > > > > > 
> > > > > > similarly
> > > > > > 
> > > > > > > > from
> > > > > > > > 
> > > > > > > > > > > other side LAN network PC.
> > > > > > > > > > > 
> > > > > > > > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and
> > > > > > > > > > > similarly from
> > > > > > > > 
> > > > > > > > other
> > > > > > > > 
> > > > > > > > > > > side.
> > > > > > > > > > > 
> > > > > > > > > > > I can open router management server web page  from LAN
> > > > > > > > > > > PC at
> > > > > > 
> > > > > > other
> > > > > > 
> > > > > > > > LAN
> > > > > > > > 
> > > > > > > > > > > network.
> > > > > > > > > > > 
> > > > > > > > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and
> > > > 
> > > > reverse
> > > > 
> > > > > > > > > > > way. only LAN gateways are reachable.
> > > > > > > > > > 
> > > > > > > > > > This statement contradicts the previous regarding what
> > > > > > > > > > you can ping and what
> > > > > > > > > > not.  I assume that you cannot ping 192.168.8.100 from
> > > > > > 
> > > > > > 192.168.1.100?
> > > > > > 
> > > > > > > > > > > where as whole LAN should be reachable from other LAN.
> > > > > > > > > > > 
> > > > > > > > > > > am I missing some setting ?
> > > > > > > > > > 
> > > > > > > > > > Check that Router B has been set up to allow ip
> > > > > > > > > > forwarding;
> > > > 
> > > > e.g.
> > > > 
> > > > > > > > > > sysclt -a | grep eth0.forwarding
> > > > > > > > > > 
> > > > > > > > > > net.ipv4.conf.eth0.forwarding = 1
> > > > > > > > > > 
> > > > > > > > > > 
> > > > > > > > > > also check that the firewall on Router B is similarly
> > 
> > allowed
> > 
> > > > to
> > > > 
> > > > > > > > forward
> > > > > > > > 
> > > > > > > > > > packets.
> > > > > > > > > > 
> > > > > > > > > > If not adjust accordingly.
> > > > > > > > > > 
> > > > > > > > > > --
> > > > > > > > > > Regards,
> > > > > > > > > > Mick
> > > > > > > > 
> > > > > > > > --
> > > > > > > > Regards,
> > > > > > > > Mick
> > > > > > 
> > > > > > --
> > > > > > Regards,
> > > > > > Mick
> > > > 
> > > > --
> > > > Regards,
> > > > Mick
> > 
> > --
> > Regards,
> > Mick

-- 
Regards,
Mick