Re: [Ipsec-tools-users] Ipsec-Tunnel: incoming packet is not forwarded
From: Süssner M. <mi...@su...> - 2013-10-19 08:00:47
thanks first for the info. I am currently not using the racoon tool since I am still working on the first example of the KAME-Tools ipsec tutorial, http://www.ipsec-howto.org/x304.html (section "tunnel mode").

Using tcpdump I can see that the incoming encrypted packet is decrypted and re-queued into the internal eth1 IP stack. However, the packet is not forwarded.

You mentioned the forward policy, and I assume that you refer to the SPD configuration. Since 0.6.8 automatically forwards an incoming packet to another port, there is no need to specify fwd. However, I have seen an SPD configuration in another example where the forward policy is explicitly listed.

Here is my SPD output:

172.16.2.0/24[any] 172.16.1.0/24[any] any
	in prio def ipsec
	esp/tunnel/192.168.2.1-192.168.1.1/require
	created: Oct 19 07:44:39 2013  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=8 seq=1 pid=1044 refcnt=1
172.16.1.0/24[any] 172.16.2.0/24[any] any
	out prio def ipsec
	esp/tunnel/192.168.1.1-192.168.2.1/require
	created: Oct 19 07:44:39 2013  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=9 seq=0 pid=1044 refcnt=1

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.2.0      gateway2.local  255.255.255.240 UG    0      0        0 eth1
localnet        *               255.255.255.240 U     0      0        0 eth0
192.168.0.0     *               255.255.252.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo

root@gateway1:~# cat /proc/sys/net/ipv4/ip_forward
1
root@gateway1:~#

To clarify my testing environment:
OpenSSL: 0.9.8x
setkey: 0.6.7

Michael

On 18.10.2013 at 20:37, Mick <mic...@gm...> wrote:

> On Friday 18 Oct 2013 14:33:09 Süssner Michael wrote:
>> Environment: Linux 2.6.15.4
>>
>> I have configured an ipsec tunnel and from analysis of the tcpdump, I have
>> learned that the decapsulated IP packet is not forwarded to the outgoing
>> ethernet port.
>>
>> ip_forwarding is on and it works fine without ipsec.
>>
>> I have not installed netfilter or iptables so I am not sure if this may be
>> the root of my troubles.
>>
>> How can I trace to learn where the packet is dropped?
>>
>> Michael
>
>
> If setkey sets up the right policies, then you may also need to set up a route
> manually (e.g. with the ip command) in case the default up/down scripts do not
> do this automatically for you when the tunnel is established.
>
> --
> Regards,
> Mick
> _______________________________________________
> Ipsec-tools-users mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users
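The thread turns on whether a fwd policy exists for the tunnel: the post says setkey creates it automatically from 0.6.8 on, while the gateway runs setkey 0.6.7, and a decapsulated packet that is routed on rather than delivered locally is matched against the fwd direction of the SPD. The script below is an added diagnostic, not part of the thread or of ipsec-tools: it parses `setkey -DP` output (assumed to have the layout shown in the post, one unindented selector line followed by indented attribute lines), lists tunnel-mode in policies with no matching fwd policy, prints the spdadd line that would add one, and checks the ip_forward sysctl. The sample SPD text is constructed from the dump in the post; the fwd block and all function names are this example's own.

```python
"""Diagnose 'decapsulated packet is not forwarded' from setkey -DP output."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Policy:
    src: str            # selector as printed by setkey, e.g. "172.16.2.0/24[any]"
    dst: str
    upper: str          # upper-layer protocol selector ("any", "tcp", ...)
    direction: str      # "in", "out" or "fwd"
    action: str         # "ipsec", "discard" or "none"
    proto: str = ""     # "esp", "ah" or "ipcomp" (empty unless action is ipsec)
    mode: str = ""      # "tunnel" or "transport"
    tunnel_src: str = ""
    tunnel_dst: str = ""
    level: str = ""     # "require", "use", ...


# An SPD entry starts with an unindented "src dst upper" line; attributes follow indented.
_HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")
_DIRECTION = re.compile(r"^\s+(in|out|fwd)\s+(?:prio\s+\S+\s+)?(ipsec|discard|none)\b")
_RULE = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/(?:([^\s/-]+)-([^\s/]+))?/(\w+)")


def parse_spd(text: str) -> List[Policy]:
    """Turn `setkey -DP` output into one Policy per SPD entry."""
    policies: List[Policy] = []
    current = None                      # fields of the entry being read
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():       # new entry header
            m = _HEADER.match(line)
            if m:
                if current and "direction" in current:
                    policies.append(Policy(**current))
                src, dst, upper = m.groups()
                current = {"src": src, "dst": dst, "upper": upper}
            continue
        if current is None:
            continue
        m = _DIRECTION.match(line)
        if m:
            current["direction"], current["action"] = m.groups()
            continue
        m = _RULE.match(line)
        if m:
            proto, mode, tsrc, tdst, level = m.groups()
            current.update(proto=proto, mode=mode, level=level,
                           tunnel_src=tsrc or "", tunnel_dst=tdst or "")
    if current and "direction" in current:
        policies.append(Policy(**current))
    return policies


def _key(p: Policy):
    return (p.src, p.dst, p.upper, p.tunnel_src, p.tunnel_dst)


def missing_fwd_policies(policies: List[Policy]) -> List[Policy]:
    """Tunnel-mode 'in' policies with no 'fwd' policy of the same selectors
    and tunnel endpoints; forwarded plaintext is checked against fwd."""
    have_fwd = {_key(p) for p in policies if p.direction == "fwd"}
    return [p for p in policies
            if p.direction == "in" and p.mode == "tunnel" and _key(p) not in have_fwd]


def fwd_spdadd(p: Policy) -> str:
    """setkey spdadd line that would add the missing fwd policy; the "[any]"
    port selector of the dump form is dropped, as in the tutorial's spdadd lines."""
    src, dst = p.src.split("[")[0], p.dst.split("[")[0]
    return (f"spdadd {src} {dst} {p.upper} -P fwd {p.action} "
            f"{p.proto}/{p.mode}/{p.tunnel_src}-{p.tunnel_dst}/{p.level};")


def diagnose(spd_text: str, ip_forward_text: str) -> List[str]:
    """Findings for one gateway from `setkey -DP` and /proc/sys/net/ipv4/ip_forward."""
    findings = []
    if ip_forward_text.strip() != "1":
        findings.append("ip_forward is not 1")
    for p in missing_fwd_policies(parse_spd(spd_text)):
        findings.append(f"no fwd policy for {p.src} -> {p.dst}; try: {fwd_spdadd(p)}")
    return findings


# Constructed from the SPD dump in the post (gateway1, setkey 0.6.7).
SAMPLE_SPD = """\
172.16.2.0/24[any] 172.16.1.0/24[any] any
\tin prio def ipsec
\tesp/tunnel/192.168.2.1-192.168.1.1/require
\tcreated: Oct 19 07:44:39 2013  lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=8 seq=1 pid=1044 refcnt=1
172.16.1.0/24[any] 172.16.2.0/24[any] any
\tout prio def ipsec
\tesp/tunnel/192.168.1.1-192.168.2.1/require
\tcreated: Oct 19 07:44:39 2013  lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=9 seq=0 pid=1044 refcnt=1
"""

# Constructed: what the dump would contain once a fwd policy exists (spid is invented).
FWD_BLOCK = """\
172.16.2.0/24[any] 172.16.1.0/24[any] any
\tfwd prio def ipsec
\tesp/tunnel/192.168.2.1-192.168.1.1/require
\tcreated: Oct 19 07:44:39 2013  lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=10 seq=2 pid=1044 refcnt=1
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SPD, "1\n"):
        print(finding)
```

Run on the posted dump it reports the missing fwd entry for 172.16.2.0/24 -> 172.16.1.0/24 together with the spdadd line; on a dump that already contains the fwd entry it reports nothing, and a non-1 ip_forward is reported separately so the two causes are not confused.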