#49 Decrypted packet outgoing via WAN interface

Milestone: setkey
Status: open
Owner: nobody
Priority: 7
Updated: 2010-12-03
Created: 2010-11-25
Private: No

Hi all,

I have installed two Linux gateways with ipsec-tools. When I launch a ping from one network to the other, the first one encrypts the packet in ESP (seen with tcpdump); the second decrypts the packet but sends it via eth0, which is my WAN interface. Where should I specify on which interface the decrypted packet should go?

first gateway :
#!/usr/sbin/setkey -f
#
#Flush SAD and SPD
flush;
spdflush;

#Create policies for racoon
spdadd 172.16.84.0/24 172.16.74.0/24 any -P out ipsec esp/tunnel/[ip_wan1]-[ip_wan2]/require;
spdadd 172.16.74.0/24 172.16.84.0/24 any -P in ipsec esp/tunnel/[ip_wan2]-[ip_wan1]/require;

second gateway :
#!/usr/sbin/setkey -f
#
#Flush SAD and SPD
flush;
spdflush;

#Create policies for racoon
spdadd 172.16.74.0/24 172.16.84.0/24 any -P out ipsec esp/tunnel/[ip_wan2]-[ip_wan1]/require;
spdadd 172.16.84.0/24 172.16.74.0/24 any -P in ipsec esp/tunnel/[ip_wan1]-[ip_wan2]/require;

Discussion

  • Benoit LORAND

    Benoit LORAND - 2010-12-03
  • Benoit LORAND

    Benoit LORAND - 2010-12-03

    On the attached screenshot we can see the problem. Has someone already seen that? I was on kernel 2.6.33; I have updated to 2.6.36.1 but no change.

  • Benoit LORAND

    Benoit LORAND - 2010-12-03
    • milestone: --> setkey
    • priority: 5 --> 7
  • Benoit LORAND

    Benoit LORAND - 2010-12-03

    Note that I have changed the IP destinations in the setkey configuration, like this:

    ipsec2 :
    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;

    #Create policies for racoon
    spdadd 172.16.74.0/24 172.16.75.0/24 any -P out ipsec
    esp/tunnel/10.0.0.1-10.0.0.2/require;

    spdadd 172.16.75.0/24 172.16.74.0/24 any -P in ipsec
    esp/tunnel/10.0.0.2-10.0.0.1/require;

    ipsec3:

    #!/usr/sbin/setkey -f
    #
    #Flush SAD and SPD
    flush;
    spdflush;

    #Create policies for racoon
    spdadd 172.16.75.0/24 172.16.74.0/24 any -P out ipsec
    esp/tunnel/10.0.0.2-10.0.0.1/require;

    spdadd 172.16.74.0/24 172.16.75.0/24 any -P in ipsec
    esp/tunnel/10.0.0.1-10.0.0.2/require;
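
The two SPD files above have to agree exactly: each gateway needs an in/out pair with source, destination and tunnel endpoints swapped, and every policy on one gateway must appear on the other with only the direction flipped (gateway 1's "out" policy is gateway 2's "in" policy). The first report's config shows how easily a hand-edited pair drifts (a `{` where a `[` belongs). The script below is an added example, not ipsec-tools code or anything the reporter posted: it parses the `spdadd ... esp/tunnel/A-B/level;` form used on this page (only that form), checks both consistency rules, and flags statements that do not parse. The ipsec2 and ipsec3 files are taken from the comment above; the typo variant is constructed for the demonstration.

```python
"""Consistency checks for a pair of setkey SPD files (added example, not ipsec-tools code)."""
import re
from dataclasses import dataclass, replace

# One tunnel-mode ESP policy as written for setkey's spdadd.
# Only the "esp/tunnel/SRC-DST/LEVEL" form used on this page is handled.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<direction>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<tun_src>\d+(?:\.\d+){3})-(?P<tun_dst>\d+(?:\.\d+){3})"
    r"/(?P<level>\w+)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    tun_src: str
    tun_dst: str
    level: str


def parse_spd(text):
    """Return (policies, unparsed_count) for a 'setkey -f' style file.

    Comment lines are dropped and the rest is joined, because setkey lets a
    statement run across lines until the terminating ';' (as ipsec2/ipsec3 do).
    """
    body = " ".join(
        line.strip() for line in text.splitlines() if not line.lstrip().startswith("#")
    )
    policies = [Policy(**m.groupdict()) for m in SPDADD_RE.finditer(body)]
    unparsed = len(re.findall(r"\bspdadd\b", body)) - len(policies)
    return policies, unparsed


def local_counterpart(p):
    """What the same gateway must carry for the reverse direction."""
    return Policy(p.dst, p.src, p.proto, "in" if p.direction == "out" else "out",
                  p.tun_dst, p.tun_src, p.level)


def peer_counterpart(p):
    """What the other gateway must carry: same selectors and tunnel endpoints,
    only the direction flips (gw1's 'out' policy is gw2's 'in' policy)."""
    return replace(p, direction="in" if p.direction == "out" else "out")


def check_pair(text_a, text_b, name_a="A", name_b="B"):
    """Return a list of problems; an empty list means the two SPDs agree."""
    problems = []
    parsed = {}
    for name, text in ((name_a, text_a), (name_b, text_b)):
        pols, unparsed = parse_spd(text)
        if unparsed:
            problems.append(f"{name}: {unparsed} spdadd statement(s) did not parse "
                            "(typo in an address or the esp/tunnel spec?)")
        parsed[name] = set(pols)
        for p in pols:
            if local_counterpart(p) not in parsed[name]:
                problems.append(f"{name}: no reverse-direction policy for "
                                f"{p.direction} {p.src} -> {p.dst}")
    for name, other in ((name_a, name_b), (name_b, name_a)):
        for p in parsed[name]:
            want = peer_counterpart(p)
            if want not in parsed[other]:
                problems.append(f"{other}: missing {want.direction} policy matching {name}'s "
                                f"{p.direction} {p.src} -> {p.dst} via {p.tun_src}-{p.tun_dst}")
    return problems


# The ipsec2 / ipsec3 files from the comment above, as posted.
IPSEC2 = """#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 172.16.74.0/24 172.16.75.0/24 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 172.16.75.0/24 172.16.74.0/24 any -P in ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;
"""
IPSEC3 = """#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 172.16.75.0/24 172.16.74.0/24 any -P out ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;
spdadd 172.16.74.0/24 172.16.75.0/24 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;
"""
# Constructed variant with the bracket typo seen in the first report
# ("esp/tunnel/{ip_wan2]..."); the inbound policy no longer parses.
IPSEC3_TYPO = IPSEC3.replace("esp/tunnel/10.0.0.1-10.0.0.2", "esp/tunnel/{10.0.0.1-10.0.0.2")

if __name__ == "__main__":
    for label, b in (("ipsec3", IPSEC3), ("ipsec3 with typo", IPSEC3_TYPO)):
        print(label, check_pair(IPSEC2, b, "ipsec2", "ipsec3") or "OK")
```

Run it before loading the files with `setkey -f`; after loading, `setkey -DP` on each gateway shows what the kernel actually holds, which is the list to compare if the files and the live SPD have diverged.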

