Re: linux-ipsec: privately-numbered subnets behind linux-ipsec gateways

> > S======G------M........N-------H======T
> >1. [...] Test that machines in S can ping machines in T (not just that

Unfortunately true. The trouble is that it's *really* easy for people to misconfigure routing, etc., in such a way that they can't get packets from S to T at all... and then they blame IPSEC for it. Hence the very strong recommendation to debug the basic network setup first.

> So the question arises: can the freeswan system handle this?

Yes, definitely. But debugging it is considerably harder than the case where the networking can be tested first, because there are so many more things that can go wrong on the first attempt.

> I am telling
> it enough routing information in /etc/ipsec-auto that it *ought* to be able
> to route the encapsulated traffic. When G and H are directly connected the
> tunnel works fine. But when G and H have to talk via the cloud, I can't
> get it to come close to working, and I suspect it is misrouting the setup
> packets...

A subtle point: G and H should be able to talk to each other before the activation of IPSEC. That is, they should have routes for each other. Pluto doesn't set up its own routing until it is setting up connections, as I recall, and it can't do that if it can't talk to the other Pluto.

(The existence of such routes is, of course, automatically guaranteed by good old step 1. More generally, even if you can't get packets from S to T before checking out IPSEC, you certainly should verify that you can get them from G to H.)

>...Specifically, tcpdump doesn't see any IP packets at all coming
>out of G during the time when G says it is doing things...

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

Careful here -- are you running tcpdump on G, or on a separate machine that's listening to the G-M wire? Unfortunately, it *can* make a difference.

> Suggestion: It would be nice to have documentation and testing tools that
> can handle the case of privately-numbered subnets behind tunnels.

The docs definitely need attention in this area. I don't know how much we can do on the testing front, but we'll look at it. Thanks for pointing this out.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)