
[Users] FIXED!!! linux ipsec transport mode + ipip tunnel...

From: James Harper <JamesH(at)sbss.com.au>
Date: Fri Oct 10 2003 - 09:26:54 EDT


the ipsec.conf config:

conn gisborne

        type=transport
        left=%defaultroute
        right=a.b.c.d
        keyexchange=ike
        keylife=3600s
        authby=secret
        auto=start

the ipip tunnel config (from /etc/network/interfaces):

auto gisborne
iface gisborne inet static
  address 10.20.1.205
  netmask 255.255.255.255
  mtu 1000
  pre-up ip tun add $IFACE mode ipip remote a.b.c.d || true
  up ip route add 10.25.1.0/24 dev $IFACE || true
  post-down ip tun del $IFACE || true

With ipsec off, the tunnel worked fine. With ipsec on, I could see the packets with this iptables rule: -A INPUT -i gisborne -j LOG
but the applications just won't see them.

anyway, this fixed it:

echo "1" >/proc/sys/net/ipv4/conf/gisborne/disable_policy

I'm guessing it's a bug.


James
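The post pairs three things that have to agree before the setup works: the transport-mode conn in ipsec.conf, the ipip stanza in /etc/network/interfaces, and the per-interface disable_policy sysctl. The script below is an added example, not code from the post or from FreeS/WAN: it parses both config snippets (copied from the mail as constructed sample input), checks that the IPsec peer (`right`) is the same host as the ipip `remote`, and reports the disable_policy value the poster had to set. The sysctl value is passed in as a string rather than read from /proc so the check runs without a live kernel; the function names are this example's own.

```python
import re

# Constructed sample inputs, copied from the two snippets in the mail above.
IPSEC_CONF = """\
conn gisborne

        type=transport
        left=%defaultroute
        right=a.b.c.d
        keyexchange=ike
        keylife=3600s
        authby=secret
        auto=start
"""

INTERFACES = """\
auto gisborne
iface gisborne inet static
  address 10.20.1.205
  netmask 255.255.255.255
  mtu 1000
  pre-up ip tun add $IFACE mode ipip remote a.b.c.d || true
  up ip route add 10.25.1.0/24 dev $IFACE || true
  post-down ip tun del $IFACE || true
"""

HOOKS = ("pre-up", "up", "post-up", "down", "pre-down", "post-down")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the 'conn' sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line opens a section; only 'conn NAME' matters here.
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is not None:
            key, sep, value = line.strip().partition("=")
            if sep:
                current[key.strip()] = value.strip()
    return conns


def parse_interfaces(text):
    """Return {iface: {option: value, 'hooks': [(phase, command)]}} from an interfaces(5) file."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "auto":
            for name in parts[1:]:
                ifaces.setdefault(name, {"hooks": []})["auto"] = True
            current = None
        elif parts[0] == "iface" and len(parts) >= 4:
            current = ifaces.setdefault(parts[1], {"hooks": []})
            current["family"], current["method"] = parts[2], parts[3]
        elif current is not None and parts[0] in HOOKS:
            current["hooks"].append((parts[0], " ".join(parts[1:])))
        elif current is not None:
            current[parts[0]] = " ".join(parts[1:])
    return ifaces


def ipip_remote(iface):
    """Peer address from an 'ip tun add ... mode ipip remote X' hook, or None."""
    for _phase, cmd in iface.get("hooks", []):
        m = re.search(r"\bmode\s+ipip\b.*?\bremote\s+(\S+)", cmd)
        if m:
            return m.group(1)
    return None


def check_setup(ipsec_text, interfaces_text, name, disable_policy):
    """Cross-check 'conn NAME' against the tunnel interface NAME.

    disable_policy is the text of /proc/sys/net/ipv4/conf/NAME/disable_policy,
    supplied by the caller. Returns a list of findings; empty means consistent.
    """
    findings = []
    conn = parse_ipsec_conf(ipsec_text).get(name)
    iface = parse_interfaces(interfaces_text).get(name)
    if conn is None:
        return [f"no 'conn {name}' in ipsec.conf"]
    if iface is None:
        return [f"no 'iface {name}' stanza in interfaces"]
    if conn.get("type") != "transport":
        findings.append(f"conn {name}: type={conn.get('type')!r}, expected transport for ipip over IPsec")
    remote = ipip_remote(iface)
    if remote is None:
        findings.append(f"iface {name}: no 'ip tun add ... mode ipip remote' hook")
    elif remote != conn.get("right"):
        findings.append(f"peer mismatch: ipsec right={conn.get('right')} vs ipip remote={remote}")
    if not any(ph == "post-down" and "tun del" in cmd for ph, cmd in iface["hooks"]):
        findings.append(f"iface {name}: tunnel is never deleted on post-down")
    if disable_policy.strip() != "1":
        findings.append(f"{name}: disable_policy={disable_policy.strip()!r}; the workaround in the "
                        "thread sets it to 1 so local applications see the decapsulated packets")
    return findings


if __name__ == "__main__":
    # Simulate the poster's situation before the fix: sysctl still at 0.
    for finding in check_setup(IPSEC_CONF, INTERFACES, "gisborne", "0\n") or ["ok"]:
        print(finding)
```

On a real host the fourth argument would be the contents of /proc/sys/net/ipv4/conf/gisborne/disable_policy read after the interface is up; the file only exists once the tunnel device does, which is why the poster's `echo` has to run after `pre-up`.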

-----Original Message-----

From:	James Harper
Sent:	Fri 10/10/2003 13:13
To:	Sam Sgro; users@mj2.freeswan.org
Cc:	
Subject:	Re: [Users] linux ipsec transport mode + ipip tunnel...
Thanks for the reply. I'll forward the configs as soon as I can get to them and sanitize them. IPsec is transport mode and is definitely working. Everything is working except that the Linux PC can't 'see' the packets as they come out of the tunnel, even though it will forward them fine to other hosts.

james

On Thursday 09 October 2003 09:39, James Harper wrote:
> Unfortunately as soon as I enable ipsec, suddenly B (the linux server)

You need to post configs. You've "enabled IPsec"; how have you actually configured the connection?

> The kernel is debian 'testing' ('sarge') 2.4.21-5 or 2.4.22-1. Both have

As an aside, FreeS/WAN on the linux kernel IPsec is new and not well tested. If this is a production environment, you may want to go back to a KLIPS based kernel for something known to work. As a side benefit, KLIPS uses virtual interfaces, which would negate the necessity of using IPIP.

However, code doesn't get tested if people don't actually run it, so hang in there. ;)

--
Sam Sgro sam@freeswan.org

-----BEGIN PGP SIGNATURE-----

Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBP4WvZ0OSC4btEQUtAQE6YAP+Itdk/GkJJgLhjEokMD3qSTMYo8mw/sss
pPTiA3QFqcXlfhDYepBT5AdPd9z3oEhKExlg6e0+5ewRPLYQajB9tdr/EBWkwOf/
ILwWgh/b4gQXCMG7QA+Q3Daramr5R72BvaXmR+xjuBZ4OUzTXrO2tKaLmuDYUqzC
yzGbPGUHtR4=
=chDa
-----END PGP SIGNATURE-----



FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Fri Oct 10 10:03:39 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:05 EDT

