List: linux-newbie
Subject: Linux kernel IPSec processing when acting as gateway
From: Prashant Batra <prashant0100 () gmail ! com>
Date: 2011-11-17 15:44:24
Message-ID: CAG+XuE7jx6KiK66RSHqNK3ChCGqdSVhSuM9fL6YtgzZrtx89qg () mail ! gmail ! com
Hello,
One basic question related to IPSec processing on a gateway.
I have established IPSec tunnels between two gateways (gw1 and gw2). On
gw1 I am using Linux kernel IPSec (a normal Linux server which will
act as the gateway).
The SPD and SAD on gw1 are:
gw1# ip xfrm policy
src 172.16.80.1/32 dst 0.0.0.0/0
        dir fwd priority 1024
        tmpl src 198.168.68.2 dst 192.168.101.101
                proto esp spi 0x00000000 reqid 0 mode tunnel
src 0.0.0.0/0 dst 172.16.80.1/32
        dir fwd priority 1024
        tmpl src 192.168.101.101 dst 198.168.68.2
                proto esp spi 0x00000000 reqid 0 mode tunnel
src 172.16.80.1/32 dst 0.0.0.0/0
        dir out priority 1024
        tmpl src 198.168.68.2 dst 192.168.101.101
                proto esp spi 0x00000000 reqid 0 mode tunnel
src 0.0.0.0/0 dst 172.16.80.1/32
        dir in priority 1024
        tmpl src 192.168.101.101 dst 198.168.68.2
                proto esp spi 0x00000000 reqid 0 mode tunnel

gw1# ip xfrm state
src 198.168.68.2 dst 192.168.101.101
        proto esp spi 0x010000b8 reqid 0 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x00c530455c9b7a4f3ed3824220a4c05e8b5edf97
        enc cbc(aes) 0x03d8c8ac752c2a9c4745f1a25a9f7da9
        sel src 172.16.80.1/32 dst 0.0.0.0/0
src 192.168.101.101 dst 198.168.68.2
        proto esp spi 0x00007aa1 reqid 0 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x8d05b76456c9a52b51b6193f01c48a2fc27ada48
        enc cbc(aes) 0x75d062288ccb7355b0b8358f83323dd9
        sel src 0.0.0.0/0 dst 172.16.80.1/32
Now I am trying to send data from host1 (behind gw1) 172.16.80.1 to
host2 172.16.60.1, which is behind gw2. But gw1 IPSec is not
processing the packets:
host1# ping 172.16.60.1 -I 172.16.80.1

gw1# tcpdump -i eth1
13:58:03.648171 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 1
13:58:04.647301 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 2
13:58:05.647116 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 3
(plain ICMP packets)
Please correct me if my understanding is wrong.
Also, if the question is not appropriate for this list, please point
me to the correct mailing list for Linux kernel IPSec.
Thanks,
Prashant
--
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
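Editor's note, added to this thread and not part of the original post: the
script below is a small model of the two xfrm lookups gw1 applies to a
packet it forwards for host1, run against a constructed copy of the SPD and
SAD printed above. Two things it makes visible. First, a forwarded packet
goes through the "fwd" policy check in ip_forward() before the "out" policy
and the SA are consulted on the way out, and the ESP encapsulation only
happens on the interface that routes toward 192.168.101.101; if eth1 is the
interface facing host1 (an assumption, the post does not say), plaintext
echo requests are exactly what tcpdump should show there. Second, with the
SPD as posted, the first fwd entry (src 172.16.80.1/32 dst 0.0.0.0/0, with
an esp tunnel template) matches host1's flow and demands that those packets
already carry the inbound ESP transform, which plaintext from the LAN never
does, so the model drops them at the fwd check. An IKE daemon normally
installs the fwd entry only as a mirror of the "in" policy (src 0.0.0.0/0
dst 172.16.80.1/32), which the second fwd entry already is. Function and
variable names are mine; the 0x010000b8 / 0x00007aa1 SPIs and the keys are
the ones shown in the post.

```python
"""Model of the xfrm policy/state lookups a Linux gateway applies to a
forwarded packet.  Added example for this thread, not code from the post;
the two strings are constructed copies of the `ip xfrm policy` and
`ip xfrm state` output posted above, and the flows are the poster's ping."""
import ipaddress

XFRM_POLICY = """\
src 172.16.80.1/32 dst 0.0.0.0/0
    dir fwd priority 1024
    tmpl src 198.168.68.2 dst 192.168.101.101
        proto esp spi 0x00000000 reqid 0 mode tunnel
src 0.0.0.0/0 dst 172.16.80.1/32
    dir fwd priority 1024
    tmpl src 192.168.101.101 dst 198.168.68.2
        proto esp spi 0x00000000 reqid 0 mode tunnel
src 172.16.80.1/32 dst 0.0.0.0/0
    dir out priority 1024
    tmpl src 198.168.68.2 dst 192.168.101.101
        proto esp spi 0x00000000 reqid 0 mode tunnel
src 0.0.0.0/0 dst 172.16.80.1/32
    dir in priority 1024
    tmpl src 192.168.101.101 dst 198.168.68.2
        proto esp spi 0x00000000 reqid 0 mode tunnel
"""

XFRM_STATE = """\
src 198.168.68.2 dst 192.168.101.101
    proto esp spi 0x010000b8 reqid 0 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x00c530455c9b7a4f3ed3824220a4c05e8b5edf97
    enc cbc(aes) 0x03d8c8ac752c2a9c4745f1a25a9f7da9
    sel src 172.16.80.1/32 dst 0.0.0.0/0
src 192.168.101.101 dst 198.168.68.2
    proto esp spi 0x00007aa1 reqid 0 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x8d05b76456c9a52b51b6193f01c48a2fc27ada48
    enc cbc(aes) 0x75d062288ccb7355b0b8358f83323dd9
    sel src 0.0.0.0/0 dst 172.16.80.1/32
"""

def _blocks(text):
    """Split `ip xfrm` output into entries; each starts at an unindented 'src' line."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not blocks or (not line[0].isspace() and line.startswith("src ")):
            blocks.append([])
        blocks[-1].append(line.strip())
    return blocks

def _kv(line, skip=None):
    """'src A dst B proto esp ...' -> {'src': A, 'dst': B, 'proto': 'esp', ...}."""
    toks = line.split()
    if skip and toks and toks[0] == skip:      # drop leading 'tmpl' / 'sel'
        toks = toks[1:]
    return dict(zip(toks[0::2], toks[1::2]))

def parse_policies(text):
    pols = []
    for blk in _blocks(text):
        sel, hdr = _kv(blk[0]), _kv(blk[1])
        tmpl = _kv(blk[2], skip="tmpl")
        tmpl.update(_kv(blk[3]))                # proto / spi / reqid / mode
        pols.append({"src": ipaddress.ip_network(sel["src"]),
                     "dst": ipaddress.ip_network(sel["dst"]),
                     "dir": hdr["dir"], "priority": int(hdr["priority"]),
                     "tmpl": tmpl})
    return pols

def parse_states(text):
    sas = []
    for blk in _blocks(text):
        sa = _kv(blk[0])
        sa.update(_kv(blk[1]))
        sa["sel"] = next((_kv(l, skip="sel") for l in blk if l.startswith("sel ")), {})
        sas.append(sa)
    return sas

def policy_lookup(policies, src, dst, direction):
    """Best SPD entry for a flow: selector must match, lowest priority value wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def _satisfies(sa, tmpl):
    return all(sa[k] == tmpl[k] for k in ("src", "dst", "proto", "mode"))

def state_lookup(states, tmpl):
    """SA for a template: src/dst/proto/mode agree; template spi 0 means any SPI."""
    for sa in states:
        if _satisfies(sa, tmpl) and int(tmpl["spi"], 16) in (0, int(sa["spi"], 16)):
            return sa
    return None

def fwd_check(policies, src, dst, secpath):
    """ip_forward() -> xfrm policy check, dir fwd.  `secpath` is the list of SAs
    the packet was decapsulated from on input (empty for plaintext).  A matching
    fwd policy whose template no secpath entry satisfies means: drop."""
    pol = policy_lookup(policies, src, dst, "fwd")
    if pol is None:
        return True                             # no fwd policy: forwarding allowed
    return any(_satisfies(sa, pol["tmpl"]) for sa in secpath)

def forward(policies, states, src, dst, secpath=()):
    """What the gateway does with one packet it forwards."""
    if not fwd_check(policies, src, dst, secpath):
        return {"action": "drop", "where": "fwd policy check (XfrmInTmplMismatch)"}
    out = policy_lookup(policies, src, dst, "out")
    if out is None:
        return {"action": "plaintext", "where": "no out policy"}
    sa = state_lookup(states, out["tmpl"])
    if sa is None:
        return {"action": "drop", "where": "no SA for out template (ACQUIRE to IKE)"}
    return {"action": "esp", "outer_src": sa["src"], "outer_dst": sa["dst"],
            "spi": int(sa["spi"], 16)}

if __name__ == "__main__":
    pols, sas = parse_policies(XFRM_POLICY), parse_states(XFRM_STATE)
    # host1 -> host2 in the clear from the LAN side: the poster's ping
    print(forward(pols, sas, "172.16.80.1", "172.16.60.1"))
    # same SPD without the fwd entry that selects host1's own traffic
    trimmed = [p for p in pols
               if not (p["dir"] == "fwd" and str(p["src"]) == "172.16.80.1/32")]
    print(forward(trimmed, sas, "172.16.80.1", "172.16.60.1"))
    # host2's reply, decapsulated from the inbound SA, forwarded on to host1
    print(forward(pols, sas, "172.16.60.1", "172.16.80.1", secpath=[sas[1]]))
```

The model ignores policy flags, indexes, socket policies and sub-policies,
so confirm on the real box rather than trusting it: watch
`cat /proc/net/xfrm_stat` while pinging (XfrmInTmplMismatch climbing once
per request points at the fwd check), capture on the interface toward the
peer with `tcpdump -ni <ext-if> esp`, and if the first fwd entry is the
culprit remove it with
`ip xfrm policy delete src 172.16.80.1/32 dst 0.0.0.0/0 dir fwd` (or fix
whatever installed it) and ping again.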