'Linux kernel IPSec processing when acting as gateway'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-newbie
Subject:    Linux kernel IPSec processing when acting as gateway
From:       Prashant Batra <prashant0100 () gmail ! com>
Date:       2011-11-17 15:44:24
Message-ID: CAG+XuE7jx6KiK66RSHqNK3ChCGqdSVhSuM9fL6YtgzZrtx89qg () mail ! gmail ! com
[Download RAW message or body]

Hello,

One basic question related to IPSec processing on gateway.
I have established IPSec tunnels between two gateway (gw1 and gw2). On
gw1 I am using Linux kernel IPSec (a normal linux server which will
act as gateway).
The SPD and SAD database on gw1 is-

gw1#ip xfrm policy
src 172.16.80.1/32 dst 0.0.0.0/0
        dir fwd priority 1024
        tmpl    src 198.168.68.2 dst 192.168.101.101
                proto esp spi 0x00000000 reqid 0 mode tunnel

src 0.0.0.0/0 dst 172.16.80.1/32
        dir fwd priority 1024
        tmpl    src 192.168.101.101 dst 198.168.68.2
                proto esp spi 0x00000000 reqid 0 mode tunnel

src 172.16.80.1/32 dst 0.0.0.0/0
        dir out priority 1024
        tmpl    src 198.168.68.2 dst 192.168.101.101
                proto esp spi 0x00000000 reqid 0 mode tunnel

src 0.0.0.0/0 dst 172.16.80.1/32
        dir in priority 1024
        tmpl    src 192.168.101.101 dst 198.168.68.2
                proto esp spi 0x00000000 reqid 0 mode tunnel

gw1#ip xfrm state
src 198.168.68.2 dst 192.168.101.101
        proto esp spi 0x010000b8 reqid 0 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x00c530455c9b7a4f3ed3824220a4c05e8b5edf97
        enc cbc(aes) 0x03d8c8ac752c2a9c4745f1a25a9f7da9
        sel src 172.16.80.1/32 dst 0.0.0.0/0
src 192.168.101.101 dst 198.168.68.2
        proto esp spi 0x00007aa1 reqid 0 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x8d05b76456c9a52b51b6193f01c48a2fc27ada48
        enc cbc(aes) 0x75d062288ccb7355b0b8358f83323dd9
        sel src 0.0.0.0/0 dst 172.16.80.1/32

Now I am trying to send data from host1(behind gw1) 172.16.80.1 to
host2 172.16.60.1 which is behind gw2.  But gw1 IPSec is not
processing the packets-

host1#ping 172.16.60.1 -I 172.16.80.1

gw1#tcpdump –I eth1
13:58:03.648171 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request
seq 1 – plain icmp packets
13:58:04.647301 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 2
13:58:05.647116 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 3

Please correct me if I my understanding is wrong.

Also, if the question is not appropriate for this list, please point
me to the correct mailing list for Linux kernel IPSec.

Thanks,
Prahsant
--
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic