
List:       openswan-users
Subject:    [Openswan Users] How is 'ip xfrm policy' generated
From:       Steve MacDougall <smacdougall () bluepay ! ca>
Date:       2016-08-03 14:59:38
Message-ID: CAJHtFgX_Pn+kE6h6sbrSfWm4Jb7dcSD95nCRJModpQbA7KDr_g () mail ! gmail ! com


I recently had an issue with a tunnel that was working fine for months,
then suddenly traffic that should have gone over the tunnel was going to
the gateway instead.

I eventually traced the trouble to two xfrm policies:

One policy had 'action block' for the src, dst, and dport of the traffic I
was sending.

The other policy had 'proto tcp', instead of 'proto esp', for the src and
dst. The correct policies to send the traffic over the tunnel were also
present, but these two policies seemed to take precedence. Once I deleted
them the traffic went over the tunnel.

My question is, where did these policies suddenly come from? There was
nothing in '/etc/ipsec.d/policies/block', and as far as I know, nobody
would have gone in and manually created them.

--

Steve MacDougall

Sr. Systems/Network Administrator

647.258.3704 Direct

289.924.1086 Mobile

smacdougall@bluepay.ca
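As an added example (not part of the original post, and not code from Openswan or iproute2), the script below audits the text that 'ip xfrm policy' prints for the two kinds of entry described in the message: a selector carrying 'action block', and an in/out selector that has no ESP template behind it (a bypass or non-ESP policy sitting next to the tunnel policies). The sample records are constructed and use documentation address ranges; the function and finding labels (BLOCK, NO-ESP) are this example's own naming. It reports what is present, not where an entry came from; running it from cron and diffing successive outputs is one way to catch the moment such policies appear.

```sh
#!/bin/sh
# Added example, not code from the original post or from Openswan/iproute2.
# 'ip xfrm policy' prints one record per selector: an unindented
# "src ... dst ..." line, then indented attribute lines (dir/action,
# tmpl, and the template's "proto esp ..." line). This parser flags:
#   BLOCK  - a selector whose action is block
#   NO-ESP - an in/out selector with no ESP template (bypass or non-ESP)
# Forwarding (fwd) and per-socket policies are left alone.

audit_xfrm_policies() {
    awk '
    # Print any finding for the record collected so far, then reset state.
    function flush() {
        if (sel == "") return
        if (action == "block")
            print "BLOCK  " sel " (" dir ")"
        else if ((dir == "in" || dir == "out") && !socket && tmplproto != "esp")
            print "NO-ESP " sel " (" dir ", tmpl proto=" (tmplproto == "" ? "none" : tmplproto) ")"
        sel = ""; dir = ""; action = ""; tmplproto = ""; socket = 0
    }
    # A new record starts with an unindented selector line.
    /^src / { flush(); sel = $0; sub(/[ \t]+$/, "", sel); next }
    # "dir out action block priority ..." or "socket in priority ..."
    /^[ \t]+(dir|socket) / {
        for (i = 1; i <= NF; i++) {
            if ($i == "dir")    dir = $(i + 1)
            if ($i == "socket") { socket = 1; dir = $(i + 1) }
            if ($i == "action") action = $(i + 1)
        }
        next
    }
    # Template attribute line: "proto esp reqid N mode tunnel"
    /^[ \t]+proto / { for (i = 1; i <= NF; i++) if ($i == "proto") tmplproto = $(i + 1); next }
    END { flush() }
    '
}

# Constructed sample in the layout 'ip xfrm policy' uses: three correct
# tunnel policies, one block policy, one bare tcp policy, one socket policy.
sample_policy() {
    cat <<'EOF'
src 10.1.0.0/24 dst 10.2.0.0/24
	dir out priority 2344 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir fwd priority 2344 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir in priority 2344 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16389 mode tunnel
src 10.1.0.0/24 dst 10.2.0.0/24 proto tcp dport 443
	dir out action block priority 1000 ptype main
src 10.1.0.5/32 dst 10.2.0.9/32 proto tcp
	dir out priority 1000 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
EOF
}

# Live use (needs iproute2 and, typically, root):
#   ip xfrm policy | audit_xfrm_policies
audit_live_policies() {
    ip xfrm policy | audit_xfrm_policies
}

# Run against the constructed sample; prints one BLOCK and one NO-ESP line.
sample_policy | audit_xfrm_policies
```

The NO-ESP check is deliberately broad: a deliberate passthrough/bypass policy will also be listed, so compare the findings against the connections you expect rather than treating every line as a fault.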
