netdev

Re: Problem with IPSEC tunnel mode

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: Problem with IPSEC tunnel mode
From: Wolfgang Walter <wolfgang.walter@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 21 Apr 2005 16:40:16 +0200
Cc: netdev@xxxxxxxxxxx
In-reply-to: <E1DObFc-0000je-00@gondolin.me.apana.org.au>
Organization: Studentenwerk München
References: <E1DObFc-0000je-00@gondolin.me.apana.org.au>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: KMail/1.7.2
On Thursday, 21 April 2005 14:57, Herbert Xu wrote:
> Wolfgang Walter <wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> wrote:
> > 5. then it disappears (it is NOT dropped by iptables)
> >   especially it is not seen in FORWARD (mangle-table).
> >
> > The route to E on C is a host route via 10.148.15.10.
>
> Please show us the output of "ip ru" and "ip ro".
>

ip ru

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

> > src 10.148.4.0/28 dst 10.0.25.210/32
> >        dir in priority 2084
> >        tmpl    src 192.168.9.237 dst 192.168.77.161
> >                proto esp spi 0x00000000 reqid 16465 mode tunnel
> >
> > src 10.148.4.0/28 dst 10.0.25.210/32
> >        dir out priority 0
> >
> > src 10.148.4.0/28 dst 10.0.25.210/32
> >        dir fwd priority 2084
> >        tmpl    src 192.168.9.237 dst 192.168.77.161
> >                proto esp spi 0x00000000 reqid 16465 mode tunnel
>
> Please attach the complete output of "ip x p".

Is attached.

>
> > Interestingly, the original scenario works fine when we use kernel
> > 2.6.7-rc1 instead of 2.6.11.7 and setkey from ipsec-tools 0.3.3. In this
> > case there are
>
> What if you use the new ipsec-tools against the old kernel?

I can try that but can do that only Friday evening. Do you expect any
difference?

We used ip x p to look at the rules generated with setkey on that old system.
Actually, setkey could not display these policies (too many rules). The
output of ip x p is identical to the above, only no fwd rule at all and all
rules have the same priority (the order is the same, though).

>
> Cheers,

Thanks,

-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
Leopoldstraße 15
80802 München

Attachment: 01_mail_ro
Description: Text document

Attachment: 01_mail_spd
Description: Text document
