Re: Problem with IPSEC tunnel mode

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: Problem with IPSEC tunnel mode
From: Wolfgang Walter <wolfgang.walter@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 22 Apr 2005 02:40:31 +0200
Cc: netdev@xxxxxxxxxxx
In-reply-to: <20050421214618.GA29991@xxxxxxxxxxxxxxxxxxx>
Organization: Studentenwerk München
References: <E1DObFc-0000je-00@xxxxxxxxxxxxxxxxxxxxxxxx> <200504211640.16742.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> <20050421214618.GA29991@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: KMail/1.7.2
On Thursday, 21 April 2005 23:46, you wrote:
> On Thu, Apr 21, 2005 at 04:40:16PM +0200, Wolfgang Walter wrote:
> > 10.148.0.0/23 dev eth2.1001  scope link  src 10.148.0.1
> > 10.148.32.0/20 via 10.148.15.30 dev eth0.1014  src 10.148.15.29
> > default via 192.168.77.162 dev eth3  src 192.168.77.161
>
> Although you probably have rp_filter turned, but please check
>
> cat /proc/sys/net/ipv4/conf/eth3/rp_filter
>
> anyway.
>
> > src 10.148.0.0/23 dst 10.0.25.210/32
> >  dir fwd priority 0
>
> There you go.  This policy trumps your other policy.  This one
> says that forwarded traffic matching it must carry no tunnel
> IPsec transforms.  Therefore all IPsec packets matching it will
> be dropped.

I don't understand that. 10.148.0.0/23 is 10.148.0.0-10.148.1.255, isn't it? 
But 10.148.4.0/28 (is 10.148.4.0-10.148.4.15) is not within it.

>
> > src 10.148.4.0/28 dst 10.0.25.210/32
> >  dir fwd priority 2084
> >  tmpl src 192.168.9.237 dst 192.168.77.161
> >   proto esp spi 0x00000000 reqid 16465 mode tunnel
>
> The reason it worked with the old setkey and 2.6.7* is that all
> forwarded traffic would've been allowed, regardless of whether
> they matched the IPsec policy or not.
>
> Cheers,

Greetings,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
Leopoldstraße 15
80802 München
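The policy lookup the thread is arguing about, as an added example that is not part of the original mail: it parses the two `ip xfrm policy` entries quoted above and selects the matching `fwd` policy the way the kernel does (lowest numeric priority wins, and a policy with no `tmpl` means the traffic must carry no IPsec transforms). The source addresses used in the lookups are constructed test values.

```python
import ipaddress
import re

# The two forwarding policies quoted in the thread (constructed copy of the output).
POLICIES = """\
src 10.148.0.0/23 dst 10.0.25.210/32
 dir fwd priority 0
src 10.148.4.0/28 dst 10.0.25.210/32
 dir fwd priority 2084
 tmpl src 192.168.9.237 dst 192.168.77.161
  proto esp spi 0x00000000 reqid 16465 mode tunnel
"""


def parse_policies(text):
    """Parse `ip xfrm policy` style output into a list of policy dicts."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # a new policy selector
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "tmpls": []})
            continue
        m = re.match(r"dir (\w+) priority (\d+)", line)
        if m:
            policies[-1]["dir"] = m.group(1)
            policies[-1]["priority"] = int(m.group(2))
            continue
        m = re.match(r"tmpl src (\S+) dst (\S+)", line)
        if m:  # template: traffic must be wrapped in an SA between these endpoints
            policies[-1]["tmpls"].append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = re.match(r"proto (\w+) .* mode (\w+)", line)
        if m and policies[-1]["tmpls"]:  # details of the preceding tmpl line
            policies[-1]["tmpls"][-1].update(proto=m.group(1), mode=m.group(2))
    return policies


def lookup(policies, src_ip, dst_ip, direction="fwd"):
    """Return the matching policy with the lowest priority value, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(matches, key=lambda p: p["priority"]) if matches else None


def required_transform(policy):
    """'clear' for a template-less policy, otherwise e.g. 'esp/tunnel'."""
    if policy is None or not policy["tmpls"]:
        return "clear"
    t = policy["tmpls"][0]
    return f"{t['proto']}/{t['mode']}"
```

A source inside 10.148.4.0/28 resolves to the priority-2084 tunnel policy, while one inside 10.148.0.0/23 resolves to the priority-0 clear policy; the two selectors do not overlap, which is the point the reply makes.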