* Linux kernel IPSec processing when acting as gateway
@ 2011-11-17 16:53 Prashant Batra
  2011-11-18 20:37 ` Andrew Beverley
  0 siblings, 1 reply; 2+ messages in thread
From: Prashant Batra @ 2011-11-17 16:53 UTC (permalink / raw)
  To: netfilter

Hello,

One basic question related to IPSec processing on a gateway.
I have established IPSec tunnels between two gateways (gw1 and gw2). On
gw1 I am using Linux kernel IPSec (a normal Linux server which will
act as the gateway).
The SPD and SAD databases on gw1 are:

gw1#ip xfrm policy
src 172.16.80.1/32 dst 0.0.0.0/0
       dir fwd priority 1024
       tmpl    src 198.168.68.2 dst 192.168.101.101
               proto esp spi 0x00000000 reqid 0 mode tunnel

src 0.0.0.0/0 dst 172.16.80.1/32
       dir fwd priority 1024
       tmpl    src 192.168.101.101 dst 198.168.68.2
               proto esp spi 0x00000000 reqid 0 mode tunnel

src 172.16.80.1/32 dst 0.0.0.0/0
       dir out priority 1024
       tmpl    src 198.168.68.2 dst 192.168.101.101
               proto esp spi 0x00000000 reqid 0 mode tunnel

src 0.0.0.0/0 dst 172.16.80.1/32
       dir in priority 1024
       tmpl    src 192.168.101.101 dst 198.168.68.2
               proto esp spi 0x00000000 reqid 0 mode tunnel

gw1#ip xfrm state
src 198.168.68.2 dst 192.168.101.101
       proto esp spi 0x010000b8 reqid 0 mode tunnel
       replay-window 32
       auth hmac(sha1) 0x00c530455c9b7a4f3ed3824220a4c05e8b5edf97
       enc cbc(aes) 0x03d8c8ac752c2a9c4745f1a25a9f7da9
       sel src 172.16.80.1/32 dst 0.0.0.0/0
src 192.168.101.101 dst 198.168.68.2
       proto esp spi 0x00007aa1 reqid 0 mode tunnel
       replay-window 32
       auth hmac(sha1) 0x8d05b76456c9a52b51b6193f01c48a2fc27ada48
       enc cbc(aes) 0x75d062288ccb7355b0b8358f83323dd9
       sel src 0.0.0.0/0 dst 172.16.80.1/32

Now I am trying to send data from host1 (behind gw1) 172.16.80.1 to
host2 172.16.60.1, which is behind gw2. But gw1 IPSec is not
processing the packets:

host1#ping 172.16.60.1 -I 172.16.80.1

gw1#tcpdump -i eth1
13:58:03.648171 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 1  - plain icmp packets
13:58:04.647301 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 2
13:58:05.647116 IP 172.16.80.1 > 172.16.60.1: icmp 64: echo request seq 3

Please correct me if my understanding is wrong.

Also, if the question is not appropriate for this list, please point
me to the correct mailing list for Linux kernel IPSec.

Thanks,
Prashant

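An added example, not part of the thread and not kernel or iproute2 code: a small Python checker that parses `ip xfrm policy` and `ip xfrm state` listings in the format shown in the post and cross-checks them the way the kernel's template lookup does (same tunnel endpoints, protocol and mode; a template `reqid 0` acts as a wildcard). The embedded inputs are the gw1 listings from the post, with the key material left out because the parser ignores those lines anyway. Function names and the finding strings are my own.

```python
"""Cross-check an `ip xfrm policy` listing against `ip xfrm state`.

Added example, not from the thread: the parsers target the exact output
format shown in the post, and the inputs below are copied from it.
"""
import re
from collections import defaultdict

# Constructed input: the SPD listing exactly as posted for gw1.
POLICY_OUTPUT = """\
src 172.16.80.1/32 dst 0.0.0.0/0
       dir fwd priority 1024
       tmpl    src 198.168.68.2 dst 192.168.101.101
               proto esp spi 0x00000000 reqid 0 mode tunnel

src 0.0.0.0/0 dst 172.16.80.1/32
       dir fwd priority 1024
       tmpl    src 192.168.101.101 dst 198.168.68.2
               proto esp spi 0x00000000 reqid 0 mode tunnel

src 172.16.80.1/32 dst 0.0.0.0/0
       dir out priority 1024
       tmpl    src 198.168.68.2 dst 192.168.101.101
               proto esp spi 0x00000000 reqid 0 mode tunnel

src 0.0.0.0/0 dst 172.16.80.1/32
       dir in priority 1024
       tmpl    src 192.168.101.101 dst 198.168.68.2
               proto esp spi 0x00000000 reqid 0 mode tunnel
"""

# Constructed input: the SAD listing as posted, auth/enc key lines omitted.
STATE_OUTPUT = """\
src 198.168.68.2 dst 192.168.101.101
       proto esp spi 0x010000b8 reqid 0 mode tunnel
       replay-window 32
       sel src 172.16.80.1/32 dst 0.0.0.0/0
src 192.168.101.101 dst 198.168.68.2
       proto esp spi 0x00007aa1 reqid 0 mode tunnel
       replay-window 32
       sel src 0.0.0.0/0 dst 172.16.80.1/32
"""

SRC_DST = re.compile(r"^src (\S+) dst (\S+)")
DIR = re.compile(r"^dir (\w+) priority (\d+)")
TMPL = re.compile(r"^tmpl\s+src (\S+) dst (\S+)")
PROTO = re.compile(r"^proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")
SEL = re.compile(r"^sel src (\S+) dst (\S+)")


def parse_xfrm_output(text):
    """A line starting with 'src' opens a new entry (policy selector or SA
    endpoints); the indented lines that follow fill it in."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SRC_DST.match(line)):
            cur = {"src": m[1], "dst": m[2]}
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := DIR.match(line)):
            cur["dir"], cur["priority"] = m[1], int(m[2])
        elif (m := TMPL.match(line)):
            cur["tmpl"] = (m[1], m[2])
        elif (m := PROTO.match(line)):
            cur.update(proto=m[1], spi=int(m[2], 16), reqid=int(m[3]), mode=m[4])
        elif (m := SEL.match(line)):
            cur["sel"] = (m[1], m[2])
        # replay-window / auth / enc lines are skipped on purpose
    return entries


def check(policies, states):
    """Return a list of findings; an empty list means SPD and SAD agree."""
    findings = []
    for p in policies:
        psel = (p["src"], p["dst"])
        # Template lookup: endpoints, proto and mode must match; reqid 0 is a wildcard.
        sas = [s for s in states
               if (s["src"], s["dst"]) == p["tmpl"]
               and s["proto"] == p["proto"] and s["mode"] == p["mode"]
               and (p["reqid"] == 0 or p["reqid"] == s["reqid"])]
        if not sas:
            findings.append(f"{p['dir']} policy {psel}: no SA for template {p['tmpl']}")
            continue
        # An SA that carries its own selector must cover the policy selector.
        if not any("sel" not in s or s["sel"] == psel for s in sas):
            findings.append(f"{p['dir']} policy {psel}: SA selector does not match")
    # Encapsulation on egress is driven by the 'out' policy; 'fwd' only checks
    # forwarded packets. A selector with nothing but 'fwd' cannot send traffic.
    dirs = defaultdict(set)
    for p in policies:
        dirs[(p["src"], p["dst"])].add(p["dir"])
    for sel, d in dirs.items():
        if not d & {"in", "out"}:
            findings.append(f"selector {sel}: only {sorted(d)} policy, no in/out")
    for s in states:
        if s["spi"] == 0:
            findings.append(f"SA {s['src']}->{s['dst']}: spi 0, not a negotiated SA")
    return findings


if __name__ == "__main__":
    result = check(parse_xfrm_output(POLICY_OUTPUT), parse_xfrm_output(STATE_OUTPUT))
    print("\n".join(result) or "SPD and SAD are consistent")
```

Run against the listings from the post it reports no findings, so the SPD/SAD pairing itself is not where to look first. Two things to verify next on the gateway: which side of the box eth1 is (a capture on the LAN-facing interface shows the cleartext ICMP by design, since ESP encapsulation happens on the way out toward 192.168.101.101, so capture there with `tcpdump -i <wan-if> esp`), and whether the SA counters move at all (`ip -s xfrm state` shows per-SA byte and packet counts).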

* Re: Linux kernel IPSec processing when acting as gateway
  2011-11-17 16:53 Linux kernel IPSec processing when acting as gateway Prashant Batra
@ 2011-11-18 20:37 ` Andrew Beverley
  0 siblings, 0 replies; 2+ messages in thread
From: Andrew Beverley @ 2011-11-18 20:37 UTC (permalink / raw)
  To: Prashant Batra; +Cc: netfilter

On Thu, 2011-11-17 at 22:23 +0530, Prashant Batra wrote:
> Also, if the question is not appropriate for this list, please point
> me to the correct mailing list for Linux kernel IPSec.

You could try the net-dev mailing list.

Andy
