[Openswan Users] Openswan: ip xfrm policy shows different data than /etc/ipsec.conf
Ian Brown
2008-01-31 10:09:20 UTC
Hello,

I am running on Fedora Core 8 with openswan-2.4.9-2
(from openswan-2.4.9-2.fc8 rpm).

I have two connections defined in /etc/ipsec.conf:
conn linux-to-linux-1
    left=10.0.0.1
    leftrsasigkey=0sAQNwbr3H8CuBBm+2r12iYh3n6i...
    right=10.1.0.2
    rightrsasigkey=0sAQNwbr3H8CuBBm+2r12iYh3n6iUE...
    type=tunnel
    auto=start
    auth=esp

conn linux-to-linux-2
    left=10.0.0.1
    leftrsasigkey=0sAQNwbr3H8CuBBm+2r12iYh3n6iUEGbU5rP...
    right=10.1.0.3
    rightrsasigkey=0sAQNwbr3H8CuBBm+2r12iYh3n6iUEGbU5rPXS...
    type=tunnel
    auto=start
    auth=ah

As you can see, the only difference besides the connection name is the auth type
(esp in the first and ah in the second) and the IP of the right side.

After I start the ipsec service, I run:

ip xfrm policy show
and I get:

src 10.0.0.1/32 dst 10.1.0.3/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 10.0.0.1/32 dst 10.1.0.2/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src ::/0 dst ::/0
    dir in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 0 ptype main
...
...
...

My question is: why do we see "proto esp" in both policies, whereas
I have "auth=ah" in the second?
Why do we see "mode transport" in both "tmpl" (template) lines of these
two policies, whereas I have "type=tunnel" in both connections in this
/etc/ipsec.conf file?
Regards,
Ian
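One way to check mechanically whether the policies the kernel actually installed match what ipsec.conf asked for: the script below is an added example, not code from the original thread or from Openswan. It parses the `ip xfrm policy show` dump quoted above (embedded as a constructed sample), and for each conn compares the outbound policy's template proto/mode against the conn's auth= and type=. It assumes host-to-host conns (no leftsubnet/rightsubnet), so the kernel selectors are the /32 host addresses.

```python
import re
# Constructed sample: the (abridged) `ip xfrm policy show` dump from the post.
XFRM_POLICY = """\
src 10.0.0.1/32 dst 10.1.0.3/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 10.0.0.1/32 dst 10.1.0.2/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src ::/0 dst ::/0
    dir in priority 0 ptype main
"""
# What the two conns in the post's ipsec.conf ask for (host-to-host, no subnets).
CONNS = {
    "linux-to-linux-1": {"left": "10.0.0.1", "right": "10.1.0.2", "auth": "esp", "type": "tunnel"},
    "linux-to-linux-2": {"left": "10.0.0.1", "right": "10.1.0.3", "auth": "ah", "type": "tunnel"},
}

def parse_xfrm_policies(text):
    """Parse the dump into dicts with src, dst, dir and tmpl=[(proto, mode)]."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", line):   # start of a policy block
            cur = {"src": m[1], "dst": m[2], "dir": None, "tmpl": []}
            policies.append(cur)
        elif cur and (m := re.match(r"dir (\w+)", line)):
            cur["dir"] = m[1]
        elif cur and (m := re.match(r"proto (\w+) reqid \d+ mode (\w+)", line)):
            cur["tmpl"].append((m[1], m[2]))              # template under "tmpl"
    return policies

def check_conns(conns, policies):
    """Return {conn: [mismatch strings]}; an empty list means kernel == config."""
    report = {}
    for name, c in conns.items():
        want_src, want_dst = c["left"] + "/32", c["right"] + "/32"
        hits = [p for p in policies
                if p["dir"] == "out" and p["src"] == want_src and p["dst"] == want_dst]
        problems = [] if hits else ["no outbound policy installed"]
        for proto, mode in (hits[0]["tmpl"] if hits else []):
            if proto != c["auth"]:    # e.g. kernel says esp, conf says auth=ah
                problems.append(f"proto {proto} != auth={c['auth']}")
            if mode != c["type"]:     # e.g. kernel says transport, conf says tunnel
                problems.append(f"mode {mode} != type={c['type']}")
        report[name] = problems
    return report
```

Run against the sample, both conns are flagged for mode and linux-to-linux-2 additionally for proto, which is exactly the discrepancy the post asks about.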
Witold Golab
2008-01-31 10:29:54 UTC
Post by Ian Brown
Hello,
...
...
...
Why do we see "mode transport" in both "tmpl" (template) lines of these
two policies, whereas I have "type=tunnel" in both connections in this
/etc/ipsec.conf file?
I might be wrong, but if you have a host-to-host connection, it'll always be in
transport mode (tunnel mode is for a VPN through a WAN).


Best Regards
Witold Golab
Ian Brown
2008-01-31 12:26:15 UTC
Witold,
Yes, as a rule you are right.
A host-to-host connection is in transport mode.

Any ideas if I can simulate tunnel mode on a local network somehow?
(So that two machines will connect in tunnel mode with IPsec.)

I can change the ipsec.conf and set IP addresses on different subnets, etc.

Regards,
Ian
Post by Witold Golab
Post by Ian Brown
Hello,
...
...
...
Why do we see "mode transport" in both "tmpl" (template) lines of these
two policies, whereas I have "type=tunnel" in both connections in this
/etc/ipsec.conf file?
I might be wrong, but if you have a host-to-host connection, it'll always be in
transport mode (tunnel mode is for a VPN through a WAN).
Best Regards
Witold Golab
_______________________________________________
http://lists.openswan.org/mailman/listinfo/users
Ian Brown
2008-02-03 12:28:25 UTC
Hello,

Thanks !

I tried it, unfortunately without success.

I had set tun to 172.16.0.1 on one machine.
I had set tun to 172.17.0.1 on the second machine.

I get on one machine:
Feb 3 14:21:24 machine1 ipsec_setup: ...Openswan IPsec started
Feb 3 14:21:24 machine1 ipsec__plutorun: 104 "linux-to-linux-1" #1:
STATE_MAIN_I1: initiate
Feb 3 14:21:24 machine1 ipsec__plutorun: ...could not start conn
"linux-to-linux-1"

and on the second
Feb 3 14:19:44 machine2 ipsec__plutorun: 104 "linux-to-linux-1" #1:
STATE_MAIN_I1: initiate
Feb 3 14:19:44 machine2 ipsec__plutorun: ...could not start conn
"linux-to-linux-1"

The ipsec.conf I have on both machines is:

config setup
    nat_traversal=yes

include /etc/ipsec.d/*.conf


conn linux-to-linux-1
    leftrsasigkey=0sAQNwbr3H8CuBBm+2r12iY...
    rightrsasigkey=0sAQNwbr3H8CuBBm+2r12i...
    type=tunnel
    auto=start
    auth=esp
    left=172.16.0.1
    right=172.17.0.1
    leftsubnet=172.16.0.0/24
    rightsubnet=172.17.0.0/24

And "service ipsec status" shows:
IPsec running - pluto pid: #pid
pluto pid
No tunnels up

on both machines.

ifconfig tun shows that the tun interface is up on both machines.

Any ideas what went wrong here?

Regards,
Ian
On Thursday, 31 January 2008, in the thread "Re: [Openswan Users] Openswan: ip
Post by Ian Brown
Witold ,
Yes, as a rule you are right.
Host to host connection is in transport mode.
Any ideas if I can simulate tunnel mode on a local network somehow ?
(So that two machines will connect in tunnel mode with IPsec)
Try adding tuntap or gre or whatever (virtual) interfaces on both sides:
tun0 172.16.0.1/24
    leftsubnet=172.16.0.0/24
    rightsubnet=172.17.0.0/24
tun0 172.17.0.1/24
    leftsubnet=172.17.0.0/24
Paul Wouters
2008-02-03 18:00:48 UTC
Post by Ian Brown
I tried it, unfortunately without success.
I had set tun to 172.16.0.1 on one machine.
I had set tun to 172.17.0.1 on the second machine.
Feb 3 14:21:24 machine1 ipsec_setup: ...Openswan IPsec started
STATE_MAIN_I1: initiate
Feb 3 14:21:24 machine1 ipsec__plutorun: ...could not start conn
"linux-to-linux-1"
and on the second
STATE_MAIN_I1: initiate
Feb 3 14:19:44 machine2 ipsec__plutorun: ...could not start conn
"linux-to-linux-1"
These are not the complete logs. Please look for more messages in your logfiles.

Paul

Paul Wouters
2008-01-31 11:14:14 UTC
Post by Ian Brown
type=tunnel
auth=esp
type=tunnel
auth=ah
As you can see, the only difference besides the connection name is the auth type
(esp in the first and ah in the second) and the IP of the right side.
ip xfrm policy show
src 10.0.0.1/32 dst 10.1.0.3/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 10.0.0.1/32 dst 10.1.0.2/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src ::/0 dst ::/0
    dir in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 0 ptype main
...
...
...
My question is: why do we see "proto esp" in both policies, whereas
I have "auth=ah" in the second?
Why do we see "mode transport" in both "tmpl" (template) lines of these
two policies, whereas I have "type=tunnel" in both connections in this
/etc/ipsec.conf file?
I know the "transport" issue happened with earlier Openswan versions. Can you
try and build 2.4.11 (there is a spec file in packaging/fedora/ to build
rpms)?

AH mode (as well as manual keying) is not very well tested or maintained,
because no one (including the developers) ever uses these modes.

Paul