[Cialug] IPSec VPN not passing traffic

Zachary Kotlarek zach at kotlarek.com
Tue Sep 7 14:56:43 CDT 2010


On Sep 7, 2010, at 12:34 PM, Jonathan C. Bailey wrote:

> From what I understand, IPSec on linux doesn't have any sort of "pseudo-interface" to pass traffic on (I'm used to OpenVPN myself..).



That's correct if you're using NETKEY. If you're using KLIPS there's an ipsec0 interface. The two are interoperable between systems but on any given host you can only use one or the other; NETKEY is newer and more flexible, though sometimes more difficult to use since it lives outside the normal routing systems.

If you've got a /proc/net/ipsec_version file you're using KLIPS. If you've got a /proc/net/pfkey or an af_key module loaded you're using NETKEY.


--

If you're using KLIPS you need regular routes to push traffic into the tunnel device. You can route anything via the tunnel using the routing tables, though only traffic that actually matches the tunnel parameters will actually be transmitted.

If you're using NETKEY the XFRM system is used to select packets for encryption. You can check the current list of transforms with:
	ip xfrm state

That should print out entries that look something like this:
	src 74.82.202.105 dst 67.224.78.49
		proto esp spi 0xa8724de reqid 16401 mode tunnel
		replay-window 32 
		auth hmac(sha1) 0x59403421a277f5eafbf974ade68b4c117fa5a05
		enc cbc(aes) 0x80ec40741557699e9cbab5ce264b3ab
		sel src 0.0.0.0/0 dst 0.0.0.0/0
And you should have one such entry for each leg of each network segment that's configured for tunneling.

	Zach
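As an added example (not code from Zach's post or from either IPsec stack): a small Python parser for the `ip xfrm state` layout shown above, plus a check for the "one entry per leg" point, i.e. that every endpoint pair has an ESP SA in each direction. The sample output is constructed; its addresses and SPIs are made up and the key values are placeholders.

```python
import re
from collections import namedtuple

# Constructed sample in the `ip xfrm state` layout quoted above (made-up addresses/SPIs, placeholder keys).
SAMPLE_XFRM_STATE = """\
src 192.0.2.10 dst 198.51.100.20
\tproto esp spi 0x0a8724de reqid 16401 mode tunnel
\tauth hmac(sha1) 0xKEYPLACEHOLDER
\tenc cbc(aes) 0xKEYPLACEHOLDER
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.20 dst 192.0.2.10
\tproto esp spi 0x0b1c2d3e reqid 16401 mode tunnel
\tauth hmac(sha1) 0xKEYPLACEHOLDER
\tenc cbc(aes) 0xKEYPLACEHOLDER
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.0.2.10 dst 203.0.113.30
\tproto esp spi 0x0c0ffee0 reqid 16402 mode tunnel
\tauth hmac(sha1) 0xKEYPLACEHOLDER
\tenc cbc(aes) 0xKEYPLACEHOLDER
\tsel src 10.1.0.0/16 dst 10.2.0.0/16
"""

SA = namedtuple("SA", "src dst proto spi reqid mode sel_src sel_dst")

def parse_xfrm_state(text):
    """Turn `ip xfrm state` output into SA records, one per unindented 'src ... dst ...' block."""
    sas = []
    for block in filter(str.strip, re.split(r"^(?=src )", text, flags=re.M)):
        cur = dict.fromkeys(SA._fields)
        for f in map(str.split, block.splitlines()):
            if not f:
                continue
            if f[0] == "src":            # src A dst B
                cur.update(src=f[1], dst=f[3])
            elif f[0] == "proto":        # proto esp spi 0x.. reqid N mode tunnel
                cur.update(zip(f[::2], f[1::2]))
            elif f[0] == "sel":          # sel src A/len dst B/len
                kv = dict(zip(f[1::2], f[2::2]))
                cur.update(sel_src=kv.get("src"), sel_dst=kv.get("dst"))
        sas.append(SA(**cur))
    return sas

def unpaired_legs(sas):
    """Endpoint pairs with an ESP SA in one direction only; a tunnel needs one SA per direction."""
    pairs = {(s.src, s.dst) for s in sas if s.proto == "esp"}
    return sorted(p for p in pairs if (p[1], p[0]) not in pairs)
```

On a live host, feed it `subprocess.check_output(["ip", "xfrm", "state"], text=True)` instead of the sample; a non-empty result from `unpaired_legs` is the first thing to look at when one side of a tunnel sees traffic and the other does not.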
