[Cialug] IPSec VPN not passing traffic

Jonathan C. Bailey jbailey at co.marshall.ia.us
Tue Sep 7 17:32:55 CDT 2010


Ok.. I confirmed it's NETKEY in this case (on Ubuntu 10.04). ip xfrm state shows each side of the connection (client->server and server->client).

I did some more reading on NETKEY, and it seems that it's supposed to automagically do the routing, but nothing I find seems very clear on this...

-Jon


----- Original Message -----
From: "Zachary Kotlarek" <zach at kotlarek.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Tuesday, September 7, 2010 2:56:43 PM
Subject: Re: [Cialug] IPSec VPN not passing traffic


On Sep 7, 2010, at 12:34 PM, Jonathan C. Bailey wrote:

> From what I understand, IPSec on linux doesn't have any sort of "pseudo-interface" to pass traffic on (I'm used to OpenVPN myself..).
That's correct if you're using NETKEY. If you're using KLIPS there's an ipsec0 interface. The two are interoperable between systems but on any given host you can only use one or the other; NETKEY is newer and more flexible, though sometimes more difficult to use since it lives outside the normal routing systems.

If you've got a /proc/net/ipsec_version file you're using KLIPS. If you've got a /proc/net/pfkey or an af_key module loaded you're using NETKEY.


--

If you're using KLIPS you need regular routes to push traffic into the tunnel device. You can route anything via the tunnel using the routing tables, though only traffic that actually matches the tunnel parameters will actually be transmitted.

If you're using NETKEY the XFRM system is used to select packets for encryption. You can check the current list of transforms with:
	ip xfrm state

That should print out entries that look something like this:
	src 74.82.202.105 dst 67.224.78.49
		proto esp spi 0xa8724de reqid 16401 mode tunnel
		replay-window 32 
		auth hmac(sha1) 0x59403421a277f5eafbf974ade68b4c117fa5a05
		enc cbc(aes) 0x80ec40741557699e9cbab5ce264b3ab
		sel src 0.0.0.0/0 dst 0.0.0.0/0
And you should have one such entry for each leg of each network segment that's configured for tunneling.

	Zach
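Added example, not code from either poster or from any IPsec project: a POSIX shell script that applies the two checks from the thread on a Linux host. `ipsec_stack` classifies the stack with the /proc tests Zach lists (the optional root argument is an assumption made so the function can be exercised against a constructed /proc tree), and `xfrm_check_legs` parses `ip xfrm state` output and reports any SA whose return direction is missing, which is the first thing to look for when the tunnel shows state but passes no traffic. The sample output is constructed from the entry in the mail plus a reverse leg with a made-up SPI; the key material is a placeholder.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code): classify the IPsec
# stack via /proc, then sanity-check `ip xfrm state` output for paired SA legs.

# Print KLIPS, NETKEY or none. $1 is an optional alternate root (an
# assumption, so the function can be tested against a constructed /proc tree).
ipsec_stack() {
    root="${1:-}"
    if [ -e "$root/proc/net/ipsec_version" ]; then
        echo KLIPS
    elif [ -e "$root/proc/net/pfkey" ] || grep -q '^af_key ' "$root/proc/modules" 2>/dev/null; then
        echo NETKEY
    else
        echo none
    fi
}

# Summarise `ip xfrm state` text read on stdin as one line per SA:
# "SRC DST SPI MODE SEL_SRC SEL_DST". Matching on fields rather than columns
# tolerates the tab indentation the real output (and the mail) uses.
xfrm_summarise() {
    awk '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; spi = "?"; mode = "?" }
        $1 == "proto" {
            for (i = 1; i <= NF; i++) {
                if ($i == "spi")  spi  = $(i + 1)
                if ($i == "mode") mode = $(i + 1)
            }
        }
        $1 == "sel" { print src, dst, spi, mode, $3, $5 }
    '
}

# Every leg needs a return leg: for each (src,dst) SA there should be a
# (dst,src) SA. Prints the unmatched ones; exit status 1 if any are missing.
xfrm_check_legs() {
    xfrm_summarise | awk '
        { seen[$1 " " $2] = 1 }
        END {
            missing = 0
            for (k in seen) {
                split(k, p, " ")
                if (!((p[2] " " p[1]) in seen)) {
                    print "no return SA for " k
                    missing++
                }
            }
            exit (missing > 0)
        }
    '
}

# Constructed sample: the entry from the mail plus a reverse leg with a
# made-up SPI; 0xPLACEHOLDER stands in for real key material.
SAMPLE_XFRM='src 74.82.202.105 dst 67.224.78.49
    proto esp spi 0xa8724de reqid 16401 mode tunnel
    replay-window 32
    auth hmac(sha1) 0xPLACEHOLDER
    enc cbc(aes) 0xPLACEHOLDER
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 67.224.78.49 dst 74.82.202.105
    proto esp spi 0x0c3f2a1 reqid 16401 mode tunnel
    replay-window 32
    auth hmac(sha1) 0xPLACEHOLDER
    enc cbc(aes) 0xPLACEHOLDER
    sel src 0.0.0.0/0 dst 0.0.0.0/0'

echo "IPsec stack on this host: $(ipsec_stack)"
printf '%s\n' "$SAMPLE_XFRM" | xfrm_summarise
printf '%s\n' "$SAMPLE_XFRM" | xfrm_check_legs && echo "all legs paired"
```

On a live host replace the sample with `ip xfrm state | xfrm_check_legs`. A missing return leg means the peer's outbound SA never got installed here (or expired and was not renegotiated); if both legs are present but traffic still does not flow, the next thing to compare is the `sel` selectors against the addresses actually being sent, since NETKEY only encrypts packets that match them.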


_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug