I have a site-to-site VPN from 10.132.2.0/24 to 10.132.1.0/24. The problem I am facing is that the packets from the VPN are forwarded to the LAN, as I can see them on the LAN server, but packets from the LAN are not forwarded to 10.132.2.0/24; they are eaten. I cannot see them with ip xfrm monitor, and tshark on the machine's egress shows that no ESP or any other kind of packets are being sent. Yet I can ping the remote network from the internal gateway.
Topology:
10.132.2.0/24 (remote network)
|
internet
|
10.132.1.1/24 (internal gateway address)
|
10.132.1.2/24 (LAN server)
So. Any ideas what I am missing here?
~# setkey -DP
(per-socket policy)
Policy:[Invalid direciton]
created: Nov 11 10:40:08 2011 lastused: Nov 11 10:40:20 2011
lifetime: 0(s) validtime: 0(s)
spid=828 seq=1 pid=19622
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Nov 11 10:40:08 2011 lastused: Nov 11 10:40:20 2011
lifetime: 0(s) validtime: 0(s)
spid=819 seq=2 pid=19622
refcnt=1
10.132.2.0/24[any] 10.132.3.0/24[any] any
fwd prio def ipsec
esp/tunnel/192.194.49.60-178.251.144.164/require
created: Nov 11 10:40:05 2011 lastused:
lifetime: 0(s) validtime: 0(s)
spid=810 seq=3 pid=19622
refcnt=1
10.132.2.0/24[any] 10.132.3.0/24[any] any
in prio def ipsec
esp/tunnel/192.194.49.60-178.251.144.164/require
created: Nov 11 10:40:05 2011 lastused:
lifetime: 0(s) validtime: 0(s)
spid=800 seq=4 pid=19622
refcnt=1
10.132.3.0/24[any] 10.132.2.0/24[any] any
fwd prio def ipsec
esp/tunnel/178.251.144.164-192.194.49.60/require
created: Nov 11 10:40:05 2011 lastused:
lifetime: 0(s) validtime: 0(s)
spid=794 seq=5 pid=19622
refcnt=1
10.132.3.0/24[any] 10.132.2.0/24[any] any
out prio def ipsec
esp/tunnel/178.251.144.164-192.194.49.60/require
created: Nov 11 10:40:05 2011 lastused:
lifetime: 0(s) validtime: 0(s)
spid=785 seq=6 pid=19622
refcnt=1
10.132.1.0/24[any] 10.132.2.0/24[any] any
fwd prio def ipsec
esp/tunnel/178.251.144.164-192.194.49.60/require
created: Nov 11 10:40:05 2011 lastused: Nov 11 10:46:56 2011
lifetime: 0(s) validtime: 0(s)
spid=778 seq=7 pid=19622
refcnt=3
10.132.1.0/24[any] 10.132.2.0/24[any] any
out prio def ipsec
esp/tunnel/178.251.144.164-192.194.49.60/require
created: Nov 11 10:40:05 2011 lastused: Nov 11 10:46:48 2011
lifetime: 0(s) validtime: 0(s)
spid=769 seq=8 pid=19622
refcnt=15
10.132.2.0/24[any] 10.132.1.0/24[any] any
fwd prio def ipsec
esp/tunnel/192.194.49.60-178.251.144.164/require
created: Nov 11 10:40:05 2011 lastused: Nov 11 10:46:56 2011
lifetime: 0(s) validtime: 0(s)
spid=762 seq=9 pid=19622
refcnt=3
10.132.2.0/24[any] 10.132.1.0/24[any] any
in prio def ipsec
esp/tunnel/192.194.49.60-178.251.144.164/require
created: Nov 11 10:40:05 2011 lastused: Nov 11 10:46:48 2011
lifetime: 0(s) validtime: 0(s)
spid=752 seq=0 pid=19622
refcnt=15
...and to answer my own question for the sake of someone else: the solution is to not set a fwd policy in setkey.conf (ipsec-tools.conf, or whatever it is called). Setting it yourself just makes things go wrong.