Opened 4 years ago

Closed 3 years ago

#15162 closed defect (duplicate)

ipsec-tools doesn't create fwd policy

Reported by: anonymous
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords:
Cc:

Description

Using r39638.
Found that ipsec-tools package version 0.8.1 doesn't create a forward policy, which is required for kernel >=2.6.41.
Without a fwd policy, packets can reach the vpn gw (10.0.168.1 in my setup), but can't travel beyond it into the local subnet 10.0.168.0/24.

root@OpenWrt-GALEN:~# setkey -DP
(per-socket policy)
        Policy:[Invalid direction]
        created: Mar  7 13:30:24 2014  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=44 seq=1 pid=2278
        refcnt=1
(per-socket policy)
        Policy:[Invalid direction]
        created: Mar  7 13:30:24 2014  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=35 seq=2 pid=2278
        refcnt=1
(per-socket policy)
        Policy:[Invalid direction]
        created: Mar  7 13:30:24 2014  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=28 seq=3 pid=2278
        refcnt=1
(per-socket policy)
        Policy:[Invalid direction]
        created: Mar  7 13:30:24 2014  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=19 seq=4 pid=2278
        refcnt=1
10.0.100.0/24[any] 10.0.168.0/24[any] 255
        in ipsec
        esp/tunnel/82.204.179.46-213.87.8.125/unique#16385
        created: Mar  7 13:30:24 2014  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=8 seq=5 pid=2278
        refcnt=1
10.0.168.0/24[any] 10.0.100.0/24[any] 255
        out ipsec
        esp/tunnel/213.87.8.125-82.204.179.46/unique#16384
        created: Mar  7 13:30:24 2014  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1 seq=0 pid=2278
        refcnt=1

Attempting to create it manually fails:

root@OpenWrt-GALEN:~# echo "spdadd 10.0.100.0 10.0.168.0 any -P fwd ipsec esp/tunnel/82.204.179.46-213.87.8.125/require;" | setkey -kc
warning: -r and -k options are not supported in this environment

Trying setkey without -k option:

root@OpenWrt-GALEN:~# echo "spdadd 10.0.100.0 10.0.168.0 any -P fwd ipsec esp/tunnel/82.204.179.46-213.87.8.125/require;" | setkey -c
File exists.
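
Added example (not part of the ticket or of ipsec-tools): a shell function that parses `setkey -DP` output like the dump above and lists every selector that has an "in ipsec" policy but no "fwd ipsec" policy. The function names and the sample data are constructed for illustration, and awk is assumed to be available on the device.

```sh
#!/bin/sh
# Added example, not from the ticket: report "in" IPsec policies in
# `setkey -DP` output that have no "fwd" policy with the same selector.

missing_fwd() {
    awk '
        /^\(/      { sel = ""; next }                 # per-socket policy block
        /^[^ \t]/  { sel = $1 " " $2 " " $3; next }   # selector: src dst proto
        sel != "" && $NF == "ipsec" && ($1 == "in" || $1 == "fwd") {
            if ($1 == "fwd") has_fwd[sel] = 1
            else if (!(sel in has_in)) { has_in[sel] = 1; order[++n] = sel }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in has_fwd)) print order[i]
        }
    '
}

# Constructed sample modelled on the dump in the ticket (in + out, no fwd).
sample_without_fwd() {
    cat <<'EOF'
(per-socket policy)
        Policy:[Invalid direction]
        spid=44 seq=1 pid=2278
10.0.100.0/24[any] 10.0.168.0/24[any] 255
        in ipsec
        esp/tunnel/82.204.179.46-213.87.8.125/unique#16385
        spid=8 seq=5 pid=2278
10.0.168.0/24[any] 10.0.100.0/24[any] 255
        out ipsec
        esp/tunnel/213.87.8.125-82.204.179.46/unique#16384
        spid=1 seq=0 pid=2278
EOF
}

# Same sample plus a constructed fwd entry (unique id and spid are made up).
sample_with_fwd() {
    sample_without_fwd
    cat <<'EOF'
10.0.100.0/24[any] 10.0.168.0/24[any] 255
        fwd ipsec
        esp/tunnel/82.204.179.46-213.87.8.125/unique#16386
        spid=18 seq=6 pid=2278
EOF
}

# Demo on the constructed sample; on the router use: setkey -DP | missing_fwd
sample_without_fwd | missing_fwd
```

An empty result means every inbound IPsec selector also has a forward policy; each printed line is a selector whose decrypted traffic can reach the gateway but will not be forwarded.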

Attachments (0)

Change History (2)

comment:1 Changed 4 years ago by anonymous

seems to be a duplicate of #14141

comment:2 Changed 3 years ago by nbd

  • Resolution set to duplicate
  • Status changed from new to closed
