-   Linux - Software (
-   -   IPsec on Debian Probable Routing Issue in Config File (

danmartinj 11-11-2009 11:40 AM

IPsec on Debian Probable Routing Issue in Config File
Hello Fellow Linux Users,
I was hoping someone could help me with a possible routing issue. I have a linux network setup like this: This network Does Work


current route setup example on host C:
Destination-- Gateway -- Genmask-- Flags Metric-- Ref Use Iface
localnet * U 0 0 0 eth0 * U 0 0 0 eth0 UG 0 0 0 eth0
default UG 0 0 0 eth0

Its 4 Debian machines on a single switch that is able to communicate via routing and a couple of virtual network interfaces.

I have got ipsec and openvpn to work all in basic client to client configurations or client to server. I cannot for the life of me get them to work in network to network configuration. My latest effort consists of ipsec-tools.conf on Host C

#!/usr/sbin/setkey -f
# SPD for gateway A (

#Security Policy Database Information
spdadd any -P out ipsec

spdadd any -P in ipsec

#Now Create the Kyes to be Used
# AH SAD entries with 160 bit keys
add ah 0x200 -A hmac-sha1 0x46915c30ed7e2465b42861b6ab19f2772813020c;
add ah 0x300 -A hmac-sha1 0xc4dac594f8228e0b94a54758f7fbf2fdf4e37f3e;

# ESP SAD entries with 192 bit keys
add esp 0x201 -E rijndael-cbc 0xa3993b3dfc41ef0a1aa8d168a8bf2c27e48249ac17b61e09;
add esp 0x301 -E rijndael-cbc 0x8f6498928ba354bd45cfad147f54c67b3b742896b3bafc02;

I have also tried to use: spdadd any -P fwd ipsec instead of out because of my current routing rules. I am pretty confused on this issue. I really believe its my routing thats killing me here. On Host B I have the exact configuration but is mirrored. If someone has any ideas I am all ears!! By the way the main tutorials I have been using are:



danmartinj 11-11-2009 02:09 PM

IPsec on Debian Probable Routing Issue in Config File
Hello again folks,
I just wanted to post the other ipsec-tools.conf that I have been using.

#!/usr/sbin/setkey -f

# Flush the SAD and SPD

# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
# and authentication using 128 bit long keys

#These are the nodes to be protected "internal LAN Routers"
add esp 0x201 -m tunnel -E 3des-cbc
-A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

#These are the nodes to be protected "internal LAN Routers"
add esp 0x301 -m tunnel -E 3des-cbc
-A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

# Security policies
#Packets using these source and destination addresses shall be protected
spdadd any -P out ipsec

spdadd any -P in ipsec

All times are GMT -5. The time now is 05:18 AM.