Hi

I want to check if my IPsec config is appropriate. I have two sections for two
interfaces in the same subnet. I would think the peer which has a clear section in
the same subnet in opportunistic mode would communicate in the clear. But I see
both interfaces successfully negotiate.

See below.
Node 1

conn private-or-clear
	type=transport
	auto=route
	ikev2=insist
	nic-offload=packet
	negotiationshunt=passthrough
	failureshunt=passthrough
	authby=null
	rightid=%null
	leftid=%null
	right=%opportunisticgroup
	left=10.106.2.33

conn clear
	type=passthrough
	authby=never
	left=10.106.2.34
	right=%group
	auto=route
Node 2

conn private-or-clear
	type=transport
	auto=route
	ikev2=insist
	nic-offload=packet
	negotiationshunt=passthrough
	failureshunt=passthrough
	authby=null
	rightid=%null
	leftid=%null
	right=%opportunisticgroup
	left=10.106.2.35

conn clear
	type=passthrough
	authby=never
	left=10.106.2.36
	right=%group
	auto=route
One would expect 33->35 successful and 34->35 oe-failing.
But instead clear doesn't make any difference.
# ip x s s
src 10.106.2.35 dst 10.106.2.34
	proto esp spi 0xf434ae77 reqid 16421 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0xacb918740fb18e98627f5dd264eb7df6f81934df34ad244b8a2245e29910ae622770eecb 128
	anti-replay esn context:
		seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
		replay_window 128, bitmap-length 4
		00000000 00000000 00000000 00000000
	crypto offload parameters: dev clre0 dir out mode packet
	sel src 10.106.2.35/32 dst 10.106.2.34/32
src 10.106.2.34 dst 10.106.2.35
	proto esp spi 0xd0259198 reqid 16421 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0x56a9e4f398d5c837726fbcb34504eeb658ae539b7020baf6ff810b34938c847d8159358d 128
	anti-replay esn context:
		seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
		replay_window 128, bitmap-length 4
		00000000 00000000 00000000 00000000
	crypto offload parameters: dev clre0 dir in mode packet
	sel src 10.106.2.34/32 dst 10.106.2.35/32
src 10.106.2.35 dst 10.106.2.33
	proto esp spi 0xd65f1844 reqid 16417 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0xab4f001e87337d75a826774e24c43161d6140f0646a368883bd45c6a9995c52a0d1dc303 128
	anti-replay esn context:
		seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
		replay_window 128, bitmap-length 4
		00000000 00000000 00000000 00000000
	crypto offload parameters: dev clre0 dir out mode packet
	sel src 10.106.2.35/32 dst 10.106.2.33/32
src 10.106.2.33 dst 10.106.2.35
	proto esp spi 0xee4d94fc reqid 16417 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0x92231b30eed51cb8d74934fde9427299581cb5d92f37557ad26cb6c509e6695997bf56cd 128
	anti-replay esn context:
		seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
		replay_window 128, bitmap-length 4
		00000000 00000000 00000000 00000000
	crypto offload parameters: dev clre0 dir in mode packet
	sel src 10.106.2.33/32 dst 10.106.2.35/32
Not sure what's wrong in my config here.

Thanks
Mamta
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
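The post's evidence is a raw `ip xfrm state` listing read by eye. The script below is an added example (not from the post and not part of Libreswan) that turns that reading into a repeatable check: it parses the text form of `ip xfrm state` into one record per SA and compares each address pair against a table of what the configuration was meant to produce, reporting pairs that have ESP SAs where clear traffic was expected (or none where encryption was expected, or SAs in only one direction). The sample listing is constructed from the one in the post with the key material replaced by a placeholder, and the `EXPECTED` table encodes the poster's stated expectation (33<->35 encrypted, 34<->35 clear); both are assumptions of the example, as is the `audit_live_host` helper that runs the same check on a real host.

```python
"""Check observed IPsec SAs against the clear/encrypt outcome you intended.

Added example, not from the mailing-list post or from Libreswan. Parses the
text output of `ip xfrm state` and flags address pairs whose observed state
differs from the expected one.
"""
import re
import subprocess

# Constructed sample modelled on the listing in the post: SPIs, reqids and
# selectors are the ones shown there; key material is a placeholder.
SAMPLE_XFRM_STATE = """\
src 10.106.2.35 dst 10.106.2.34
	proto esp spi 0xf434ae77 reqid 16421 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0xREDACTED 128
	crypto offload parameters: dev clre0 dir out mode packet
	sel src 10.106.2.35/32 dst 10.106.2.34/32
src 10.106.2.34 dst 10.106.2.35
	proto esp spi 0xd0259198 reqid 16421 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0xREDACTED 128
	crypto offload parameters: dev clre0 dir in mode packet
	sel src 10.106.2.34/32 dst 10.106.2.35/32
src 10.106.2.35 dst 10.106.2.33
	proto esp spi 0xd65f1844 reqid 16417 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0xREDACTED 128
	crypto offload parameters: dev clre0 dir out mode packet
	sel src 10.106.2.35/32 dst 10.106.2.33/32
src 10.106.2.33 dst 10.106.2.35
	proto esp spi 0xee4d94fc reqid 16417 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes))
		0xREDACTED 128
	crypto offload parameters: dev clre0 dir in mode packet
	sel src 10.106.2.33/32 dst 10.106.2.35/32
"""

# Assumed policy table for the example, taken from the poster's expectation:
# (local, remote) -> "encrypt" or "clear".
EXPECTED = {
    ("10.106.2.33", "10.106.2.35"): "encrypt",
    ("10.106.2.34", "10.106.2.35"): "clear",
}

# An unindented "src A dst B" line starts a new SA; "sel src ..." does not match.
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")
SA_OFFLOAD = re.compile(r"crypto offload parameters: dev (\S+) dir (\w+) mode (\w+)")


def parse_xfrm_state(text):
    """Return one dict per SA from the text output of `ip xfrm state`."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "offload": None}
            sas.append(cur)
            continue
        if cur is None:
            continue  # text before the first SA header
        m = SA_PROTO.search(line)
        if m:
            cur.update(proto=m.group(1), spi=m.group(2),
                       reqid=int(m.group(3)), mode=m.group(4))
            continue
        m = SA_OFFLOAD.search(line)
        if m:
            cur["offload"] = {"dev": m.group(1), "dir": m.group(2), "mode": m.group(3)}
    return sas


def observed_state(sas, local, remote):
    """'encrypt' if ESP SAs exist both ways, 'partial' one way, 'clear' if none."""
    esp = {(s["src"], s["dst"]) for s in sas if s.get("proto") == "esp"}
    outbound, inbound = (local, remote) in esp, (remote, local) in esp
    if outbound and inbound:
        return "encrypt"
    if outbound or inbound:
        return "partial"
    return "clear"


def audit(sas, expected):
    """Return (local, remote, expected, observed) for every mismatching pair."""
    findings = []
    for (local, remote), want in sorted(expected.items()):
        got = observed_state(sas, local, remote)
        if got != want:
            findings.append((local, remote, want, got))
    return findings


def audit_live_host(expected):
    """Run the same check against the running kernel (needs root)."""
    out = subprocess.run(["ip", "xfrm", "state"], check=True,
                         capture_output=True, text=True).stdout
    return audit(parse_xfrm_state(out), expected)


if __name__ == "__main__":
    for local, remote, want, got in audit(parse_xfrm_state(SAMPLE_XFRM_STATE), EXPECTED):
        print(f"{local} <-> {remote}: expected {want}, observed {got}")
```

On the sample data the only finding is the pair the poster was surprised by: 10.106.2.34 <-> 10.106.2.35 has ESP SAs in both directions although it was expected to be clear. The `partial` state is worth keeping in such a check, since a single-direction SA usually means a negotiation or rekey that did not complete, which `ip xfrm state` shows just as readily as a full pair.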