Displaying 20 results from an estimated 90000 matches similar to: "kptd & ipsec"
2004 Aug 09
1
rp_filter and fib_validate_source sequence in KPTD
Hello all,
My question:
- - - - - - -
Does anybody know when the reverse path filtering occurs as the packet
traverses the kernel?
Does it happen before NF_IP_PRE_ROUTING (PREROUTING) or not?
Does it only happen at route selection time?
What I have tried to do to find the answer:
- - - - - - - - - - - - - - - - - - - - - -
I find a posting (from many years ago) [0], which suggests that this
2004 Sep 03
3
traffic queueing and ipsec vpn
Hi all, I've been reading lartc howto, I'm new about traffic shaping/police.
As far as read (chapter 9 complete) I saw that first the packet passes at the
ingress qdisc, then it passes to the ip stack if the packet is directed to
the box or its forwarded (is my case), then it falls to the egress
classifier/s.
Now, i understand if i have an ipsec vpn at the outside interface, the
egress
2004 May 05
1
Re: [Fwd: Re: Simple HTB setup with tcng]
Thank you for your help.
It generates this script :
tc qdisc add dev eth0 handle 1:0 root htb default 2
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 75000bps ceil \
75000bps
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 125000bps
tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32 \
0xa000001 0xffffffff at 12 classid 1:1
But I thought it was necessary to
2002 Nov 13
0
Automatic keying IPSEC!
Lots of updates to the IPSEC documentation on http://lartc.org/howto/lartc.ipsec.html
The page lists 4 patches which should be applied to 2.5.47 and 1 patch to be
applied to the kame racoon Internet Key Exchange daemon. If these are all
applied, everything I throw at it works, modulo some annoying logmessages.
Especially new & cool is
http://lartc.org/howto/lartc.ipsec.automatic.keying.html
2003 Mar 14
5
ipsec for linux 2.4 eventually made easy?!
hi there,
I just wanted to share a recent discovery I did on how to setup a secure
VPN implementation for linux 2.4.x (I'm using 2.4.20 but it should be
working, as far as documentation states, for > 2.4.18) without using
FreeS/WAN.
The tool (ipsec_tunnel: http://ringstrom.mine.nu/ipsec_tunnel/, by
Tobias Ringström) is a kernel module based on ipip and ip_gre. It uses
CryptoAPI to
2004 Oct 26
2
IPSec with 2.6.9 and Windows clients
Hi,
is there a good howto for a Linux VPN-Gateway using racoon and IPSec
provided with the actual kernel 2.6.9? Also one for how to set up a
connection to the gateway using Windows XP and the client shipped with it?
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
2003 Jan 19
1
TC + IPsec and a Newbie
Hi there,
I am just starting out with the TC and iproute2 tools. I have given Bert
Hubert's Linux Advanced Routing And Traffic Control Howto a couple of reads
but know I don't have a full grasp of concepts yet.
My immediate need is to make sure ipsec traffic between two linux
firewall/routers is given the greatest priority over all other traffic.
In more detail I have
2002 Dec 26
1
udp broadcast over ipsec
Hello all,
I am configuring a vpn between freeswan and windows 2000. I am following the steps at http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html, to get the VPN up and running. using this I have a ppp tunnel between windows and linux, which is inside a l2tp tunnel which is again encrypted by IPSec. (the url gives the configuration in detail and I have followed it exactly)
Now the
2004 Jan 22
1
IPsec and u32 filters
Hi,
how can I filter IPsec traffic with u32 filters?
I know IPsec needs Port 500/UDP and IP protocols 50 and 51. I know how
to get the port stuff, but how can I make u32 to match the protocol
number?
thx,
cb
2004 Apr 23
1
IPSec tunnel problem
I am attempting to setup a simple network-to-network IPSec tunnel. The
tunnel appears to be setup correctly because I can make connections
between the networks and tcpdump shows esp packets going between the two
gateways. My problem is that I cannot make connections from one gateway
to the other through the tunnel. I think that this is a routing issue.
Here is some more info about my network:
2004 Jan 29
1
RE: LARTC digest, Vol 1 #1564 - 6 msgs
Martin,
If I understand what you are suggesting, there is a problem in your
design: It will only work if you use Hide NAT. The problem is that the
ip_src == IP0 rule is wrong: The ip_src is not changed by the router and
it is not equal to the IP of any of the machine interfaces.
Can you think of a solution that will work in the following reasonable
scenario:
Let's say I have two T1 internet
2007 Oct 12
0
IPSec & Null Encryption
Hi,
Is it possible to use "null encryption" in IPSec protocol?
Regards
HASSAN
2003 Jan 05
1
U32 filter for IPSEC (ESP)
Hi all,
After reading a lot and searching on the Internet, I want to filter ASP
and/or AH traffic
According to /etc/protocols ESP and AH are IP protos 50 and 51
so this u32 filter should work ? (I can use fw filter because the
firewall/VPN can't mark packets :-(
tc filter add dev ethX parent X:0 protocol ip prio X u32 match ip protocol
50 0xff flowid X:XX ?
Can someone confirm this ?
2004 Nov 01
0
Ipsec route and non-ipsec route
I am machines on IPsec VPN which is a subnet of my bigger
LAN ( ie I have machines on the LAN which is not in the VPN ),
specifically :-
192.168.132.0/29:0 -> internet ---> 192.168.1.192/27:0
( local subnet ---> internet--> remote subnet )
# ip route list
...
192.168.1.192/27 via 21x.18x.11x.8x dev ipsec0
192.168.1.0/24 via 192.168.15.146 dev eth0
...
Now, the machines in the
2004 Jan 05
1
RE: virtual interface
>Alen,
>
> : can i add HTB rule on virtual interface?
> : example: eth0:0
>
>First, it's not really a virtual interface--it's just a convention from
> the old days of IP aliasing to have names like eth0:0.
> The IP exists and is active on an interface, eth0 in your case.
> The short answer is "no". Traffic control occurs just prior to the
2004 Nov 15
0
IPSec 'require' not being enforced.
Hi,
I'm not sure this is the right list for this type of question... as
IPSec isn't exactly routing. If someone can point me to a dedicated
IPSec list (for the 2.6 implementation) I'd be very grateful :)
Onto the actual problem...
I'm going to be using IPSec to secure a wireless access point. So far,
in my experimentation, I have the tunnel from
2004 Dec 22
0
QoS success with FC3 native 2.6 ipsec
I just wanted to drop a success notice to the list. We always hear the
failures, and rarely the successes! ;-)
After switching from FC1 and freeS/WAN ipsec to the new native linux 2.6
ipsec (ie: setkey-based) my QoS code suddenly started working properly!
Previously, with FC1 and freeS/WAN, I found it impossible and rather
buggy (kernel panics!) to get QoS to make any difference at all. My
2003 Apr 07
4
BW using CBQ/tc for VPN Ipsec i/f?
Hi all,
I want to allocate bandwidth for ipsec interface using CBQ/tc.
Suppose the conf. file is like this,
DEVICE=ipsec0,10Mbit,1Mbit
RATE=128Kbit
WEIGHT=10Kbit
PRIO=5
RULE=192.128.1.0/24
Does it work
or
What else options need to be taken care like ipsec packets/protocol/port
# etc.?
C'd anybody suggest please?
regds,
Srikanth.
2004 Sep 04
0
Ipsec and kernel 2.6.8
Hi all :-)
I have a problem with my current configuration of ipsec. I'm using ipsec with
kernel 2.6 and racoon. I have two computers linked by wireless cards. The first
(192.168.1.1 Zeus) is connected to internet through a DSL modem and the second
(192.168.1.2 Memphis) is accessing internet through the first. I want with
ipsec to encrypt all data between the two computers.
I can
2004 Nov 15
1
IPSec tunnel
Hi!
I'm testing IPSec tunnels, having the following test schema:
Host A - eth0: 192.168.1.67
eth1: 192.168.10.1
Host B - eth0: 192.168.1.254
eth1: 192.168.20.1
I've successfully configured an IPSec tunnel in order to safely
communicate from 192.168.10.0/24 (which is obviously behind Host A), and
192.168.20.0/24 (obviously behind Host B)
In this test