
IPSec Fallback mechanism subnet/supernet

SpeedGuide.net Broadband Community > Usenet Newsgroups > comp.dcom.vpn

01-08-08, 10:17 PM #1 anshul makkar

Hi,

I established two IPSEC tunnels terminating at one hub.

Configuration:
1st tunnel: right subnet as 192.168.4.0/24
2nd tunnel: right subnet as 192.168.0.0/16

Both the tunnels have the same gateway, 172.16.28.108.

I am using freeswan code.

Now what I am observing is that, if I disable the 192.168.4.0/24 tunnel and send a ping request to 192.168.4.1, the ICMP IPSEC SA is negotiated for the 2nd tunnel (the supernet one, which is already correctly established). Why is this happening?

Further, on continuous pinging (to a machine on network 192.168.4.0/24), a new IPSEC SA (for tunnel 192.168.0.0/26) is negotiated on every request.

On debugging I found that when I disable a particular tunnel, the path corresponding to it is marked as trapped. Now klips captures the outbound packets on the trapped path and tries to send them through another closest matched active path. Thus in this scenario, klips is capturing the outbound packets destined for the 192.168.4.0/24 subnet and is trying to transfer them through 192.168.0.0/16. Is my inference correct?

If this is the default behavior, then why is the IPSEC SA being renegotiated for every outbound ICMP packet? (The IPSEC SA should be established once and then used for every ping request.)

If you have any hint or reference, then please do share it.

Thanking You
Anshul Makkar

01-14-08, 11:44 AM #2 anshul makkar

Hi,

Please reply.
Thanks

02-22-08, 02:58 AM #3 .

Hi

IPSec tuto: http://secure-vpn.com/PPTP-L2TP.rar
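The overlap in the first post (192.168.4.0/24 lies inside 192.168.0.0/16) can be modelled as a longest-prefix lookup over tunnel selectors. This is an added example, not FreeS/WAN or KLIPS code and not part of the original posts; the table layout, the state labels `up` and `trap`, and all function names are assumptions made for illustration.

```python
import ipaddress

def make_table(narrow_state):
    """Constructed selector table for the thread's two tunnels.
    narrow_state: "up", "trap", or None (entry for the /24 removed)."""
    table = [{"name": "tunnel2", "state": "up",
              "dst": ipaddress.ip_network("192.168.0.0/16")}]
    if narrow_state is not None:
        table.append({"name": "tunnel1", "state": narrow_state,
                      "dst": ipaddress.ip_network("192.168.4.0/24")})
    return table

def lookup(table, dst, active_only=False):
    """Most specific entry whose selector contains dst, or None.
    active_only=True skips entries that are not "up", which is the
    fallback the poster infers for a trapped path."""
    addr = ipaddress.ip_address(dst)
    matches = [e for e in table if addr in e["dst"]
               and (not active_only or e["state"] == "up")]
    return max(matches, key=lambda e: e["dst"].prefixlen, default=None)

def shadowed_pairs(table):
    """(narrow, wide) names where one selector lies strictly inside another."""
    return [(a["name"], b["name"]) for a in table for b in table
            if a["dst"] != b["dst"] and a["dst"].subnet_of(b["dst"])]

if __name__ == "__main__":
    for state in ("up", "trap", None):
        t = make_table(state)
        hit = lookup(t, "192.168.4.1")
        alt = lookup(t, "192.168.4.1", active_only=True)
        print(state, "->", hit["name"], hit["state"], "| active only:", alt["name"])
    print("overlaps:", shadowed_pairs(make_table("up")))
```

Running an overlap check like `shadowed_pairs` against a tunnel configuration shows in advance which narrower selectors would be carried by a wider tunnel if their own tunnel goes down.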