IPSec Fallback mechanism subnet/supernet - Networking



Thread: IPSec Fallback mechanism subnet/supernet

  1. IPSec Fallback mechanism subnet/supernet

    Hi,

    I established two IPSEC tunnels terminating at one hub.
    Configuration :
    1st tunnel : right subnet as 192.168.4.0/24
    2nd tunnel: right subnet as 192.168.0.0/16

    Both the tunnels have same gateway as 172.16.28.108

    I am using freeswan code.

    Now what I am observing is that, if I disable the 192.168.4.0/24
    tunnel and send a ping request to 192.168.4.1, the ICMP IPSEC SA is
    negotiated for the 2nd tunnel (the supernet one, which is already correctly
    established). Why is this happening?

    Further, on continuous pinging (to machine on network 192.168.4.0/24),
    a new IPSEC SA (for tunnel 192.168.0.0/26) is negotiated on every
    request.

    On debugging I found that when I disable a particular tunnel, the path
    corresponding to it is marked as trapped. Now KLIPS captures the
    outbound packets on the trapped path and tries to send them through
    another closest matched active path. Thus in this scenario, KLIPS is
    capturing the outbound packets destined for the 192.168.4.0/24 subnet and
    is trying to transfer them through 192.168.0.0/16. Is my inference
    correct?

    If this is the default behavior, then why is the IPSEC SA being
    renegotiated for every outbound ICMP packet? (The IPSEC SA should be
    established once and then used for every ping request.)

    If you have any hint or reference, then please do share it.

    Thanking You
    Anshul Makkar
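    The selection behaviour the post describes (an outbound packet is matched
    to the most specific active policy entry whose subnet contains the
    destination, so a disabled /24 lets the /16 supernet catch the traffic)
    can be modelled in a few lines. The block below is an added illustration,
    not FreeS/WAN or KLIPS code; the connection names "tun-24" and "tun-16",
    the `active` flag, and the `make_policy`/`select_entry` helpers are
    assumptions made for the example, while the subnets and gateway are the
    ones from the post.

```python
"""Model of most-specific-match selection over IPsec policy entries.

Added illustration (not FreeS/WAN/KLIPS code). Each entry carries the
right subnet from the post and an 'active' flag; 'active=False' stands
in for a tunnel that has been taken down. An outbound destination is
matched to the longest-prefix entry that is still active, which is why
a supernet entry absorbs traffic once the more specific one is gone.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class PolicyEntry:
    name: str                             # hypothetical connection name
    right_subnet: ipaddress.IPv4Network   # remote (right) subnet selector
    gateway: str                          # remote gateway address
    active: bool = True                   # False models a disabled tunnel


def make_policy(specs: Sequence[Tuple[str, str, str, bool]]) -> List[PolicyEntry]:
    """Build a policy table from (name, cidr, gateway, active) tuples."""
    return [PolicyEntry(n, ipaddress.ip_network(c), g, a) for n, c, g, a in specs]


# Constructed policy table mirroring the configuration in the post:
# both tunnels terminate at the same gateway, one /24 inside one /16.
POLICY = make_policy([
    ("tun-24", "192.168.4.0/24", "172.16.28.108", True),
    ("tun-16", "192.168.0.0/16", "172.16.28.108", True),
])


def select_entry(dst: str, policy: Sequence[PolicyEntry] = POLICY) -> Optional[PolicyEntry]:
    """Return the most specific active entry whose subnet contains dst.

    Entries that are not active are skipped entirely, so a destination
    covered only by a disabled entry falls through to any wider entry
    that also covers it; with no covering active entry, None is returned.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [e for e in policy if e.active and addr in e.right_subnet]
    if not candidates:
        return None
    # Longest prefix wins: a /24 beats a /16 when both are active.
    return max(candidates, key=lambda e: e.right_subnet.prefixlen)


def with_tunnel_disabled(policy: Sequence[PolicyEntry], name: str) -> List[PolicyEntry]:
    """Return a copy of the table with the named tunnel marked inactive."""
    return [PolicyEntry(e.name, e.right_subnet, e.gateway, e.active and e.name != name)
            for e in policy]


if __name__ == "__main__":
    chosen = select_entry("192.168.4.1")
    print("both active  ->", chosen.name if chosen else None)
    degraded = with_tunnel_disabled(POLICY, "tun-24")
    chosen = select_entry("192.168.4.1", degraded)
    print("/24 disabled ->", chosen.name if chosen else None)
    print("outside both ->", select_entry("10.0.0.1", degraded))
```

    Run as a script, the first lookup resolves to the /24 entry and the second,
    after the /24 is disabled, to the /16 entry for the same destination. The
    model deliberately says nothing about why a new SA would be negotiated per
    packet; it only shows which policy entry the destination lands on.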

  2. Re: IPSec Fallback mechanism subnet/supernet

    Hi,

    Please reply. I am stuck.

    Thanks
    Anshul Makkar


    On Jan 9, 9:15 am, anshul makkar wrote:
    > Hi,
    >
    > I established two IPSEC tunnels terminating at one hub.
    > Configuration :
    > 1st tunnel : right subnet as 192.168.4.0/24
    > 2nd tunnel: right subnet as 192.168.0.0/16
    >
    > Both the tunnels have same gateway as 172.16.28.108
    >
    > I am using freeswan code.
    >
    > Now what I am observing is that, if I disable the 192.168.4.0/24
    > tunnel and send a ping request to 192.168.4.1, the ICMP IPSEC SA is
    > negotiated for the 2nd tunnel (the supernet one, which is already correctly
    > established). Why is this happening?
    >
    > Further, on continuous pinging (to machine on network 192.168.4.0/24),
    > a new IPSEC SA (for tunnel 192.168.0.0/26) is negotiated on every
    > request.
    >
    > On debugging I found that when I disable a particular tunnel, the path
    > corresponding to it is marked as trapped. Now KLIPS captures the
    > outbound packets on the trapped path and tries to send them through
    > another closest matched active path. Thus in this scenario, KLIPS is
    > capturing the outbound packets destined for the 192.168.4.0/24 subnet and
    > is trying to transfer them through 192.168.0.0/16. Is my inference
    > correct?
    >
    > If this is the default behavior, then why is the IPSEC SA being
    > renegotiated for every outbound ICMP packet? (The IPSEC SA should be
    > established once and then used for every ping request.)
    >
    > If you have any hint or reference, then please do share it.
    >
    > Thanking You
    > Anshul Makkar
