IPSec, redux the first

Since setting up IPSec to enable me to tunnel back into my home network, I've not been entirely happy with the stability of FreeS/WAN. So I decided to try the 2.4 backport of the IPSec functionality from the new Linux 2.6 kernel.

There's a brief HOWTO available on setting this up. The user-space tools are certainly much less complex than FreeS/WAN, although it's true that I've more familiarity with IPSec terms than I had before.

The long and the short of it is that I've not had any success with the 2.4 backport. I got off to a complete nonstarter by trying with one end of the tunnel behind NAT (even though I've had that working with FreeS/WAN). Moving the tunnel end outside of NAT worked a lot better, except that I seemed to fall at the final hurdle. Using the excellent network sniffing tool ethereal, I was able to see the tunnelled packets arrive back at the local interface on the client, but somehow they never quite made it to the application I was using.

For example, I tried pinging a host on the far end of the IPSec tunnel. Ethereal showed the ESP encrypted packet return, and then the ICMP Echo reply which had been decrypted, which looked just like what you get with a normal ping. The missing link was that the ping command never got to hear about it. As I have next to no Linux kernel knowledge, I'm completely baffled.

There wasn't a huge amount of googleable information on the Linux 2.6 IPSec support yet, either. It's so frustrating when you get so nearly there with something.

The conclusion to this is that for now I'll probably give up with IPSec tunnelling until 2.6 is released, and then try again. Though I got FreeS/WAN working, simple ssh-based tunnels will serve me as well and present less pain in operation.


You are reading the weblog of Edd Dumbill, writer, programmer, entrepreneur and free software advocate.
Copyright © 2000-2012 Edd Dumbill