IPSec rules ignored

From: nickolay
Date: Sat Feb 07 2004 - 22:21:52 EST


Hi, All!

I'm not sure if this is the correct place to ask, but I haven't found a separate mailing list for IPSec.

My problem is that the security policies I set via setkey are silently ignored. I may have racoon running, but if I ping a host that falls under my rules (for example, 172.20.1.1) I get the same error as if the rule didn't exist, and racoon doesn't attempt to initiate the IKE sequence.

Here is the relevant part of my network stack:

kernel-2.6.2 built and running on AMD64
SpeedTouch USB DSL modem which, after the firmware is loaded, is visible as an ATM device with VPI/VCI 0.0.35
RFC 2684 Ethernet/ATM bridge visible as interface "nas0"
The Internet interface is the PPPoE device "ppp0" running over "nas0"

The built-in 3Com Gigabit LOM (3C940), driven by the sk98lin driver, is interface eth0. Other network equipment has been removed from the machine to avoid interference.

In general, I find the native IPSec configuration a little bit "strange", because usually a tunneling interface is used for IPSec connections, and it can then be used for routing.

Another question is how IPSec is really expected to work if a tunnel interface doesn't exist; in particular, how routing and NAT decisions are expected to be made.

Some more information that may be relevant is attached.

Is it a problem in the Linux kernel, or am I doing something wrong?
I can provide as much information as required to resolve the problem.

Nickolay Samofatov

Attachment: dmesg
Description: Binary data

Attachment: ifconfig.out
Description: Binary data

Attachment: setkey_policy
Description: Binary data

Attachment: racoon.conf
Description: Binary data

Attachment: racoon_output
Description: Binary data

Attachment: ip_route_output
Description: Binary data