
debian 6.0: About ipsec tunnel: outgoing traffic not encrypted



Hi

I tried to set up an IPsec tunnel on Debian 6.0, following http://www.ipsec-howto.org/x304.html using setkey/racoon
(ipsec-tools/racoon 0.7.3-12)

The diagram is like:
                                    local-gw                                                       remote-gw
a.0/25  ---(a.126, xxx.3)  <----Internet ---> (yyy.5, b.254) --->b.0/24

The /etc/ipsec-tools.conf on the left side is:

spdadd a.0/25 b.0/24 any -P out ipsec
    esp/tunnel/xxx.3-yyy.5/unique;

spdadd b.0/24 a.0/25 any -P in ipsec
    esp/tunnel/yyy.5-xxx.3/unique;

Then the racoon log showed the SA established OK:

INFO: IPsec-SA established: ESP/Tunnel yyy.5[0]->xxx.3[0] spi=217278943(0xcf369df)
IPsec-SA established: ESP/Tunnel xxx.3[500]->yyy.5[500] spi=1868651708(0x6f615cbc)

However, the outgoing traffic from the a.0/25 network seems to go out without using IPsec. (Incoming traffic from the remote site is OK; using tshark it showed that pings from b.0/24 to a.0/25 use ESP.)

According to http://ipsec-tools.sourceforge.net/checklist.html:
gateway's traffic goes from secure interface
This could be achieved by routing local traffic via internal (secure) interface:
ip route add other.network/mask via default.gw src gateway's.private.addr
or alternatively, it is possible to set up extra policies for gateway-remote_networks, gateway-gateway and local_networks-gateway traffic.

So I added:
   ip route add b.0/24 via xxx.3 src a.126

ip route show:
a.0/25 dev eth1  proto kernel  scope link  src a.126
b.0/24 via xxx.3 dev eth0  src a.126
default via xxx.1 dev eth0

But it still does NOT use IPsec to send out the outgoing traffic.

Any idea what could be wrong?




Thanks


Min


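As an added example (not part of Min's post, and not code from ipsec-tools or racoon), the following Python script shows the two checks a practitioner would run on a setup like the one described above: parse `setkey -DP` (SPD) and `setkey -D` (SAD) dumps, confirm that every tunnel policy has an SA between the same endpoints, and test which candidate flows an outbound policy actually covers. The dumps are constructed samples modelled on the post's two policies and two SAs; the addresses are RFC 5737 placeholders standing in for a.0/25, b.0/24, xxx.3 and yyy.5, and the dump layout is approximated, so the regexes tolerate spacing differences. The flow check illustrates the checklist's point about gateway-originated traffic: a packet sourced from the gateway's public address matches no policy, while one sourced from its LAN address (what the `src a.126` route provides) does.

```python
"""Cross-check a setkey SPD dump against the SAD and against sample flows."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of `setkey -DP` (layout approximated).
SPD_DUMP = """\
192.0.2.0/25[any] 198.51.100.0/24[any] any
    out prio def ipsec
    esp/tunnel/203.0.113.3-203.0.113.5/unique#16389
    spid=1 seq=1 pid=1234
198.51.100.0/24[any] 192.0.2.0/25[any] any
    in prio def ipsec
    esp/tunnel/203.0.113.5-203.0.113.3/unique#16390
    spid=2 seq=0 pid=1234
"""

# Constructed sample in the shape of `setkey -D`, mirroring the racoon log lines.
SAD_DUMP = """\
203.0.113.5 203.0.113.3
    esp mode=tunnel spi=217278943(0x0cf369df) reqid=16390(0x00004006)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.3 203.0.113.5
    esp mode=tunnel spi=1868651708(0x6f615cbc) reqid=16389(0x00004005)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Constructed flows: a LAN host, the gateway's LAN address, the gateway's public address.
FLOWS = [("192.0.2.10", "198.51.100.20"),
         ("192.0.2.126", "198.51.100.20"),
         ("203.0.113.3", "198.51.100.20")]


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""   # in / out / fwd
    action: str = ""      # ipsec / discard / none
    proto: str = ""       # esp / ah
    mode: str = ""        # tunnel / transport
    ep_src: str = ""      # tunnel endpoints as written in the policy
    ep_dst: str = ""
    level: str = ""       # require / unique / use / default


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    mode: str
    spi: int


POLICY_HDR = re.compile(r"^(\S+)\[[^\]]*\]\s+(\S+)\[[^\]]*\]\s+(\S+)\s*$")
POLICY_DIR = re.compile(r"^\s+(in|out|fwd)\b.*\b(ipsec|discard|none)\s*$")
POLICY_REQ = re.compile(r"^\s+(esp|ah)/(tunnel|transport)(?:/([^-\s]+)-([^/\s]+))?/+(\w+)")
SA_HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")
SA_LINE = re.compile(r"^\s+(esp|ah)\s+mode=(\w+)\s+spi=(\d+)")


def parse_spd(text: str) -> List[Policy]:
    """Build one Policy per unindented selector line and its indented attributes."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for line in text.splitlines():
        m = POLICY_HDR.match(line)
        if m and not line[:1].isspace():
            cur = Policy(ipaddress.ip_network(m.group(1), strict=False),
                         ipaddress.ip_network(m.group(2), strict=False))
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = POLICY_DIR.match(line)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = POLICY_REQ.match(line)
        if m:
            cur.proto, cur.mode = m.group(1), m.group(2)
            cur.ep_src, cur.ep_dst = m.group(3) or "", m.group(4) or ""
            cur.level = m.group(5)
    return policies


def parse_sad(text: str) -> List[SA]:
    """Build one SA per 'src dst' header line followed by an 'esp mode=... spi=...' line."""
    sas: List[SA] = []
    hdr: Optional[Tuple[str, str]] = None
    for line in text.splitlines():
        if not line[:1].isspace():
            m = SA_HDR.match(line)
            hdr = (m.group(1), m.group(2)) if m else None
            continue
        m = SA_LINE.match(line)
        if m and hdr:
            sas.append(SA(hdr[0], hdr[1], m.group(1), m.group(2), int(m.group(3))))
    return sas


def policies_without_sa(policies: List[Policy], sas: List[SA]) -> List[Policy]:
    """Tunnel policies whose endpoint pair has no SA of the same protocol and mode."""
    have = {(s.src, s.dst, s.proto, s.mode) for s in sas}
    return [p for p in policies
            if p.action == "ipsec" and p.mode == "tunnel"
            and (p.ep_src, p.ep_dst, p.proto, p.mode) not in have]


def match_flow(policies: List[Policy], src: str, dst: str, direction: str = "out") -> Optional[Policy]:
    """First policy in the given direction whose selectors contain src and dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def uncovered_flows(policies: List[Policy], flows, direction: str = "out"):
    """Flows that would leave the gateway in the clear because no policy selects them."""
    return [f for f in flows if match_flow(policies, f[0], f[1], direction) is None]


if __name__ == "__main__":
    pols, sas = parse_spd(SPD_DUMP), parse_sad(SAD_DUMP)
    print("policies without SA:", [(str(p.src), str(p.dst)) for p in policies_without_sa(pols, sas)])
    print("uncovered flows:", uncovered_flows(pols, FLOWS))
```

On a live gateway the two dumps would come from `setkey -DP` and `setkey -D`; with the post's data the SA check comes back clean, and the flow check reports only the gateway-public-address flow as uncovered, which is exactly the case the checklist's `src` route or extra gateway policies are meant to address.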