[Openswan dev] "auth failed on incoming packet" when using NAT-T

Paul Wouters paul at xelerance.com
Tue Dec 7 22:02:34 CET 2004


On Tue, 7 Dec 2004, Markus Hanauska wrote:

> Neither the hash, nor the hashed data is touched during en- and 
> de-capsulation. Both sides use HMAC-MD5 for hashing and they both use 
> the same HASH key methinks. At least on the Racoon side, that is easy 
> to find out:
 
> Any idea how to verify that OpenSWAN uses the same 3DES and HMAC keys 
> on its side? I can find the HMAC keys somewhere in the pluto log, but 
> any idea how to get this info for an already established tunnel?

Use ipsec auto --status, or check the various files in /proc/net/ipsec/

Racoon does allow you to set up bogus type connections, for instance with
compression by adding another layer of IPIP. Openswan will drop those kinds
of packets. Though you already said you had disabled compression. Can you
show both your openswan and racoon configuration?

Paul 
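
An added example, not part of the original message and not Openswan or Racoon code: it shows why comparing the authentication keys on both ends is the useful check. The ESP ICV depends only on the ESP bytes and the key, so UDP encapsulation and a NAT port rewrite leave it valid, while a key mismatch fails verification. Assumptions: HMAC-MD5-96 as in RFC 2403, an 8-byte UDP header on port 4500 directly in front of ESP, hypothetical function names, and constructed keys and payload.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-MD5-96 (RFC 2403): MD5 HMAC truncated to 96 bits

def esp_icv(auth_key: bytes, esp_body: bytes) -> bytes:
    """ICV over SPI, sequence number, IV and ciphertext (everything but the ICV)."""
    return hmac.new(auth_key, esp_body, hashlib.md5).digest()[:ICV_LEN]

def build_esp(auth_key: bytes, spi: int, seq: int, iv_and_ciphertext: bytes) -> bytes:
    body = struct.pack("!II", spi, seq) + iv_and_ciphertext
    return body + esp_icv(auth_key, body)

def udp_encapsulate(esp: bytes, sport: int = 4500, dport: int = 4500) -> bytes:
    """Assumed NAT-T layout: 8-byte UDP header (checksum 0) directly before ESP."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp

def nat_rewrite_sport(datagram: bytes, new_sport: int) -> bytes:
    """What a NAT device changes in this model: only the outer UDP source port."""
    return struct.pack("!H", new_sport) + datagram[2:]

def udp_decapsulate(datagram: bytes) -> bytes:
    return datagram[8:]

def verify_esp(auth_key: bytes, esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(esp_icv(auth_key, body), icv)

# Constructed sample values, not taken from any real tunnel.
SENDER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
OTHER_KEY = bytes.fromhex("ff0102030405060708090a0b0c0d0e0f")
SAMPLE_ESP = build_esp(SENDER_KEY, spi=0x1000, seq=1,
                       iv_and_ciphertext=bytes(8) + b"\xaa" * 16)

def receive(auth_key: bytes) -> bool:
    """Pass SAMPLE_ESP through encapsulation, NAT and decapsulation, then verify."""
    on_wire = nat_rewrite_sport(udp_encapsulate(SAMPLE_ESP), 32001)
    return verify_esp(auth_key, udp_decapsulate(on_wire))

if __name__ == "__main__":
    print("same key:     ", receive(SENDER_KEY))
    print("different key:", receive(OTHER_KEY))
```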


