[Openswan dev] Tunnel in a tunnel : Magic behaviour
Paul Wouters
paul at xelerance.com
Wed Mar 9 14:54:32 CET 2005
On Wed, 9 Mar 2005, Francis GASCHET wrote:
> We are using "super-freeswan-1.99.7.3" in our FireWall product (FWB family).
time to upgrade?
> One of our customers uses that gateway in his office and the Greenbow IPSEC
> client on his portable PC.
Any modern NAT-T will not work on that old superfreeswan.
> The problem rises when he is in the premises of a customer of his own : they
> use a Zyxel Prestige 653 FireWall. That stupid box catches all the IKE packets
> coming back. So the client never gets an answer to its first Main mode
> packet...
Disable ipsec passthrough if that is an option. Another option is to use NAT-T,
which might make it past the Zyxel.
[ tunnel through tunnel ]
There is no reason why that wouldn't work. I regularly run tunnels within
tunnels. They're production grade stable tunnels.
> Nothing special has been setup in the routes.
> I cannot imagine how the esp packet going out from the kernel across ipsec0
> can go across KLIPS again !
I am not sure if that is what is really happening.
> Does anybody have any clue on HOW THAT CONFIGURATION can work ?
The simplest 'how' involves removing any device that takes packets not
destined for itself. Since the Zyxel is playing a difficult game, this
takes a lot of resources to debug and/or work around.
Paul
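The thread turns on whether the IKE exchange crosses the intermediate firewall natively (UDP/500 plus raw ESP, IP protocol 50) or NAT-T encapsulated (UDP/4500, RFC 3948). A capture on each side of such a box, classified packet by packet, shows exactly which of those forms is being swallowed. The following classifier is an added example and is not code from the thread, from Openswan or from super-freeswan; the packets it inspects are constructed inline, and the addresses and SPI values in them are arbitrary placeholders. It distinguishes native IKE, raw ESP, NAT-T IKE (the four-byte zero non-ESP marker), ESP-in-UDP and NAT-T keepalives.

```python
import struct
from collections import Counter

# Well-known values from RFC 2407/3947/3948, not page-specific.
IKE_PORT = 500
NAT_T_PORT = 4500
PROTO_UDP = 17
PROTO_ESP = 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried over UDP/4500


def classify_ipv4(packet: bytes) -> str:
    """Label one raw IPv4 packet by the IPsec-related traffic it carries."""
    if len(packet) < 20:
        return "truncated"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    payload = packet[ihl:]

    if proto == PROTO_ESP:                # raw ESP: SPI then sequence number
        if len(payload) < 8:
            return "esp-truncated"
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"

    if proto != PROTO_UDP:
        return f"other proto={proto}"
    if len(payload) < 8:
        return "udp-truncated"
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
    data = payload[8:]

    if IKE_PORT in (sport, dport):
        return "ike-native"
    if NAT_T_PORT in (sport, dport):
        if data == b"\xff":               # one-byte NAT keepalive
            return "nat-t-keepalive"
        if data[:4] == NON_ESP_MARKER:    # IKE behind the non-ESP marker
            return "ike-nat-t"
        if len(data) >= 8:                # otherwise the first word is an ESP SPI
            spi = struct.unpack("!I", data[:4])[0]
            return f"esp-in-udp spi=0x{spi:08x}"
        return "nat-t-unknown"
    return f"udp {sport}->{dport}"


def summarize(packets) -> dict:
    """Count packet kinds (SPI/seq detail stripped) across a capture."""
    return dict(Counter(classify_ipv4(p).split()[0] for p in packets))


# --- constructed sample packets (placeholder addresses 10.0.0.1 -> 10.0.0.2) ---
def build_ipv4(proto: int, payload: bytes,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_PACKETS = [
    build_ipv4(PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),                      # native IKE
    build_ipv4(PROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),   # IKE over NAT-T
    build_ipv4(PROTO_UDP, build_udp(4500, 4500, b"\x00\x00\x12\x34\x00\x00\x00\x01" + b"x" * 16)),
    build_ipv4(PROTO_UDP, build_udp(4500, 4500, b"\xff")),                         # keepalive
    build_ipv4(PROTO_ESP, struct.pack("!II", 0xDEADBEEF, 7) + b"x" * 16),         # raw ESP
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify_ipv4(p))
    print(summarize(SAMPLE_PACKETS))
```

Run it once on packets captured on the client side of the firewall and once on the gateway side; a kind present in one summary and absent from the other is the traffic the box is intercepting, which tells you whether switching to NAT-T (or disabling passthrough) is the fix worth trying.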