[Openswan dev] Tunnel in a tunnel : Magic behaviour
paul at xelerance.com
Wed Mar 9 14:54:32 CET 2005
On Wed, 9 Mar 2005, Francis GASCHET wrote:
> We are using "super-freeswan-188.8.131.52" in our FireWall product (FWB family).
time to upgrade?
> One of our customers uses that gateway in his office and the Greenbow IPSEC
> client on his portable PC.
Any modern NAT-T will not wokr on that old superfreeswan.
> The problem rises when he is in the premise of a customer of his own : they
> use a Zyxel Prestige 653 FireWall. That stupid box catch all the IKE packets
> coming back. So the client never get an answer to its first Main mode
Disable ipsec passthrough if that is an option. Another option is to use NAT-T,
which might make it past the zyxcel.
[ tunnel through tunnel ]
There is no reason why that wouldn't work. I regularly run tunnels within
tunnels. They're production grade stable tunnels.
> Nothing special has been setup in the routes.
> I cannot immagine how the esp packet going out from the kernel across ipsec0
> can go across KLIPS again !
I am not sure if that is what is really happening.
> Does anybody have any clue on HOW THAT CONFIGURATION can work ?
The simplest 'how' involves removing any device that takes packets not
destined for itself. Since the Zyxcel is playing a difficult game, this
takes a lot of resources to debug and/or work around.
More information about the Dev