[Openswan dev] RE: [Openswan Users] Strange ping response (fwd)

Paul Wouters paul at xelerance.com
Wed Sep 7 01:11:51 CEST 2005

Forwarded from the user list. Perhaps Michael or Herbert know what is going on
here? It seems like a bug? Using whack or auto should not have different results.

I guess we need to build a testcase for this. I have opened a bug on this.


---------- Forwarded message ----------
Date: Tue, 6 Sep 2005 16:20:04 -0400
From: George Hadjichristofi <ghadjich at vt.edu>
Cc: users at openswan.org
To: 'Paul Wouters' <paul at xelerance.com>
Subject: RE: [Openswan Users] Strange ping response


You are right.
If I "sniff" in the middle I get no cleartext packets.

However, I did notice that if I use "whack" to manually start the
connection instead of "ipsec auto --up", I don't see the second
cleartext packet on either G1 or G2.
In addition, if I automatically start the connection the policy database
on G2 has 2 entries going from G1 to G2 and 1 entry going from G2 to G1
and vice versa.
If I manually start the connection with "whack" then G2 has 1 policy
entry going from G1 to G2 and 1 policy entry going from G2 to G1. I
therefore thought that the automatic mechanism does not properly set up
the policies on the Gateways and induces the extra packet.

Is there any correlation?
Maybe I am not understanding the underlying mechanism correctly.


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Tuesday, September 06, 2005 2:50 PM
To: George Hadjichristofi
Cc: users at openswan.org
Subject: Re: [Openswan Users] Strange ping response

On Tue, 6 Sep 2005, George Hadjichristofi wrote:

> After I successfully initiate a connection I ping from G1 to G2. G2
> will return 2 packets, one cleartext and one encrypted. If I ping from
> G2 to G1 then G1 will return two packets.
> Why does the responding gateway send 2 packets back?

It works properly. Running tcpdump on the gateway using NETKEY does not.
Packets are modified by NETKEY after tcpdump sees them.

Put a hub in the middle and verify on a third machine you only see
encrypted packets.
