[Openswan dev] decrypted packet appears at wrong ipsec interface

Paul Wouters paul at xelerance.com
Fri Aug 29 13:15:06 EDT 2008


On Fri, 29 Aug 2008, hiren joshi wrote:

> I use openswan-2.4.8 (KLIPS).

That is VERY old.

> I have two external interfaces.
> Physical to ipsec interface bindings are: interfaces="ipsec0=eth1 ipsec1=eth2"
>
> If I define a connection on the first interface (eth1), decrypted
> packet appears on corresponding ipsec interface (ipsec0).

> However if I define the same connection on eth2, decrypted packet
> still appears on ipsec0 instead of ipsec1.

What do you mean by "the same connection"? From IPsec's point of view,
there can only be one unique 'connection'.

The ipsecX devices are a method to get a packet *into* KLIPS. I don't think
it ever kept track of which interface to output the packet on. Regular routing
rules would lead the packet onto its destination.

So I think you are seeing the 'normal' behaviour here.

IPsec policies should prevent odd packets coming in from the wrong tunnel,
so once you have the packet, it shouldn't matter which interface you saw
it from in its decrypted form.

Paul

