[Openswan dev] decrypted packet appears at wrong ipsec interface

Paul Wouters paul at xelerance.com
Mon Sep 8 10:09:24 EDT 2008

On Mon, 8 Sep 2008, hiren joshi wrote:

>> That seems like a step in the right direction. Though we should see if we
>> can determine this properly by looking up the ipsecX interface belonging to
>> the skb->dev->name ethX interface.
> The code was just for a PoC.

I know. Thanks for that.

> The comment says that there is some motivation for fudging ipsec0 for
> NATed connections.
>        /* XXX fudge it so that all nat-t stuff comes from ipsec0    */
>        /*     eventually, the SA itself will determine which device
>         *     it comes from
>         */
>        {
>          skb->dev = ipsec_get_device(0);
>        }
> Would it be proper to override this fudging by mapping ipsecX to ethX?

Yes, that would be the proper fix. I am not sure yet if there was a
reason this needed to be fudged.


More information about the Dev mailing list