[Openswan dev] decrypted packet appears at wrong ipsec interface

Tino Keitel tino.keitel at innominate.com
Mon Sep 8 10:23:17 EDT 2008

On Mon, Sep 08, 2008 at 19:41:28 +0530, hiren joshi wrote:
> Thanks much for your reply.
> > That seems like a step in the right direction. Though we should see if we
> > can determine this properly by looking up the ipsecX interface belonging to
> > the skb->dev->name ethX interface.
> The code was just for a PoC.
> The comment says that there is some motivation for fudging ipsec0 for
> NATed connections.
>         /* XXX fudge it so that all nat-t stuff comes from ipsec0    */
>         /*     eventually, the SA itself will determine which device
>          *     it comes from
>          */
>         {
>           skb->dev = ipsec_get_device(0);
>         }

I also stumbled over this a while ago. The static assignment of ipsec0
seems to be used because skb->dev->hard_header_len is needed. IMHO this is
buggy as the wrong hard_header_len may be used if the values differ
between the several ipsec devices.

Normally (without NAT-T) the skb->dev is looked up in ipsec_rcv_init(),
but only if skb->dev was not set before. So this lookup is skipped due
to the above static assignment, which also gives weird tcpdump output
and may cause other problems.
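A constructed model of the receive-path device choice discussed in this thread, added here as an example and not Openswan/KLIPS code: the NAT-T fudge pins skb->dev to ipsec0 before ipsec_rcv_init() runs, so the per-interface lookup is skipped and the hard_header_len of the wrong ipsecX is used. The device names, the ethN-to-ipsecN bindings and the header lengths are assumptions.

```c
/* Constructed model of the KLIPS receive-path device choice, not Openswan code.
 * Device names, ethN<->ipsecN bindings and header lengths are assumptions. */
#include <stdio.h>
#include <string.h>

struct net_device { const char *name; int hard_header_len; };
struct sk_buff    { struct net_device *dev; };

#define NDEV 3
/* Assumed: ipsecN is attached to ethN and inherits its link-layer header
 * length; eth1 gets a longer (hypothetical) header so the lengths differ. */
static struct net_device eth_dev[NDEV]   = { {"eth0", 14}, {"eth1", 22}, {"eth2", 14} };
static struct net_device ipsec_dev[NDEV] = { {"ipsec0", 14}, {"ipsec1", 22}, {"ipsec2", 14} };

/* Mirrors ipsec_get_device(n): ipsecN by index. */
static struct net_device *ipsec_get_device(int n) {
    return (n >= 0 && n < NDEV) ? &ipsec_dev[n] : NULL;
}

/* The lookup the thread asks for: the ipsecX bound to the ingress ethX. */
static struct net_device *ipsec_dev_for_eth(const char *ethname) {
    for (int i = 0; i < NDEV; i++)
        if (strcmp(eth_dev[i].name, ethname) == 0)
            return &ipsec_dev[i];
    return NULL;
}

/* Receive path: with NAT-T the static fudge sets skb->dev to ipsec0 first;
 * the ipsec_rcv_init() lookup only runs while skb->dev is still unset. */
static struct net_device *rcv_select_dev(const char *arrived_on, int nat_t) {
    struct sk_buff skb = { NULL };
    if (nat_t)
        skb.dev = ipsec_get_device(0);      /* the "XXX fudge" */
    if (skb.dev == NULL)                    /* skipped once the fudge has run */
        skb.dev = ipsec_dev_for_eth(arrived_on);
    return skb.dev;
}

/* 1 when the chosen device's hard_header_len differs from the one the
 * ingress interface implies, i.e. the condition the post calls buggy. */
static int hard_header_len_mismatch(const char *arrived_on, int nat_t) {
    struct net_device *chosen = rcv_select_dev(arrived_on, nat_t);
    struct net_device *right  = ipsec_dev_for_eth(arrived_on);
    return chosen && right && chosen->hard_header_len != right->hard_header_len;
}

int main(void) {
    printf("eth1 with NAT-T: dev=%s mismatch=%d\n",
           rcv_select_dev("eth1", 1)->name, hard_header_len_mismatch("eth1", 1));
    return 0;
}
```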


