[Openswan Users] "IPsec SA established" but ESP only in one direction

Marco Perrando perr at com.dist.unige.it
Fri Aug 27 11:56:57 CEST 2004


I noticed the following fact.
Maybe it's only a stupid idea.

The log of ipsec reports:
IPsec SA established {ESP=>0x8417224d <0x56cd40bd}

while dumping interface reports:
4.863621 yyy.yyy.yyy.yyy -> xxx.xxx.xxx.xxx ESP ESP (SPI=0x11941194)

More: the SPI number of ESP traffic coming from the NAT'ted XP box is ALWAYS 0x11941194.
Is it possible that this identifier does not match the one ipsec is waiting for?

Actually, by dumping WinXP-side traffic I can see
5.343464 192.168.1.20 -> xxx.xxx.xxx.xxx ESP ESP (SPI=0x56cd40bd)

Where xxx.xxx.xxx.xxx is the public address of the VPN gateway and yyy.yyy.yyy.yyy
is the public address of the Win-XP-side router.

I think the fu***** router mangles the ESP packets changing the ESP number.
So this is a router problem, not a configuration problem.

Am I right?
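
The comparison made in the message above, as an added example that is not part of the original post: it parses the "IPsec SA established" log line and the two capture lines quoted there, then checks each ESP packet addressed to the gateway against the negotiated SPIs. It assumes the value after `<` in the log line is the SPI the gateway expects on inbound packets; the function names are hypothetical and the sample input is constructed from the lines quoted in the post.

```python
import re

# Constructed sample input, taken from the lines quoted in the post.
PLUTO_LOG = "IPsec SA established {ESP=>0x8417224d <0x56cd40bd}"
GATEWAY_CAPTURE = "4.863621 yyy.yyy.yyy.yyy -> xxx.xxx.xxx.xxx ESP ESP (SPI=0x11941194)"
CLIENT_CAPTURE = "5.343464 192.168.1.20 -> xxx.xxx.xxx.xxx ESP ESP (SPI=0x56cd40bd)"

SA_RE = re.compile(r"ESP=>0x([0-9a-fA-F]{1,8})\s+<0x([0-9a-fA-F]{1,8})")
PKT_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+->\s+(\S+)\s+ESP\b.*\(SPI=0x([0-9a-fA-F]{1,8})\)")

def parse_sa(log_text):
    """Return (outbound_spi, inbound_spi) for every SA line found in the log.
    Assumption: '=>' marks the outbound SPI and '<' the inbound SPI."""
    return [(int(o, 16), int(i, 16)) for o, i in SA_RE.findall(log_text)]

def parse_packets(capture_text):
    """Parse one-line ESP packet summaries into dicts."""
    packets = []
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append({"time": m.group(1), "src": m.group(2),
                            "dst": m.group(3), "spi": int(m.group(4), 16)})
    return packets

def check_inbound(log_text, capture_text, gateway):
    """Classify ESP packets sent to `gateway` against the negotiated SPIs."""
    sas = parse_sa(log_text)
    inbound = {i for _, i in sas}
    outbound = {o for o, _ in sas}
    results = []
    for p in parse_packets(capture_text):
        if p["dst"] != gateway:
            continue  # only packets the gateway has to decrypt are of interest
        if p["spi"] in inbound:
            verdict = "match"
        elif p["spi"] in outbound:
            verdict = "wrong-direction"  # SPI belongs to the other half of the SA
        else:
            verdict = "unknown-spi"      # gateway has no SA for this SPI
        results.append((p["src"], "0x%08x" % p["spi"], verdict))
    return results

if __name__ == "__main__":
    for name, cap in (("gateway side", GATEWAY_CAPTURE),
                      ("client side", CLIENT_CAPTURE)):
        for src, spi, verdict in check_inbound(PLUTO_LOG, cap, "xxx.xxx.xxx.xxx"):
            print(f"{name}: {src} SPI={spi} -> {verdict}")
```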

