[Openswan Users] "IPsec SA established" but ESP only in one direction
Marco Perrando
perr at com.dist.unige.it
Fri Aug 27 13:28:43 CEST 2004
Jacco de Leeuw wrote:
>I guess you should see error messages rejecting these packets then.
>
>
I can't see any log for this rejection.
Maybe I am missing them, but IMHO the software thinks that those packets
concern someone else that is waiting for some other secure ESP packets,
and then simply ignores them.
I could have written my hand-made client-server system that exchanges
ESP packets with some other SPI identifier, and I don't see why pluto
should complain about the presence of such packets.
>Well, that is easy to find out. Look at the configuration
>of your NAT router and disable IPsec passthrough.
>
Unfortunately it is not possible since my router does not have this option: it has only passthrough mode.
Could you suggest a router/vendor for which one can disable that option, please?
What hardware are you using for your tests?
Marco.