[Openswan Users] "IPsec SA established" but ESP onlt in one direction

Marco Perrando perr at com.dist.unige.it
Fri Aug 27 13:28:43 CEST 2004

Jacco de Leeuw wrote:

>I guess you should see error messages rejecting these packets then.
I can't see any log for this rejection.
Maybe I miss them, but IMHO the software thinks that those packets 
concern someone else that is waiting for some other secure ESP packets, 
and then simply ignores them.
I could have written my hand-made client-server system that exchanges 
ESP packets with some other SPI identifier, and I don't see why pluto 
should complain about the presence of such packets.

>Well, that is easy to find out. Look at the configuration
>of your NAT router and disable IPsec passthrough.
Unfortunately it is not possible since my router has not this option: it has only passthrough mode.
May you suggest a router/vendor for which one can disable that option, please?

What hardware are you using for your tests?


More information about the Users mailing list