[Openswan Users] "IPsec SA established" but ESP only in one direction
Paul Wouters
paul at xelerance.com
Fri Aug 27 16:53:27 CEST 2004
On Fri, 27 Aug 2004, Jacco de Leeuw wrote:
>> The SPI number of ESP traffic coming from NAT'ted XP box
>> is ALWAYS 0x11941194.
>
> Hm. Odd.
>
>> Is it possible that such identifier does not match with the
>> one ipsec is waiting for?
>
> I guess you should see error messages rejecting these packets then.
Only with klipsdebug enabled. Otherwise it would be a trivial DOS.
>> I think the fu***** router mangles the ESP packets changing the ESP number.
>> So this is a router problem, not a configuration problem.
Looks like it. What router/device is this? Can you add this to the Wiki?
Paul