[Openswan Users] Can you circumvent IPsec?

Paul Wouters paul at xelerance.com
Fri Jan 14 11:59:12 CET 2005


On Thu, 13 Jan 2005, Shaheen Ali wrote:

> If I configure an IPsec security association using pluto.  I can then send
> packets in the clear (IP proto type is TCP, ICMP or UDP) and the packets
> are accepted and passed up to the listening application.  The application
> replies and ipsec encrypts the replies before sending them out on the
> wire.  You end up with an asymmetric behavior, clear packet comes in,
> reply is encrypted.  All due to a misbehaving client.

You are likely using NETKEY and are sniffing on the ipsec gateway itself,
which is confusing because tcpdump cannot really see what's going on, due
to the way NETKEY is implemented in the kernel. Please use a router in
the middle for checking proper operations.

I would be *extremely* surprised if KLIPS behaved in this way. It is very
much written with security in mind, and will drop all plaintext packets for
which a security association exists.

Paul

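As an added illustration of the check Paul recommends (capturing from a router between the two IPsec endpoints rather than on the NETKEY gateway itself), the following Python script is not part of the original thread or of Openswan. It reads a constructed tcpdump text capture, records which host pairs carry ESP or AH (so a security association evidently exists for them), and flags every other cleartext packet between those pairs. IKE on UDP 500/4500 is excluded, since the key exchange is legitimately sent in the clear. The sample addresses and SPIs are made up.

```python
import re
from collections import namedtuple

# Constructed sample capture in tcpdump -n text format (not from the thread).
# 192.0.2.1 is the IPsec gateway under test, 198.51.100.2 its peer, and
# 203.0.113.5 an unrelated host for which no SA exists.
SAMPLE_CAPTURE = """\
11:59:12.000001 IP 198.51.100.2 > 192.0.2.1: ICMP echo request, id 1234, seq 1, length 64
11:59:12.000002 IP 192.0.2.1 > 198.51.100.2: ESP(spi=0x0000abcd,seq=0x1), length 132
11:59:12.000003 IP 198.51.100.2.500 > 192.0.2.1.500: isakmp: phase 2/others R inf
11:59:12.000004 IP 198.51.100.2 > 192.0.2.1: ESP(spi=0x00001234,seq=0x7), length 132
11:59:12.000005 IP 198.51.100.2.40000 > 192.0.2.1.22: Flags [S], seq 1, win 65535, length 0
11:59:12.000006 IP 203.0.113.5 > 192.0.2.1: ICMP echo request, id 99, seq 1, length 64
"""

Packet = namedtuple("Packet", "lineno src dst proto")

_LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
_ADDR_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?$")   # host, optional port

IKE_PORTS = {"500", "4500"}   # IKE and IKE NAT-T are expected to be cleartext UDP


def parse_tcpdump(text):
    """Turn tcpdump -n lines into (lineno, src, dst, proto) tuples."""
    packets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LINE_RE.match(line)
        if not m:
            continue                      # not an IPv4 packet line
        src, dst, rest = m.groups()
        sm, dm = _ADDR_RE.match(src), _ADDR_RE.match(dst)
        if not (sm and dm):
            continue
        sport, dport = sm.group(2), dm.group(2)
        if rest.startswith("ESP("):
            proto = "ESP"
        elif rest.startswith("AH("):
            proto = "AH"
        elif "isakmp" in rest or sport in IKE_PORTS or dport in IKE_PORTS:
            proto = "IKE"
        elif rest.startswith("Flags ["):
            proto = "TCP"
        elif rest.startswith("ICMP"):
            proto = "ICMP"
        elif rest.startswith("UDP"):
            proto = "UDP"
        else:
            proto = "OTHER"
        packets.append(Packet(lineno, sm.group(1), dm.group(1), proto))
    return packets


def find_plaintext_leaks(packets):
    """A host pair seen exchanging ESP/AH has an SA; any other cleartext
    packet between that pair (IKE excepted) is traffic bypassing IPsec."""
    protected = {frozenset((p.src, p.dst))
                 for p in packets if p.proto in ("ESP", "AH")}
    return [p for p in packets
            if frozenset((p.src, p.dst)) in protected
            and p.proto not in ("ESP", "AH", "IKE")]


def check_capture(text):
    return find_plaintext_leaks(parse_tcpdump(text))


if __name__ == "__main__":
    for p in check_capture(SAMPLE_CAPTURE):
        print(f"line {p.lineno}: cleartext {p.proto} {p.src} -> {p.dst} "
              f"although this pair has an SA")
```

Run it against `tcpdump -n -i <wire> host <gateway>` output taken on the intermediate router; with the sample above it reports the inbound ICMP and TCP SYN on lines 1 and 5 and stays quiet about the IKE exchange and the unrelated host. The check keys on the outer (gateway) addresses, so for tunnel-mode traffic it identifies the gateway pair, not the inner hosts.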
