[Openswan Users] Can you circumvent IPsec?

Shaheen Ali ali at smallmoon.com
Fri Jan 14 09:02:53 CET 2005

---------------------------- Original Message ----------------------------
Subject: Re: [Openswan Users] Can you circumvent IPsec?
From:    "Shaheen Ali" <ali at smallmoon.com>
Date:    Fri, January 14, 2005 7:52 am
To:      "Paul Wouters" <paul at xelerance.com>

> On Thu, 13 Jan 2005, Shaheen Ali wrote:
>> If I configure an IPsec security association using pluto.  I can then send
>> packets in the clear (IP proto type is TCP, ICMP or UDP) and the
packets are accepted and passed up to the listening application.  The
>> application
>> replies and ipsec encrypts the replies before sending them out on the
wire.  You end up with an assymetric behavior, clear packet comes in,
reply is encrypted.  All due to a misbehaving client.

We are running a 2.4 kernel.  So, I do not think NETKEY is involved.  I
also assumed that you could circumvent IPsec since it only looks at ESP
and AH, and ISAKMP packets.


> You are likely using NETKEY and are sniffing on the ipsec gateway
itself, which is confusing because tcpdump cannot really see what's
going on, due to the way NETKEY is implemented in the kernel. Please use
a router in the middle for checking proper operations.
> I would be *extremely* surprised if KLIPS behaved in this way. It is
very much written with security in mind, and will drop all plaintext
packets for
> which a security association exists.
> Paul

More information about the Users mailing list