[Openswan Users] Dropping of return packets.

Vinod Chandran vinod_chandran at multitech.co.in
Wed Jan 19 10:30:25 CET 2005


Hi,

I am currently using super-freeswan 1.99.7.3 on Kernel 2.4.26.
When the box is booting up, when I try to ping from a node on the LAN 
side, at certain instances it doesn't work.
When I see the tcpdump I find that the ICMP request goes on eth0 
interface, while the ICMP reply goes on to the ipsec0 interface. Since 
there was no tunnel configured, the packet gets dropped.

The problem gets solved when I restart ipsec.

In the known problems section for Kernel 2.6, I found one known issue 
pretty similar to this:

    In 2.6, IPsec policies are detached from routing decisions. Because
    of this design, Opportunistic Encryption on the local LAN is possible
    with 2.6.

    One side effect: When contacting a node on the local LAN which is
    protected by gateway OE, you will get asymmetrical routing (one way
    through the gateway, one way direct), and IPsec will drop the return
    packets. To communicate with this node, you must set a "clear" policy
    for it.

I wanted some more information on this, since I didn't understand what is 
meant by the "clear policy" listed here, assuming that the two issues 
are the same.

Thanks in advance,
Vinod C
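
Added example, not part of the original message: a small Python check for the symptom described above (echo request seen on one interface, its reply on another), run over tcpdump text captured separately per interface. The sample lines, addresses and the ICMP line format (that of current tcpdump releases) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump one-line ICMP echo output (format of current releases; assumed), e.g.
# "10:30:01.000100 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64"
ECHO_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample: (capture interface, tcpdump line). Addresses are made up.
SAMPLE = [
    ("eth0", "10:30:01.000100 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64"),
    ("ipsec0", "10:30:01.000180 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 7, seq 1, length 64"),
    ("eth0", "10:30:02.000100 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 7, seq 2, length 64"),
    ("eth0", "10:30:02.000170 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 7, seq 2, length 64"),
    ("eth0", "10:30:02.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 46"),
]


def find_asymmetric_echoes(captures):
    """Return (host_pair, id, seq, request_if, reply_if) for every ICMP echo
    whose reply was seen on a different interface than its request."""
    seen = defaultdict(dict)  # (pair, id, seq) -> {"request": iface, "reply": iface}
    for iface, line in captures:
        m = ECHO_RE.search(line)
        if not m:
            continue  # not an ICMP echo line
        # Sort the two addresses so request (a > b) and reply (b > a) share a key.
        pair = tuple(sorted((m["src"], m["dst"])))
        key = (pair, int(m["id"]), int(m["seq"]))
        seen[key].setdefault(m["kind"], iface)
    return [
        (pair, ident, seq, d["request"], d["reply"])
        for (pair, ident, seq), d in sorted(seen.items())
        if "request" in d and "reply" in d and d["request"] != d["reply"]
    ]


if __name__ == "__main__":
    for pair, ident, seq, req_if, rep_if in find_asymmetric_echoes(SAMPLE):
        print(f"{pair[0]} <-> {pair[1]} id={ident} seq={seq}: "
              f"request on {req_if}, reply on {rep_if}")
```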


