[Openswan Users] Dropping of return packets.
Vinod Chandran
vinod_chandran at multitech.co.in
Wed Jan 19 10:30:25 CET 2005
Hi,
I am currently using super-freeswan 1.99.7.3 on Kernel 2.4.26.
When the box is booting up, when I try to ping from a node on the LAN
side, at certain instances it doesn't work.
When I see the tcpdump I find that the ICMP request goes on the eth0
interface, while the ICMP reply goes on to the ipsec0 interface. Since
there was no tunnel configured, the packet gets dropped.
The problem gets solved when I restart ipsec.
In the known problems section for Kernel 2.6, I found one known issue
pretty similar to this:
/* In 2.6, IPsec policies are detached from routing decisions. Because of this
design, Opportunistic Encryption on the local LAN is possible with 2.6.
One side effect: When contacting a node on the local LAN which is protected
by gateway OE, you will get asymmetrical routing (one way through the gateway,
one way direct), and IPsec will drop the return packets.
To communicate with this node, you must set a "clear" policy for it. */
I wanted some more information on this, since I didn't understand what is
meant by the "clear policy" listed here, assuming that the two issues
are the same.
Thanks in advance,
Vinod C