[Openswan Users] How to see the outgoing decrypted packets with kernel 2.6 ?

Paul Wouters paul at xelerance.com
Wed Jun 29 22:39:19 CEST 2005


On Wed, 29 Jun 2005, Jacques Valot wrote:

>> Are the NETKEY modules unloaded properly when using KLIPS?
>> 
>> Did you disable NAT/MASQ? Check ip_forwarding? disable rp_filter?
>> Any other kernel messages in the log?
>> 
>> Paul
>
> OK. I have unloaded the modules below before loading the ipsec.ko (klips) module 
> and rerunning the ipsec service :
> ah4, esp4, ipcomp, sha1, des, aes-i586, ipsec
>
> After this :
> - On eth0 interface, I see both ESP packets (incoming and outgoing)
> - On ipsec0 interface, I see outgoing decrypted packets AND incoming 
> decrypted packets too.
> - The ping now works fine

What version of openswan is this? Are you using the supplied scripts or is this
on an embedded device with your own scripts? The startup scripts should fail
to start openswan when it detects both IPsec stacks are loaded.

> For information :
> # cat /proc/sys/net/ipv4/ip_forward
> 0

> Linux Openswan 2.3.1 (klips)

That is odd. 2.3.1 should have this check...

> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [FAILED]

It might still work if you are using the iptables FORWARD table to
more finely tune the forwarding, as compared to the on/off switch for the
ip_forward value in /proc.

> Opportunistic Encryption DNS checks:
>  Looking for TXT in forward dns zone: neptune                 [MISSING]
>  Does the machine have at least one non-private address?      [FAILED]

You can ignore these.

> I am not an ipsec specialist !
> Do you think this situation is correct ?

Yes it is.

Paul
-- 

   "I am not even supposed to be here today!"  -- Clerk
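The pre-start check Paul describes (refuse to start when both the KLIPS and NETKEY stacks are loaded, and report the ip_forward state), as an added example that is not part of the thread or of Openswan's own startup scripts. It assumes the /proc/modules and /proc/sys/net/ipv4/ip_forward file layouts and uses the module names listed in the message above; the sample inputs at the end are constructed.

```shell
#!/bin/sh
# Added example, not Openswan's own code: sanity check for the situation
# reported above, where the KLIPS module (ipsec) and the NETKEY modules
# (ah4, esp4, ipcomp) were loaded at the same time.

KLIPS_MODS="ipsec"
NETKEY_MODS="ah4 esp4 ipcomp"

# any_loaded LISTFILE MOD... : succeeds if any MOD appears as a module name
# (first field) in LISTFILE, which is assumed to have /proc/modules layout.
any_loaded() {
    list="$1"; shift
    for m in "$@"; do
        awk -v want="$m" '$1 == want { found = 1 } END { exit !found }' "$list" && return 0
    done
    return 1
}

# stack_conflict LISTFILE : succeeds when both IPsec stacks are loaded, the
# state in which the openswan startup scripts should refuse to start.
stack_conflict() {
    any_loaded "$1" $KLIPS_MODS && any_loaded "$1" $NETKEY_MODS
}

# forwarding_state FWDFILE : prints "on" or "off" from an ip_forward file.
forwarding_state() {
    if [ "$(tr -d '[:space:]' < "$1")" = "1" ]; then echo on; else echo off; fi
}

# precheck LISTFILE FWDFILE : 2 = stack conflict (fatal), 1 = forwarding off
# (warning only; an iptables FORWARD policy may be doing that job), 0 = ok.
precheck() {
    if stack_conflict "$1"; then
        echo "both KLIPS and NETKEY loaded: refusing to start" >&2
        return 2
    fi
    if [ "$(forwarding_state "$2")" = off ]; then
        echo "ip_forward is 0: check iptables FORWARD if traffic must transit" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs standing in for the /proc files on a real host.
SAMPLE_DIR=$(mktemp -d)
printf 'ipsec 200000 2 - Live 0xf8a00000\nesp4 8000 0 - Live 0xf8b00000\nah4 6000 0 - Live 0xf8b10000\n' > "$SAMPLE_DIR/both"
printf 'ipsec 200000 2 - Live 0xf8a00000\nsha1 4000 1 ipsec, Live 0xf8c00000\n' > "$SAMPLE_DIR/klips_only"
printf '0\n' > "$SAMPLE_DIR/fwd_off"
printf '1\n' > "$SAMPLE_DIR/fwd_on"
# Reproduce the reported situation: both stacks loaded, ip_forward = 0.
precheck "$SAMPLE_DIR/both" "$SAMPLE_DIR/fwd_off" || echo "precheck exit status: $?"
```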

