[Openswan Users] OpenSwan 2.4.0 NETKEY implementation

Ethy H. Brito ethy.brito at inexo.com.br
Wed Oct 5 09:46:06 CEST 2005


I see one inconvenience with the NETKEY implementation: it is not possible to correctly
filter packets that pass through the tunnel. Please correct me if I'm wrong.

I 'ping' from one side to the other and get this:

08:26:49.686127 IP > ESP(spi=0x138babe7,seq=0x445)
08:26:49.686127 IP > icmp 64: echo request seq 57603
08:26:49.686358 IP > ESP(spi=0xd05eb45a,seq=0x441)

08:26:50.686147 IP > ESP(spi=0x138babe7,seq=0x446)
08:26:50.686147 IP > icmp 64: echo request seq 57859
08:26:50.686379 IP > ESP(spi=0xd05eb45a,seq=0x442)

As you can see, the packets that are encrypted do not appear on the output
interface where the tunnel is attached. You can see the ping request coming in
inside the ESP packet; it is then decrypted and appears on the interface. But you
cannot see the ping reply coming into the interface. You see only its encrypted

One can see only what is coming into the router from the tunnel. What goes out to
the tunnel is not visible, even if it is generated on the internal LAN. It may pose
a problem for bandwidth control as well.

Any ideas?
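As an added illustration (not part of the original post or of Openswan), the following Python script audits a tcpdump excerpt for exactly the asymmetry described above: it classifies each line as ESP or cleartext, attributes it to the inbound or outbound direction relative to the capturing gateway, and reports directions where ESP is seen but cleartext never is, which is where address- or port-based filtering and shaping cannot act. The addresses are constructed (the post's copy of the capture lost them), and `LOCAL_GATEWAY` and `LOCAL_LAN` are assumptions standing in for the real gateway and LAN. A small per-SPI sequence check is included as a sanity test on the ESP half of the capture.

```python
"""Audit a tcpdump excerpt from an IPsec gateway for the visibility gap the
post describes: on a NETKEY gateway, decrypted inbound traffic shows up in
cleartext on the interface, while outbound traffic is only ever seen after
encryption, so cleartext-based filtering and shaping cannot act on it.
Added example; not part of the original post or of Openswan."""
import ipaddress
import re
from collections import defaultdict

# Assumed values for illustration: the capturing gateway and the LAN behind it.
LOCAL_GATEWAY = ipaddress.ip_address("203.0.113.1")
LOCAL_LAN = ipaddress.ip_network("10.2.0.0/16")

# Constructed sample modelled on the post's capture (addresses are invented).
SAMPLE_CAPTURE = """\
08:26:49.686127 IP 203.0.113.2 > 203.0.113.1: ESP(spi=0x138babe7,seq=0x445)
08:26:49.686127 IP 10.1.0.5 > 10.2.0.7: icmp 64: echo request seq 57603
08:26:49.686358 IP 203.0.113.1 > 203.0.113.2: ESP(spi=0xd05eb45a,seq=0x441)
08:26:50.686147 IP 203.0.113.2 > 203.0.113.1: ESP(spi=0x138babe7,seq=0x446)
08:26:50.686147 IP 10.1.0.5 > 10.2.0.7: icmp 64: echo request seq 57859
08:26:50.686379 IP 203.0.113.1 > 203.0.113.2: ESP(spi=0xd05eb45a,seq=0x442)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)
ESP_RE = re.compile(r"^ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")


def parse_capture(text):
    """Turn tcpdump lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = {
            "ts": m.group("ts"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
        }
        esp = ESP_RE.match(m.group("rest"))
        if esp:
            pkt.update(kind="esp", spi=int(esp.group("spi"), 16),
                       seq=int(esp.group("seq"), 16))
        else:
            pkt.update(kind="clear", summary=m.group("rest"))
        packets.append(pkt)
    return packets


def direction(pkt, gateway=LOCAL_GATEWAY, lan=LOCAL_LAN):
    """Classify a packet as 'inbound' or 'outbound' relative to this gateway.
    ESP is attributed by its outer addresses, cleartext by the LAN side."""
    if pkt["kind"] == "esp":
        return "inbound" if pkt["dst"] == gateway else "outbound"
    return "outbound" if pkt["src"] in lan else "inbound"


def visibility_stats(packets, gateway=LOCAL_GATEWAY, lan=LOCAL_LAN):
    """Count ESP and cleartext packets per direction."""
    stats = {"inbound": {"esp": 0, "clear": 0},
             "outbound": {"esp": 0, "clear": 0}}
    for pkt in packets:
        stats[direction(pkt, gateway, lan)][pkt["kind"]] += 1
    return stats


def blind_directions(stats):
    """Directions that carry ESP but never show cleartext: a firewall or
    shaper matching on inner addresses or ports is blind there."""
    return sorted(d for d, c in stats.items() if c["esp"] and not c["clear"])


def esp_sequence_anomalies(packets):
    """Per SPI, report ESP sequence numbers that do not strictly increase
    (a replayed or reordered packet, or a capture mixing two SAs)."""
    last = {}
    anomalies = defaultdict(list)
    for pkt in packets:
        if pkt["kind"] != "esp":
            continue
        spi = pkt["spi"]
        if spi in last and pkt["seq"] <= last[spi]:
            anomalies[spi].append((last[spi], pkt["seq"]))
        last[spi] = pkt["seq"]
    return dict(anomalies)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    stats = visibility_stats(pkts)
    for d in ("inbound", "outbound"):
        print(f"{d:8s} esp={stats[d]['esp']} cleartext={stats[d]['clear']}")
    print("blind directions:", blind_directions(stats) or "none")
    print("ESP sequence anomalies:", esp_sequence_anomalies(pkts) or "none")
```

Run against the sample, the inbound direction shows two ESP packets and two decrypted echo requests, while the outbound direction shows two ESP packets and no cleartext at all, so `blind_directions` returns `["outbound"]`, matching the observation in the post. To use it on a real capture, replace `SAMPLE_CAPTURE` with `tcpdump -n -i <iface>` output and set the two assumed constants to the gateway's own address and LAN prefix.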


