[Openswan Users] OpenSwan 2.4.0 NETKEY implementation

Ethy H. Brito ethy.brito at inexo.com.br
Wed Oct 5 09:46:06 CEST 2005


Dears

I see one inconvenience with the NETKEY implementation: it is not possible to correctly
filter packets that pass through the tunnel. Please correct me if I'm wrong.

I 'ping' from one side to the other and get this:

08:26:49.686127 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x445)
08:26:49.686127 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57603
08:26:49.686358 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x441)


08:26:50.686147 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x446)
08:26:50.686147 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57859
08:26:50.686379 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x442)

As you can see, the packets that are encrypted do not appear on the output
interface where the tunnel is attached. You can see the ping request coming in
inside the ESP packet; it is then decrypted and appears on the interface. But you
cannot see the ping reply going out on the interface. You see only its encrypted
form.

One can see only what is coming into the router from the tunnel. What goes out to
the tunnel is not visible, even if it is generated on the internal LAN. It may pose
a problem for bandwidth control as well.

Any ideas?

Regards

Ethy
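The asymmetry Ethy describes can be checked mechanically from the capture itself. The script below is an added example, not part of the original post or of Openswan: it parses tcpdump lines in the format quoted above, pairs each ESP packet with a cleartext packet carrying the same timestamp (the decrypted copy NETKEY hands to the interface, which in this capture shares the timestamp of its ESP carrier; that pairing is a heuristic assumed here), and reports which tunnel directions are never seen in cleartext. The sample lines are the two ping round trips from the post, embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines quoted in the post (two ping round trips).
SAMPLE = """\
08:26:49.686127 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x445)
08:26:49.686127 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57603
08:26:49.686358 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x441)
08:26:50.686147 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x446)
08:26:50.686147 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57859
08:26:50.686379 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x442)
"""

# Matches "<timestamp> IP <src> > <dst>: <rest>" as printed by tcpdump.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def parse(text):
    """Turn tcpdump output into a list of packet dicts; unparseable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        pkts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                     "esp": rest.startswith("ESP("), "info": rest})
    return pkts


def esp_visibility(text):
    """Per ESP direction (outer src > outer dst): how many ESP packets were seen,
    and how many had a cleartext packet with the same timestamp, i.e. were
    decrypted and therefore visible (and filterable) on the interface."""
    pkts = parse(text)
    clear_ts = {p["ts"] for p in pkts if not p["esp"]}
    report = defaultdict(lambda: {"esp": 0, "decrypted_visible": 0})
    for p in pkts:
        if not p["esp"]:
            continue
        key = f'{p["src"]} > {p["dst"]}'
        report[key]["esp"] += 1
        if p["ts"] in clear_ts:
            report[key]["decrypted_visible"] += 1
    return dict(report)


def opaque_directions(text):
    """ESP directions for which no cleartext copy ever appeared on the interface."""
    return sorted(k for k, v in esp_visibility(text).items()
                  if v["decrypted_visible"] == 0)


def missing_icmp_replies(text):
    """Inner (src, dst) pairs for which an echo request was seen in cleartext
    but the matching echo reply never was."""
    pkts = parse(text)
    requests = {(p["src"], p["dst"]) for p in pkts
                if not p["esp"] and "echo request" in p["info"]}
    replies = {(p["src"], p["dst"]) for p in pkts
               if not p["esp"] and "echo reply" in p["info"]}
    return sorted((dst, src) for (src, dst) in requests if (dst, src) not in replies)


if __name__ == "__main__":
    for direction, counts in esp_visibility(SAMPLE).items():
        print(direction, counts)
    print("opaque ESP directions:", opaque_directions(SAMPLE))
    print("inner flows with no visible reply:", missing_icmp_replies(SAMPLE))
```

Run against the quoted capture, it reports the inbound direction (200.231.48.39 > 200.231.48.37) as fully visible in cleartext and the outbound direction as opaque, and flags the 10.1.0.1 > 10.0.0.2 echo replies as never appearing unencrypted, which is exactly the filtering gap the post raises.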

