[Openswan Users] OpenSwan 2.4.0 NETKEY implementation

Paul Wouters paul at xelerance.com
Wed Oct 5 18:56:37 CEST 2005


On Wed, 5 Oct 2005, Ethy H. Brito wrote:

> I see one inconvenience with the NETKEY implementation: it is not possible to correctly
> filter packets that pass through the tunnel. Please correct me if I'm wrong.

See the archive for various solutions, including using the iptables MARK facility.

Paul

> I 'ping' from one side to the other and got this:
>
> 08:26:49.686127 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x445)
> 08:26:49.686127 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57603
> 08:26:49.686358 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x441)
>
>
> 08:26:50.686147 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x446)
> 08:26:50.686147 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57859
> 08:26:50.686379 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x442)
>
> As you can see, the packets that are encrypted do not appear on the output
> interface where the tunnel is attached. You can see the ping request coming in
> inside the ESP packet; it is then decrypted and appears on the interface. But you
> cannot see the ping reply coming into the interface. You see only its encrypted
> form.
>
> One can see only what is coming into the router from the tunnel. What goes out to
> the tunnel is not visible, even if it is generated on the internal LAN. It may pose
> a problem for bandwidth control as well.
>
> Any Ideas?
>
> Regards
>
> Ethy

-- 

"Happiness is never grand"

 	--- Mustapha Mond, World Controller (Brave New World)
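The visibility asymmetry Ethy describes can be checked mechanically from a capture rather than by eye. The following is an added example, not code from the list post or from Openswan: it parses the tcpdump lines quoted above and counts ESP versus cleartext packets per direction, which tells you whether interface-level filters or shaping will ever see outbound tunnel traffic. The gateway address 200.231.48.37 and the LAN 10.1.0.0/16 passed to it are assumptions read off the post.

```python
"""Classify NETKEY tcpdump output by direction to show which side is visible in cleartext."""
import ipaddress
import re

# Capture lines as quoted in the post (blank lines dropped).
CAPTURE = """\
08:26:49.686127 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x445)
08:26:49.686127 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57603
08:26:49.686358 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x441)
08:26:50.686147 IP 200.231.48.39 > 200.231.48.37: ESP(spi=0x138babe7,seq=0x446)
08:26:50.686147 IP 10.0.0.2 > 10.1.0.1: icmp 64: echo request seq 57859
08:26:50.686379 IP 200.231.48.37 > 200.231.48.39: ESP(spi=0xd05eb45a,seq=0x442)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<body>.*)$")
ESP_RE = re.compile(r"^ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)")


def parse(capture):
    """Yield (src, dst, spi, seq); spi and seq are None for cleartext packets."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump banner lines, blanks, etc.
        esp = ESP_RE.match(m["body"])
        spi = int(esp["spi"], 16) if esp else None
        seq = int(esp["seq"], 16) if esp else None
        yield m["src"], m["dst"], spi, seq


def visibility(capture, local_gw, local_lan):
    """Count ESP and cleartext packets per direction relative to the capturing gateway.

    local_gw: public address of the gateway running tcpdump (assumed: 200.231.48.37).
    local_lan: the subnet behind it (assumed: 10.1.0.0/16, from the 10.1.0.1 target).
    """
    lan = ipaddress.ip_network(local_lan)
    counts = {"esp_in": 0, "esp_out": 0, "clear_in": 0, "clear_out": 0}
    last_seq = {}  # spi -> last ESP sequence number, a simple ordering sanity check
    for src, dst, spi, seq in parse(capture):
        if spi is not None:
            counts["esp_in" if dst == local_gw else "esp_out"] += 1
            if seq <= last_seq.get(spi, -1):
                raise ValueError(f"non-increasing ESP seq on spi {spi:#x}")
            last_seq[spi] = seq
        elif ipaddress.ip_address(dst) in lan:
            counts["clear_in"] += 1   # decrypted packet, shown after its ESP packet
        elif ipaddress.ip_address(src) in lan:
            counts["clear_out"] += 1  # pre-encryption packet: NETKEY never shows these
    # The flag that decides whether interface-level filters see outbound tunnel traffic.
    counts["outbound_cleartext_visible"] = counts["clear_out"] > 0
    return counts


if __name__ == "__main__":
    print(visibility(CAPTURE, "200.231.48.37", "10.1.0.0/16"))
```

On the quoted capture this reports two ESP packets in each direction and two decrypted packets inbound, but zero outbound cleartext packets, which is exactly the gap Ethy observed.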