[Openswan Users] ipsec0 dropped packets
Marco Berizzi
pupilla at hotmail.com
Tue Jan 3 14:47:10 CET 2006
Paul Wouters wrote:
>On Mon, 2 Jan 2006, Marco Berizzi wrote:
>
> > I would like to understand why I see dropped packets on ipsec0 (especially on
> > TX counter). What kind of log should I watch/enable? The other interfaces are
> > fine: no collisions, no dropped packets.
>
>Try enabling klipsdebug ?
I have enabled klipsdebug=all, and I have found why I see dropped TX packets on the ipsec0 interface.

This is my network diagram:

---priv1_net---|swan1 box|---eth0_pub_ip-*internet*-pub_ip_eth0---|swan2 box|---priv2_net

I'm pinging a non-existent system on the priv1_net from a priv2_net host, and the swan1 box is generating an ICMP host unreachable packet with source IP=eth0_pub_ip and destination IP=priv2_net host. This packet is then routed through ipsec0 and it is dropped by KLIPS. I don't understand why the Linux box is generating the ICMP packet with source IP=eth0_pub and not with the priv1_net IP assigned to itself (on eth1). Is this the correct behaviour? What should I do to get the ICMP unreach response back to the original client on the priv2_net (if possible)?
TIA