[Openswan Users] ipsec0 dropped packets

Marco Berizzi pupilla at hotmail.com
Tue Jan 3 14:47:10 CET 2006

Paul Wouters wrote:

>On Mon, 2 Jan 2006, Marco Berizzi wrote:
> > I would like to understand why I see dropped packets on ipsec0 (especially
> > on the TX counter). What kind of log should I watch/enable? The other
> > interfaces are fine: no collisions, no dropped packets.
>Try enabling klipsdebug ?

I have enabled klipsdebug=all, and I have found why I see dropped TX packets
on the ipsec0 interface. This is my network diagram:

---priv1_net---|swan1 box|---eth0_pub_ip-*internet*-pub_ip_eth0---|swan2 

I'm pinging a non-existent system on the priv1_net from a priv2_net host, and
the swan1 box is generating an icmp host unreachable packet with source
IP=eth0_pub_ip and destination IP=priv2_net host. This packet is then routed
through ipsec0 and it is dropped by KLIPS. I don't understand why the linux box
is generating the icmp packet with source ip=eth0_pub and not with the
priv1_net ip assigned to itself (on eth1). Is this the correct behaviour? What
should I do to have the icmp unreach response back to the original client on
the priv2_net (if possible)?
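The mechanism behind the dropped TX packets, as a small Python model added here (it is not code from this thread or from Openswan): the ICMP error's source address is taken from the route back to the original sender, and KLIPS only carries packets whose source and destination match the tunnel's subnet pair. The addresses, the routing table and the policy selector are constructed stand-ins for the names in the post; the `src_hint` field models the preferred source that `ip route ... src X` installs on a route (the kind of entry Openswan's leftsourceip/rightsourceip options are there to add).

```python
"""Model of ICMP error source selection and the ipsec0 policy check.
Added example; addresses, routes and policy are constructed stand-ins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network

# Constructed addresses standing in for the names used in the post.
ETH0_PUB_IP = IPv4("203.0.113.10")   # swan1's public address on eth0
ETH1_PRIV_IP = IPv4("10.1.0.1")      # swan1's own address on priv1_net (eth1)
PRIV1_NET = IPv4Net("10.1.0.0/24")
PRIV2_NET = IPv4Net("10.2.0.0/24")
DEFAULT = IPv4Net("0.0.0.0/0")


@dataclass
class Route:
    prefix: IPv4Net
    dev: str
    ifaddr: IPv4                     # address of the outgoing interface
    src_hint: Optional[IPv4] = None  # preferred source, as set by `ip route ... src X`


def swan1_routes(src_hint: Optional[IPv4] = None) -> list[Route]:
    """Constructed routing table for swan1.  KLIPS attaches ipsec0 to eth0,
    so ipsec0 carries eth0's public address; the route to priv2_net may
    optionally carry a preferred-source hint."""
    return [
        Route(PRIV1_NET, "eth1", ETH1_PRIV_IP),
        Route(PRIV2_NET, "ipsec0", ETH0_PUB_IP, src_hint),
        Route(DEFAULT, "eth0", ETH0_PUB_IP),
    ]


def route_lookup(routes: list[Route], dst: IPv4) -> Route:
    """Longest-prefix match over the table."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def icmp_error_source(routes: list[Route], error_dst: IPv4) -> IPv4:
    """Linux picks the ICMP error's source from the route back to the
    original sender: the route's preferred source if one is set, otherwise
    the outgoing interface's address.  With no hint, the route to priv2_net
    goes out ipsec0, whose address is eth0_pub_ip."""
    r = route_lookup(routes, error_dst)
    return r.src_hint if r.src_hint is not None else r.ifaddr


def tunnel_accepts(src: IPv4, dst: IPv4, selector=(PRIV1_NET, PRIV2_NET)) -> bool:
    """Policy check on ipsec0: a packet handed to the tunnel must fall inside
    the configured local/remote subnet pair, otherwise KLIPS drops it and
    the drop shows up in the interface's TX dropped counter."""
    local_net, remote_net = selector
    return src in local_net and dst in remote_net


def host_unreachable_reply(routes: list[Route], client: IPv4) -> dict:
    """Build the ICMP host-unreachable reply swan1 would send to `client`
    and report whether the tunnel would carry it."""
    src = icmp_error_source(routes, client)
    dev = route_lookup(routes, client).dev
    delivered = dev != "ipsec0" or tunnel_accepts(src, client)
    return {"src": str(src), "dst": str(client), "dev": dev, "delivered": delivered}


if __name__ == "__main__":
    client = IPv4("10.2.0.50")  # constructed: the pinging host on priv2_net
    print("default routes:", host_unreachable_reply(swan1_routes(), client))
    print("with src hint: ", host_unreachable_reply(swan1_routes(ETH1_PRIV_IP), client))
```

Run stand-alone, the first line shows the reply sourced from the public address and rejected by the selector check; the second shows that once the route to the far subnet carries the private address as its preferred source, the same reply matches the policy and is carried back to the client.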