[Openswan Users] Openswan not encapsulating packets.

Daniele Melosi Mailing2004 at melosi.it
Tue May 23 16:18:12 CEST 2006

Leonardo Piras wrote:
> Hi there everyone, 
> i have a problem which is causing me some headache:
> here is my ipsec.conf
> # DADA - Infoblu
> conn dada-infoblu
>     authby=secret
>     left=
>     leftsubnet=
>     leftnexthop=%defaultroute
>     right=
>     rightsubnet=
>     pfs=yes
>     auto=start


> tiglio:~# tcpdump -i any host or
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96
> bytes
> 12:19:36.336614 IP > icmp 64: echo request seq
> 1
> 12:19:36.340207 IP tiglio.softecspa.it > icmp 64: echo
> request seq 1

You're trying to ping from an incorrect src ip address (, you 
should use a address), IPSEC doesn't recognize the src 
ip address in the tunnel. You have 2 solutions:

1) change leftsubnet=, or arternatively;
2) ping from a differente src ip address (a address)

> As you can see, i can only see clear text pings from one host to the
> other.
> Openswan is not encapsulating packets and it's not sending them through
> the ipsec tunnel.

openswan is not encapsulating packets because you don't tell him to 
encapsulate (it expected packet from network and you're 
sending packet from

And do not masq or nat packets to be tunneled (if on the server you are 
using ip masq or nat you must exempt the packets you wish to tunnel (as 
you can read in openswan wiki).

Daniele Melosi

More information about the Users mailing list