[Openswan Users] Packet has no Non-ESP marker

Stefan Denker Stefan at dn-kr.de
Tue Nov 14 05:09:23 EST 2006 

On Mon, Nov 13, 2006 at 09:11:18PM +0100, Paul Wouters wrote:
>> Nov 13 11:11:25 seikan pluto[1825]: packet from 87.78.98.213:4500: recvfrom 87.78.98.213:4500 has no Non-ESP marker
>> Nov 13 11:11:56 seikan last message repeated 7 times
>> What is this "Non-ESP marker"?
> When IKE packets arrive on port-4500, they are ESP-UDP encapsulated.
> This means that they really have an ESP header after ther UDP packet.
> If the SPI# of the ESP header is 0, then it's an IKE packet.
> That's the "non-ESP marker"

So I guess something arrives on Port 4500 with no SPI# et al, so there
is no such marker... 

> Perhaps you are DNAT'ing IKE packets?

Well, the Windows Machine is behind NAT, but this shouldn't affect it,
should it? I've configured no NAT on the Windows machine... AFAIK. I am
no expert on M$-Software. 

Setup looks like this: 

Daniel        Dagobert             Seikan     
WinXP========NAT-Router========OpenSwan/netkey----Office Network
                                  xl2tpd 1.04

I don't know if it matters, but Dagobert is an openswan gateway, too.

Here is Dagoberts NAT-Table - ferm syntax, but it should be fairly
readable. 

,--------[/etc/ferm/rules.d/03-nat]---------
| table nat {
|     chain PREROUTING {
| 	interface %EXT_IF proto tcp {
|             dport 487 DNAT to %SERVER;
|         }
|     }
| 
|     chain vpns {
|         # Accept packets to all vpns
|         daddr 192.168.0.0/24 ACCEPT;
|     }
| 
|     chain POSTROUTING {
|         saddr 192.168.24.0/24 outerface %EXT_IF {
|             daddr %PRIVATE_NETS {
|                 goto vpns;    # check whether we got a vpn there
|                 DROP;         # drop all other to private nets
|             }
|             MASQ;             # masquerade everything else
|         }
|     }
| 
| }
`---

Any hints how to further analyse this? 

Stefan

-- 
Brick was seated in one of the big troll cells, but in dereference to the fact
that no one could decide if he was a prisoner or not, the door hat been left
unlocked. The understanding was that, provided he didn't try to leave, no one
would stop him leaving. 				[Terry Pratchett - Thud]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20061114/e37b4ad2/attachment.bin

More information about the Users mailing list