[Openswan Users] Packet has no Non-ESP marker

Gerhard Massenbichler gerhard at massenbichler.de
Mon Jan 22 17:02:19 EST 2007


Hi Sergey,

Here is my config, but there is no "compress=yes":

======================schnipp=========================================
version 2.0

conn %default
        compress=no
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        type=tunnel

config setup
        # ...existing parameters
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/24

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn IPSEC-PLAIN-EXT
        type=tunnel
        pfs=yes
        compress=no
        rekey=no
        keyingtries=3
        leftcert=xyz.pem
        # equal to left=%defaultroute
        # left=192.168.3.1
        # leftnexthop=192.168.3.2
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

===============schnapp=======================================

I traced some packets:
Ping with 73 bytes works, traced with tcpdump (ping initiated from the server side):
04:29:24.562408 IP 192.168.3.1.4500 > 84.147.102.104.4500: UDP-encap: ESP(spi=0xef9e1918,seq=0x242), length 212
        0x0000:  4500 00f0 2d2d 4000 4011 8e2b c0a8 0301
        0x0010:  5493 6668 1194 1194 00dc 0000 ef9e 1918
        0x0020:  0000 0242 4e27 5fd1 9523 42a5 4950 983f
        0x0030:  6da5 8605 fb51 3cc3 195f c9d3 9599 a54e
        0x0040:  c302 bdb9 95c9 0209 02a5 eaff fcee 319c
        0x0050:  4800
04:29:25.385770 IP 84.147.102.104.4500 > 192.168.3.1.4500: UDP-encap: ESP(spi=0xb7914ca5,seq=0x216), length 212
        0x0000:  4560 00f0 394b 0000 7e11 83ad 5493 6668
        0x0010:  c0a8 0301 1194 1194 00dc 0000 b791 4ca5
        0x0020:  0000 0216 dd53 7171 d660 3293 7923 6f1e
        0x0030:  0d3e 9309 4183 50fc 2a5f 6528 f4e7 7ddc
        0x0040:  b427 ed64 6380 1ccd accc 37fc 8e34 d507
        0x0050:  5e5f

Ping with 74 bytes (or more) fails with "packet from xyz:4500: recvfrom xyz:4500 has no Non-ESP marker", traced with tcpdump (ping initiated from the server side):
04:32:13.372804 IP 192.168.3.1.4500 > 84.147.102.104.4500: UDP-encap: ESP(spi=0xef9e1918,seq=0x25b), length 220
        0x0000:  4500 00f8 0000 4000 4011 bb50 c0a8 0301
        0x0010:  5493 6668 1194 1194 00e4 0000 ef9e 1918
        0x0020:  0000 025b bdb0 c7c9 b43b 99f2 b437 bee9
        0x0030:  116e 6be6 7ee9 8eb3 c672 3c19 5758 57d8
        0x0040:  cad9 9812 8a1c cfce 0317 a450 d12b 59bb
        0x0050:  99ad
04:32:13.952382 IP 84.147.102.104.4500 > 192.168.3.1.4500: UDP-encap: ESP(spi=0xb7914ca5,seq=0x231), length 220
        0x0000:  4560 00f8 884b 0000 7e11 34a5 5493 6668
        0x0010:  c0a8 0301 1194 1194 00e4 0000 b791 4ca5
        0x0020:  0000 0231 012f 2ee4 4483 c426 83ea d479
        0x0030:  b4a1 aa97 98f6 2206 65c7 face 3903 b84b
        0x0040:  7d3d 8e7b aed9 a596 61a8 5022 84b0 5d0f
        0x0050:  0e4d

Thanks for your help.

Best regards,
Gerhard

Mon, 22.01.2007, 09:12, Sergey V. Stenkin wrote:
> Hi, Gerhard.
>
> You wrote:
>
>> Ping with less than or equal to 73 bytes works fine. But ping with more than 73
>> bytes will fail. The pluto logs show the following line for every ping:
>> "pluto[2711]: packet from 84.102.104.147:4500: recvfrom
>> 84.102.104.147:4500 has no Non-ESP marker".
>
>> Does anyone know a solution for this problem?
>
>> I use OpenVPN over IPsec (OpenVPN only because of Ethernet bridging...)
>
>> Thanks a lot.
>
>> Gerhard
>
> Do you use "compress = yes" in ipsec.conf?
>
>
> Best regards,
> Sergey Stenkin
>
>
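
The pluto message in this thread refers to the RFC 3948 rule for port 4500: IKE is prefixed with four zero bytes (the Non-ESP marker), while UDP-encapsulated ESP starts directly with its non-zero SPI. The following Python is an added example, not code from the thread or from Openswan, that applies that rule to the first trace above (the hex dump is copied from the post as a constructed sample; only the first 82 bytes were captured):

```python
import struct

# Constructed sample: the first UDP-encapsulated ESP packet from the tcpdump
# trace above, as printed by `tcpdump -x` (capture truncated after 82 bytes).
SAMPLE_DUMP = """\
0x0000:  4500 00f0 2d2d 4000 4011 8e2b c0a8 0301
0x0010:  5493 6668 1194 1194 00dc 0000 ef9e 1918
0x0020:  0000 0242 4e27 5fd1 9523 42a5 4950 983f
0x0030:  6da5 8605 fb51 3cc3 195f c9d3 9599 a54e
0x0040:  c302 bdb9 95c9 0209 02a5 eaff fcee 319c
0x0050:  4800
"""

NAT_T_PORT = 4500                     # IKE and ESP share this port under NAT-T
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prepended to IKE on port 4500
IPPROTO_UDP = 17


def parse_hexdump(text):
    """Turn `tcpdump -x` lines ('0x0010:  5493 6668 ...') back into raw bytes."""
    words = []
    for line in text.splitlines():
        _offset, _sep, rest = line.partition(":")
        words.extend(rest.split())
    return bytes.fromhex("".join(words))


def classify_nat_t(packet):
    """Apply the RFC 3948 port-4500 demultiplexing rule to one IPv4 packet.

    Under NAT-T the kernel decapsulates the 'esp' case itself; only IKE (and
    keepalives) are meant to reach the IKE daemon, which is why a daemon that
    sees a non-zero first word reports a missing Non-ESP marker.
    """
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    payload = packet[ihl + 8:]                   # shorter than udp_len if truncated
    if NAT_T_PORT not in (sport, dport):
        return {"kind": "not-nat-t", "sport": sport, "dport": dport}
    if payload == b"\xff":                       # one-byte NAT keepalive
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_len": udp_len - 8 - 4}
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", payload[:8])  # ESP: SPI then sequence number
    return {"kind": "esp", "spi": spi, "seq": seq, "esp_len": udp_len - 8}
```

Run on the sample, it classifies the datagram as ESP with spi=0xef9e1918, seq=0x242 and a 212-byte ESP payload, matching the tcpdump summary line.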
