[Openswan Users] Packet has no Non-ESP marker
Gerhard Massenbichler
gerhard at massenbichler.de
Mon Jan 22 17:02:19 EST 2007
Hi Sergey,
here is my config. But there is no "compress=yes":
======================schnipp=========================================
version 2.0
conn %default
    compress=no
    authby=rsasig
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    type=tunnel
config setup
    # ...Existing parameters
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/24
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
conn IPSEC-PLAIN-EXT
    type=tunnel
    pfs=yes
    compress=no
    rekey=no
    keyingtries=3
    leftcert=xyz.pem
    # equal to left=%defaultroute
    # left = 192.168.3.1
    # leftnexthop=192.168.3.2
    left=%defaultroute
    right = %any
    rightsubnet=vhost:%no,%priv
    auto = add
===============schnapp=======================================
I traced some packets:
Ping with 73 bytes works, traced with tcpdump (ping initiated from the
server side):
04:29:24.562408 IP 192.168.3.1.4500 > 84.147.102.104.4500: UDP-encap:
ESP(spi=0xef9e1918,seq=0x242), length 212
0x0000: 4500 00f0 2d2d 4000 4011 8e2b c0a8 0301
0x0010: 5493 6668 1194 1194 00dc 0000 ef9e 1918
0x0020: 0000 0242 4e27 5fd1 9523 42a5 4950 983f
0x0030: 6da5 8605 fb51 3cc3 195f c9d3 9599 a54e
0x0040: c302 bdb9 95c9 0209 02a5 eaff fcee 319c
0x0050: 4800
04:29:25.385770 IP 84.147.102.104.4500 > 192.168.3.1.4500: UDP-encap:
ESP(spi=0xb7914ca5,seq=0x216), length 212
0x0000: 4560 00f0 394b 0000 7e11 83ad 5493 6668
0x0010: c0a8 0301 1194 1194 00dc 0000 b791 4ca5
0x0020: 0000 0216 dd53 7171 d660 3293 7923 6f1e
0x0030: 0d3e 9309 4183 50fc 2a5f 6528 f4e7 7ddc
0x0040: b427 ed64 6380 1ccd accc 37fc 8e34 d507
0x0050: 5e5f
Ping with 74 bytes (or more) fails with "packet from xyz:4500: recvfrom
xyz:4500 has no Non-ESP marker", traced with tcpdump (ping initiated from
the server side):
04:32:13.372804 IP 192.168.3.1.4500 > 84.147.102.104.4500: UDP-encap:
ESP(spi=0xef9e1918,seq=0x25b), length 220
0x0000: 4500 00f8 0000 4000 4011 bb50 c0a8 0301
0x0010: 5493 6668 1194 1194 00e4 0000 ef9e 1918
0x0020: 0000 025b bdb0 c7c9 b43b 99f2 b437 bee9
0x0030: 116e 6be6 7ee9 8eb3 c672 3c19 5758 57d8
0x0040: cad9 9812 8a1c cfce 0317 a450 d12b 59bb
0x0050: 99ad
04:32:13.952382 IP 84.147.102.104.4500 > 192.168.3.1.4500: UDP-encap:
ESP(spi=0xb7914ca5,seq=0x231), length 220
0x0000: 4560 00f8 884b 0000 7e11 34a5 5493 6668
0x0010: c0a8 0301 1194 1194 00e4 0000 b791 4ca5
0x0020: 0000 0231 012f 2ee4 4483 c426 83ea d479
0x0030: b4a1 aa97 98f6 2206 65c7 face 3903 b84b
0x0040: 7d3d 8e7b aed9 a596 61a8 5022 84b0 5d0f
0x0050: 0e4d
Thanks for your help.
Best regards,
Gerhard
Mon, 22.01.2007, 09:12, Sergey V. Stenkin wrote:
> Hi, Gerhard.
>
> You wrote:
>
>> Pings with less than or equal to 73 bytes work fine. But pings with more
>> than 73 bytes will fail. The pluto logs show the following line for every ping:
>> "pluto[2711]: packet from 84.102.104.147:4500: recvfrom
>> 84.102.104.147:4500 has no Non-ESP marker".
>
>> Does anyone know a solution for this problem?
>
>> I use OpenVPN over IPsec (OpenVPN only because of Ethernet bridging...)
>
>> Thanks a lot.
>
>> Gerhard
>
> You use "compress = yes" in ipsec.conf?
>
>
> Best regards,
> Sergey Stenkin
>
>
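The pluto message refers to the RFC 3948 rule for UDP port 4500: IKE messages start with four zero bytes (the Non-ESP marker), UDP-encapsulated ESP starts with its non-zero SPI, and a NAT keepalive is a single 0xFF byte. The Python below is an added example, not part of the original post or of Openswan; it applies that rule to the first 48 bytes of the inbound packet of the failing ping from the trace above, and the names `classify_natt` and `wrap_udp4500` and the constructed IKE and keepalive samples are assumptions made for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: four zero bytes precede IKE on UDP/4500
NAT_T_PORT = 4500

def classify_natt(packet: bytes) -> dict:
    """Classify one raw IPv4 packet on UDP/4500; the capture may be truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:
        raise ValueError("no complete UDP header")
    sport, dport, udp_len, _cksum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if NAT_T_PORT not in (sport, dport):
        raise ValueError("not UDP/4500 traffic")
    payload = packet[ihl + 8:]
    declared = udp_len - 8     # payload size on the wire, from the UDP header
    if declared == 1 and payload[:1] == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "too-short"}
    if payload[:4] == NON_ESP_MARKER:
        # Marker present: the rest is an IKE message, starting with the cookie.
        return {"kind": "ike", "initiator_cookie": payload[4:12].hex()}
    # Non-zero first word is an ESP SPI; an IKE daemon handed this datagram
    # finds no Non-ESP marker in it.
    spi = struct.unpack("!I", payload[:4])[0]
    seq = struct.unpack("!I", payload[4:8])[0] if len(payload) >= 8 else None
    return {"kind": "esp", "spi": spi, "seq": seq, "udp_payload_len": declared}

def wrap_udp4500(payload: bytes) -> bytes:
    """Constructed-sample helper: minimal IPv4 + UDP headers, checksums zero."""
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17,
                     0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp + payload

# First 48 bytes of the inbound packet of the failing ping, from the trace above.
INBOUND_FAILING = bytes.fromhex(
    "4560 00f8 884b 0000 7e11 34a5 5493 6668"
    "c0a8 0301 1194 1194 00e4 0000 b791 4ca5"
    "0000 0231 012f 2ee4 4483 c426 83ea d479")

if __name__ == "__main__":
    samples = {"page trace": INBOUND_FAILING,
               "constructed IKE": wrap_udp4500(NON_ESP_MARKER + b"\x11" * 28),
               "constructed keepalive": wrap_udp4500(b"\xff")}
    for name, pkt in samples.items():
        print(name, classify_natt(pkt))
```

The SPI, sequence number and payload length it reports for the traced packet match the values tcpdump printed for that packet.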