[Openswan Users] IPsec packets sent on wrong interface with OpenVZ host

Paul Wouters paul at xelerance.com
Thu Jun 19 09:20:00 EDT 2008

On Thu, 19 Jun 2008, Marcus Better wrote:

> I'm running OpenSWAN on the VZ host node to provide tunnels to some virtual environments (VEs) on a common internal subnet. The VEs are connected with veth devices that are bridged together to br0 on the host side. The IPsec tunnel is correctly established, but response traffic from the VE is being sent out on br0, not the external interface eth0.

> [host:~]# tcpdump -i br0
> 10:31:43.238582 IP > ICMP echo request, id 9274, seq 40, length 64
> 10:31:43.238617 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35c), length 132
> 10:31:44.230477 IP > ICMP echo request, id 9274, seq 41, length 64
> 10:31:44.230509 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35d), length 132
> Here the packets destined for client.example.org are only seen on br0, not on the external interface. I have forwarding enabled on both br0 and eth0.

This looks like you are using netkey. Can you run ipsec verify and see
if you have properly disabled sendinf redirects. Netkey can get confused
about interfaces sometimes.


More information about the Users mailing list