[Openswan Users] question about conn host-to-host or host-to-network

Christophe LAUVERNIER christophe.lauvernier at wanadoo.fr
Mon Oct 6 08:15:35 EDT 2008


I'm trying to make a tunnel between two Linux hosts on the same LAN (kernel and openswan 2.6.16) with PSK.
-----------------

My /etc/ipsec.conf on the host

conn client-to-concentrateur
        left=              # left = local & right = remote
        right=%any                      # wildcard, don't know ip address

conn linux-to-linux

When I start the connection the tunnel seems to be on:
ipsec whack --status

000 "linux-to-linux":     myip=unset; hisip=unset;
000 "linux-to-linux":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "linux-to-linux":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: 
000 "linux-to-linux":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "linux-to-linux":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 #2: "linux-to-linux":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25138s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "linux-to-linux" esp.6e2045d2 at  esp.b7de7312 at tun.0 at tun.0 at  ref=0 refhim=4294901761
000 #1: "linux-to-linux":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 151s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

But when I start "service ipsec status" there are no tunnels up:

[root at brennsecure etc]# service ipsec status
IPsec running  - pluto pid: 1277
pluto pid 1277
No tunnels up
[root at brennsecure etc]#

When I ping from  I saw ESP packets but also ICMP packets.

[root at brennsecure etc]# tcpdump -i eth0 -p esp or -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:03:51.223691 IP >  ESP(spi=0xb7de7312,seq=0x1b), length 132
20:03:51.320544 IP >  ICMP echo request, id 53517, seq 19, length 64
20:03:51.320600 IP >  ESP(spi=0x6e2045d2,seq=0x1b), length 132
20:03:52.223686 IP >  ESP(spi=0xb7de7312,seq=0x1c), length 132
20:03:52.223686 IP >  ICMP echo request, id 53517, seq 20, length 64
20:03:52.223740 IP >  ESP(spi=0x6e2045d2,seq=0x1c), length 132
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root at brennsecure etc]#

I have the same thing when I start a tunnel from an XP client and Shrew Soft VPN (conn roadwarrior). The tunnel is up between the XP client and the VPN interface with IP  in order to access to the 


ESP packets are OK but there are ICMP echo requests too.

I have two questions:

Is the command "service ipsec status" always operational, or must I use "ipsec whack --status"?
Why do the ICMP echo requests use the tunnel and the network interface too?
What's wrong in my config?
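Added example (not part of the post above and not Openswan's own code): on the Linux native IPsec stack (NETKEY, the usual choice on 2.6 kernels) tcpdump on the physical interface shows an outbound packet twice, first in cleartext before encryption and then as its ESP encapsulation a few microseconds later, so a cleartext ICMP echo immediately followed by an ESP packet in the same direction is the normal picture rather than a leak. What a defender actually wants to catch is the opposite case: a cleartext packet that has no ESP companion, meaning traffic left the host outside the tunnel. The script below parses tcpdump lines in the format of the capture above and flags such unmatched cleartext packets, and it also parses `ipsec whack --status` state lines to list connections that have an IPsec SA (phase 2) established, which is the same fact "service ipsec status" summarises. The sample capture and status text are constructed; the addresses are RFC 5737 documentation addresses, the 5 ms matching window is an assumption suited to a LAN, and same-direction matching assumes host-to-host mode where inner and outer addresses coincide.

```python
"""Correlate cleartext ICMP with ESP in a tcpdump capture, and read tunnel
state from `ipsec whack --status` output. Example code, not from the post."""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample capture in the same format as the tcpdump output above.
# Assumed host-to-host tunnel between 192.0.2.10 and 192.0.2.20; the last echo
# goes to 192.0.2.30, which no tunnel covers, so it has no ESP companion.
SAMPLE_CAPTURE = """\
20:03:51.223691 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0xb7de7312,seq=0x1b), length 132
20:03:51.320544 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 53517, seq 19, length 64
20:03:51.320600 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x6e2045d2,seq=0x1b), length 132
20:03:52.223686 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0xb7de7312,seq=0x1c), length 132
20:03:52.223686 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 53517, seq 20, length 64
20:03:52.223740 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x6e2045d2,seq=0x1c), length 132
20:03:53.500000 IP 192.0.2.10 > 192.0.2.30: ICMP echo request, id 53517, seq 21, length 64
7 packets captured
7 packets received by filter
"""

# Constructed from the `ipsec whack --status` lines above, mail-wrapping rejoined.
SAMPLE_STATUS = """\
000 "linux-to-linux":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "linux-to-linux":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25138s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "linux-to-linux":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 151s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

PACKET_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[^\s:]+) > (?P<dst>[^\s:]+): "
    r"(?P<proto>ESP|ICMP)\b(?P<rest>.*)$"
)
STATE_RE = re.compile(r'^000 #\d+: "(?P<name>[^"]+)":\d+ STATE_\S+ \((?P<desc>[^)]*)\)')


@dataclass
class Packet:
    ts: float   # seconds since midnight
    src: str
    dst: str
    proto: str  # "ESP" or "ICMP"
    rest: str   # remainder of the line (spi/seq for ESP, id/seq for ICMP)


def parse_capture(text: str) -> List[Packet]:
    """Parse tcpdump lines; summary lines such as 'N packets captured' are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        packets.append(Packet(ts, m["src"], m["dst"], m["proto"], m["rest"].strip()))
    return packets


def find_unprotected(packets: List[Packet], window: float = 0.005) -> List[Packet]:
    """Return cleartext ICMP packets NOT followed within `window` seconds by an
    ESP packet in the same direction. Each ESP packet is matched at most once.
    Same-direction matching assumes host-to-host mode (inner and outer
    addresses coincide); the window value is an assumption for a LAN."""
    esp = [p for p in packets if p.proto == "ESP"]
    used: Set[int] = set()
    unprotected = []
    for p in packets:
        if p.proto != "ICMP":
            continue
        match = None
        for i, e in enumerate(esp):
            if i in used or (e.src, e.dst) != (p.src, p.dst):
                continue
            if 0 <= e.ts - p.ts <= window:
                match = i
                break
        if match is None:
            unprotected.append(p)
        else:
            used.add(match)
    return unprotected


def established_connections(status_text: str) -> Set[str]:
    """Names of connections with an IPsec SA (phase 2) established according to
    `ipsec whack --status` state lines. An ISAKMP SA alone (phase 1) does not count."""
    names = set()
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if m and "IPsec SA established" in m["desc"]:
            names.add(m["name"])
    return names


if __name__ == "__main__":
    print("connections with an IPsec SA:", sorted(established_connections(SAMPLE_STATUS)))
    for p in find_unprotected(parse_capture(SAMPLE_CAPTURE)):
        print(f"cleartext without ESP companion: {p.src} > {p.dst} {p.rest}")
```

Run against the constructed sample it reports `linux-to-linux` as having an IPsec SA and flags only the echo to 192.0.2.30. To use it on a live host, capture with `tcpdump -i eth0 -n esp or icmp` (the `-n` keeps addresses numeric so the regex matches) and feed the saved text to `parse_capture`; for a host-to-network or road-warrior connection the outer ESP addresses differ from the inner ones, so the direction comparison in `find_unprotected` would need to map inner to outer addresses first.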

