[Openswan Users] question about conn host-to-host or host-to-network

Paul Wouters paul at xelerance.com
Mon Oct 6 11:48:05 EDT 2008

On Mon, 6 Oct 2008, Christophe LAUVERNIER wrote:

> When i start the connection the tunnel seems to be on
> ipsec whack --status

> 000 #2: "linux-to-linux" esp.6e2045d2 at
> esp.b7de7312 at tun.0 at tun.0 at
> ref=0 refhim=4294901761

It's up (though the refhim number is kinda odd, but harmless)

> but when i start : service ipsec status there are no tunnels up
> [root at brennsecure etc]# service ipsec status
> IPsec running  - pluto pid: 1277
> pluto pid 1277
> No tunnels up
> [root at brennsecure etc]#

that command might not very well on netkey. instead try:

ip xfrm state

> When i ping from i saw ESP packet but also
> icmp packets.

That's normal for NETKEY. A trick John Denker recently gave to see the
encrypted packets is to add a fake alias to the device and sniff there:
In your case:

> [root at brennsecure etc]# tcpdump -i eth0 -p esp or -p icmp

ifconfig eth0:fake
tcpdump -n -i eth0:fake

You will then both encrypted and decrypted traffic.


More information about the Users mailing list