[Openswan Users] VPN one way encryption

Paul Wouters paul at xelerance.com
Tue Apr 21 10:09:54 EDT 2009


On Tue, 21 Apr 2009, Bram H wrote:

> Ok, I will clarify the setup. I have a UMTS modem, which will receive a new IP address every 24 hours. This
> modem is connected to a gateway machine. Behind the gateway machine there are 2 other PCs. The gateway has IP
> address 10.0.1.1, the PCs have 10.0.1.10 and 10.0.1.11. For both PCs the default gateway is 10.0.1.1. Besides that,
> I have one central machine where the roadwarrior network should connect to.
> 
> From the central server I can ping to 10.0.1.11 for example, I see ESP packages when using tcpdump. When I ping from
> 10.0.1.1 to the central server, I see plain ICMP packages.

If using netkey that is "normal" (where normal is defined by the linux kernel hackers, not me)
The packets get encrypted after tcpdump can "see" them. Verify on the remote end to see
if you actually got plaintext (or no) packets or encrypted packets.

In some kernel versions, there is a hack to see things better. If eth0 is your external
interface, do:

ifconfig eth0:hack
tcpdump -i eth0:hack -n

If you are really getting one way encryption, then usually it is because your routing is
asymmetric.

Paul

