[Openswan Users] Forcing UDP Encapsulation in Tunnel Mode
Shasi Thati
shasi.thati at gmail.com
Tue Feb 17 18:55:11 EST 2009
Hi,
I am using OpenSwan to test my crypto driver that provides IPSec offload. I
have a very basic tunnel set up as shown below. I am primarily trying to
test UDP Encapsulation through this tunnel although I do not have a NAT
device on either side of the tunnel. The problem I am having is that with
the following ipsec.conf (with nat_traversal=yes and forceencaps=yes), I
only see ESP Packets but not UDP Encapsulated packets.
                                                      (directly connected)
10.66.21.166 ----- 10.66.21.164(eth0)---192.168.1.100(eth1)<========>192.168.2.100(eth1)---10.66.12.185(eth0)-------10.66.12.186
Machine: A         Machine: B                                        Machine: C                                     Machine: D
This is my current ipsec.conf
# /etc/ipsec.conf
version 2.0

#config setup
config setup
        interfaces=%defaultroute
        protostack=netkey
        klipsdebug=none
        plutodebug=all
        nat_traversal=yes

#Simple Host to Host Connection
conn tunnel-to-tunnel
        type=tunnel
        forceencaps=yes
        left=192.168.1.100
        leftsubnet=10.66.21.0/24
        leftrsasigkey=<right key>
        right=192.168.2.100
        rightsubnet=10.66.12.0/24
        rightrsasigkey=<left key>
        keyingtries=1
        auto=add
# ipsec --version
ipsec --version
Linux Openswan U2.5.17/K2.6.27 (netkey)
When I run pluto I get the following output,
pluto[1944]: Starting Pluto (Openswan Version 2.5.17; Vendor ID OEztC{yJaHh[) pid:1944
pluto[1944]: Setting NAT-Traversal port-4500 floating to off
pluto[1944]: port floating activation criteria nat_t=0/port_float=1
pluto[1944]: including NAT-Traversal patch (Version 0.6c) [disabled]
pluto[1944]: using /dev/urandom as source of random entropy
pluto[1944]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
pluto[1944]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[1944]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[1944]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[1944]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[1944]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[1944]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[1944]: starting up 1 cryptographic helpers
pluto[1945]: using /dev/urandom as source of random entropy
pluto[1944]: started helper pid=1945 (fd:6)
pluto[1944]: Using Linux 2.6 IPsec interface code on 2.6.27 (experimental code)
I am not sure what could be missing in the ipsec.conf file or for any other
configuration which I missed. I would really appreciate any suggestions on
this issue.
Thanks,
Shasi
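
Added example, not part of the original post and not Openswan code: a small classifier for packets captured on the outer interface, to tell native ESP (IP protocol 50) apart from RFC 3948 UDP-encapsulated ESP on port 4500. The function names and all sample packets are constructed for illustration; only the two gateway addresses come from the post.

```python
import struct

ESP, UDP, NATT_PORT = 50, 17, 4500  # IP protocol numbers; RFC 3948 UDP port

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet captured on the tunnel's outer interface."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    if pkt[9] == ESP:
        return "native-esp"              # no UDP wrapper at all
    if pkt[9] != UDP:
        return "other"
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return "fragment"                # non-first fragment: no UDP header to read
    ihl = (pkt[0] & 0x0F) * 4
    dgram = pkt[ihl:]
    if ihl < 20 or len(dgram) < 8:
        return "malformed"
    sport, dport = struct.unpack("!HH", dgram[:4])
    if NATT_PORT not in (sport, dport):
        return "other-udp"               # e.g. IKE on UDP/500
    payload = dgram[8:]
    if payload == b"\xff":
        return "nat-keepalive"           # single 0xFF byte
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == b"\x00" * 4:
        return "ike-on-4500"             # non-ESP marker precedes the IKE header
    return "udp-encapsulated-esp"        # first 4 bytes are a non-zero SPI

def ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed packet between the post's two gateways; checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 168, 1, 100]), bytes([192, 168, 2, 100])) + payload

def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP_BODY = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16  # constructed SPI, seq, dummy data
SAMPLES = {
    "native": ipv4(ESP, ESP_BODY),
    "encapsulated": ipv4(UDP, udp_datagram(4500, 4500, ESP_BODY)),
    "ike": ipv4(UDP, udp_datagram(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "keepalive": ipv4(UDP, udp_datagram(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:14s} -> {classify(pkt)}")
```

A capture that contains only "native-esp" results matches what the post reports: encapsulation was never negotiated.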