[Openswan Users] Sending traffic to IPsec tunnel

Paul Wouters paul at xelerance.com
Wed Sep 30 23:32:26 EDT 2009


On Wed, 30 Sep 2009, António Fernandes wrote:

> b) I try to ping a host on the BLan, but when I tcpdump the external interface I still see regular icmp packets with
> no tunneling!

If you are using NETKEY, that is "normal" as the IPsec encryption happens
after tcpdump sees the packet. This is not our design :P

> My question is: Because that type of configuration doesn't create a thing like an ipsec0 device, how to assure the
> traffic is directed to ipsec tunnel?

You do not need to assure it in that sense. With KLIPS you needed to
route it into an ipsecX device so that it reached the KLIPS code. With
NETKEY, advanced magic handles that for you. Unfortunately, the magic
has the above mentioned limitation.

To confirm outgoing ipsec packets, check the other end for incoming ipsec packets.
If the incoming end is Linux (with NETKEY, not KLIPS) then you should
see the incoming packet twice with tcpdump. Once encrypted and once
decrypted.

With KLIPS, it's all easier and more obvious. ethX sees encrypted packets in
and out, and ipsecX sees decrypted packets in and out. That is our design :P

Paul
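A small checker for the "see it twice on the receiving NETKEY end" test described in the reply, added here as an example and not code from the thread or from Openswan. It classifies tcpdump -n lines from the receiver's external interface; the capture lines, addresses and SPI are constructed samples.

```python
"""Check whether ping traffic actually went through a NETKEY IPsec tunnel by
looking at a tcpdump capture taken on the *receiving* host's external interface.
Each tunnelled packet should appear twice: once as ESP, once as plaintext ICMP."""
import re

# Loose matches for the shapes tcpdump -n prints for ESP and ICMP echo lines.
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")


def classify(lines):
    """Return (esp_count, plaintext_icmp_count) for a list of tcpdump lines."""
    esp = icmp = 0
    for line in lines:
        if ESP_RE.search(line):
            esp += 1
        elif ICMP_RE.search(line):
            icmp += 1
    return esp, icmp


def tunnel_verdict(receiver_lines):
    """Judge a capture from the receiving NETKEY host's external interface."""
    esp, icmp = classify(receiver_lines)
    if esp == 0 and icmp == 0:
        return "no traffic"
    if esp == 0:
        return "bypassing tunnel"   # only plaintext arrived on the wire
    if icmp == 0:
        return "esp only"           # encrypted packets arrived, nothing decrypted
    return "tunnelled"              # seen twice: encrypted and decrypted


# Constructed sample captures (documentation addresses, made-up SPI and ids).
TUNNELLED = [
    "23:31:01.100001 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x1), length 116",
    "23:31:01.100005 IP 10.1.0.5 > 10.2.0.7: ICMP echo request, id 4321, seq 1, length 64",
    "23:31:02.100001 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x2), length 116",
    "23:31:02.100005 IP 10.1.0.5 > 10.2.0.7: ICMP echo request, id 4321, seq 2, length 64",
]
BYPASS = [
    "23:31:05.200001 IP 192.0.2.1 > 10.2.0.7: ICMP echo request, id 4321, seq 1, length 64",
]

if __name__ == "__main__":
    print("receiver capture A:", tunnel_verdict(TUNNELLED))   # tunnelled
    print("receiver capture B:", tunnel_verdict(BYPASS))      # bypassing tunnel
```

On the sending NETKEY host a plaintext-only capture is the normal case described above, so apply the verdict only to the receiving side.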
