[Openswan Users] OpenSwan won't Encapsulate my Packets

Markus Ewald cygon at nuclex.org
Thu Dec 9 04:25:19 EST 2010

On 12/9/2010 2:51 AM, Paul Wouters wrote:
> On Thu, 9 Dec 2010, Markus Ewald wrote:
>>> Usually a NAT or firewall issue
>> How can I debug this?
> By temporarily disabling it?
Already attempted that, no change in behavior.

>>> If using NETKEY, your tcpdump will not be able to see outgoing encrypted packets.
>> How can I find out? I grepped my kernel .config, but neither klips nor netkey appear in it.
> ipsec --version (when openswan is running)
Checked. Yes I'm using netkey. But see the next paragraph...

>> Still, if the second tcpdump command prints the packet, that means 
>> they're not being picked up by OpenSwan or am I mistaken here?
> second tcpdump? With netkey you don't see the outgoing encrypted packets.
second tcpdump *command*. I posted two tcpdump command lines:
- The first captured all ah, esp and udp port 500/4500 packets. Nothing popped up there.
- The second captured all icmp packets leaving ppp0. With that I watched pings travel unencapsulated to my ISP.

My interpretation of that observation is that OpenSwan doesn't capture 
and encapsulate the packets for some reason.

> Paul
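The check the thread is circling around, written out as an added example (not from the thread or from Openswan): given `tcpdump -n` output from the outer interface, flag plaintext packets whose destination lies in a subnet the tunnel should protect. The capture lines, the interface name and the protected subnet 10.8.0.0/24 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n -i ppp0` output; not captured from the thread's host.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10 > 192.0.2.20: ICMP echo request, id 7, seq 1, length 64
12:00:01.000002 IP 203.0.113.10.4500 > 192.0.2.20.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1), length 116
12:00:01.000003 IP 203.0.113.10 > 10.8.0.5: ICMP echo request, id 7, seq 2, length 64
12:00:01.000004 IP 203.0.113.10 > 198.51.100.7: ICMP echo request, id 7, seq 3, length 64
12:00:01.000005 IP 203.0.113.10 > 10.8.0.6: ICMP echo request, id 7, seq 4, length 64
"""

# IPv4 only; tcpdump prints a port as a fifth dotted component after the address.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$"
)


def is_encapsulated(summary):
    """True if tcpdump labelled the packet as IPsec (ESP, AH or UDP-encapsulated ESP)."""
    return summary.startswith(("ESP", "AH", "UDP-encap: ESP"))


def find_unencapsulated(capture_text, protected_subnets):
    """Return (src, dst, summary) for plaintext packets whose destination lies in a
    subnet the tunnel is supposed to protect.  As noted in the thread, with NETKEY the
    outgoing ESP packets may never show up in tcpdump, so the absence of ESP proves
    nothing; plaintext packets to a protected subnet on the outer interface do."""
    nets = [ipaddress.ip_network(n) for n in protected_subnets]
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, summary = m.groups()
        if is_encapsulated(summary):
            continue
        if any(ipaddress.ip_address(dst) in net for net in nets):
            leaks.append((src, dst, summary))
    return leaks


if __name__ == "__main__":
    for src, dst, what in find_unencapsulated(SAMPLE_CAPTURE, ["10.8.0.0/24"]):
        print(f"plaintext to protected subnet: {src} -> {dst} ({what})")
```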
