[Openswan Users] NETKEY/KLIPS (was Re: Is OpenSwan 2.6.33 supporting kernel 2.4?)
Paul Wouters
paul at xelerance.com
Sun Feb 27 10:58:26 EST 2011
On Wed, 23 Feb 2011, Michael Smith wrote:
> With NETKEY it's the unencrypted transmit packet that is not shown in
> tcpdump.
No, it is the outgoing encrypted packet that does not show.
> My other beef with NETKEY is that the reverse path filter
> (rp_filter/martian logging) applies to packets after decryption.
rp_filter in general is terrible with ipsec, not just netkey, but also
with klips and/or mast.
Worse, we had cases where turning it off via sysctl.conf did not help,
and we had to run it in _updown for a while before we hacked some stuff
in the stack to work around this.
Paul
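Added example, not part of the thread above: a small POSIX shell helper that shows why setting rp_filter in sysctl.conf alone can leave it effectively on. The kernel applies max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<if>.rp_filter) when validating the source of a packet arriving on <if>, and a per-interface key only exists once that interface does, so a boot-time sysctl.conf entry for an interface created later has nothing to set. The sysctl dump below is constructed; the interface names are illustrative, and the emitted commands are the two sysctl writes a practitioner would put in a hook such as _updown rather than Openswan's own code.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Computes the rp_filter value the kernel actually enforces for an interface
# and emits the sysctl writes needed to really turn it off.

# Effective rp_filter for an interface is the larger of conf.all and conf.<if>
# (Documentation/networking/ip-sysctl.txt).
effective_rp_filter() {   # $1 = conf.all value, $2 = conf.<if> value
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Look up both keys in a "key = value" dump (as printed by `sysctl -a`) and
# report the effective value for interface $2, or "absent" when the
# per-interface key does not exist yet (interface not created).
effective_rp_filter_from_dump() {   # $1 = dump text, $2 = interface name
  all=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.conf\.all\.rp_filter = //p')
  ifv=$(printf '%s\n' "$1" | sed -n "s/^net\.ipv4\.conf\.$2\.rp_filter = //p")
  [ -n "$all" ] || all=0
  if [ -z "$ifv" ]; then
    echo "absent"
    return 0
  fi
  effective_rp_filter "$all" "$ifv"
}

# Commands to run when the interface exists (e.g. from an _updown hook):
# both keys must be 0, because the max of the two is what the kernel uses.
rp_filter_off_cmds() {   # $1 = interface name
  printf 'sysctl -w net.ipv4.conf.all.rp_filter=0\n'
  printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$1"
}

# Constructed sample dump: eth0 has rp_filter=0 but conf.all is still 1,
# so eth0 is still filtered; ipsec0 has no key at all yet.
SAMPLE_DUMP='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1'

for ifname in eth0 eth1 ipsec0; do
  printf '%s: effective rp_filter = %s\n' "$ifname" \
    "$(effective_rp_filter_from_dump "$SAMPLE_DUMP" "$ifname")"
done
rp_filter_off_cmds eth0
```

Running it against the sample dump reports eth0 as still filtered (all=1 wins over eth0=0) and ipsec0 as absent, which is the situation where a hook that runs after the interface comes up is needed.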