[Openswan Users] NETKEY/KLIPS (was Re: Is OpenSwan 2.6.33 supporting kernel 2.4?)

Paul Wouters paul at xelerance.com
Sun Feb 27 10:58:26 EST 2011

On Wed, 23 Feb 2011, Michael Smith wrote:

> With NETKEY it's the unencrypted transmit packet that is not shown in
> tcpdump.

No, it is the outgoing encrypted packet that does not show.

> My other beef with NETKEY is that the reverse path filter
> (rp_filter/martian logging) applies to packets after decryption.

rp_filter in general is terrible with ipsec, not just netkey, but also
with klips and/or mast.

Worse, we had cases where turning it off via sysctl.conf did not help,
and we had to run it in _updown for a while before we hacked some stuff
in the stack to work around this.

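As an added illustration (not part of this thread, and not Openswan's own `_updown` script): a small POSIX shell helper that audits `rp_filter` per interface and, used as an updown hook, clears it for the interface a tunnel comes up on, which is the kind of workaround the reply above describes. It assumes the `PLUTO_VERB` and `PLUTO_INTERFACE` variables that Openswan exports to updown scripts; the sysctl root directory is a parameter so the functions can be pointed at a scratch tree.

```shell
#!/bin/sh
# Added example: audit / adjust rp_filter the way an _updown hook would.
# Assumes the Openswan updown environment (PLUTO_VERB, PLUTO_INTERFACE);
# the conf root is a parameter so the logic can be exercised offline.

# List interfaces whose rp_filter is not 0 (1 = strict, 2 = loose), i.e.
# the ones that may drop decrypted tunnel traffic as "martian". Note the
# kernel uses max(conf/all, conf/<iface>), so "all" matters as much as
# the tunnel interface, which is why a per-interface sysctl alone can fail.
rp_filter_audit() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue
        v=$(cat "$f")
        [ "$v" = "0" ] || printf '%s=%s\n' "$(basename "$(dirname "$f")")" "$v"
    done
}

# Set rp_filter on one interface; reject anything but 0/1/2 and
# fail if the interface has no rp_filter knob.
rp_filter_set() {
    root=$1; ifname=$2; value=$3
    case $value in 0|1|2) ;; *) return 2 ;; esac
    [ -f "$root/$ifname/rp_filter" ] || return 1
    printf '%s\n' "$value" > "$root/$ifname/rp_filter"
}

# Hook entry point: on the up-* verbs, clear rp_filter on the tunnel's
# interface; every other verb (down-*, route-*, prepare-*) is a no-op.
rp_filter_updown_hook() {
    root=${1:-/proc/sys/net/ipv4/conf}
    case ${PLUTO_VERB:-} in
        up-host|up-client) rp_filter_set "$root" "${PLUTO_INTERFACE:-}" 0 ;;
        *) return 0 ;;
    esac
}
```

Run `rp_filter_audit` before and after bringing a tunnel up to confirm which interface (and whether `all`) is still filtering; with NETKEY the relevant interface is the physical one, with KLIPS it is `ipsecN`.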