[Openswan Users] retransmission in tunnel mode

Ryan Whelan rcwhelan at gmail.com
Wed Jul 20 17:44:32 EDT 2011


I've set up a GRE tunnel between 2 Linux machines and when trying to
protect the GRE packets with openswan, I'm seeing a secured and an
unsecured transmission for the same packet.

Here is a tcpdump of what I'm trying to articulate. This is a single
ICMP ping over the tunnel.

17:30:27.039472 IP hostA.example.com > hostB.example.com:
ESP(spi=0x03379b07,seq=0x17), length 148
17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0,
length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id
50202, seq 1, length 64
17:30:27.039684 IP hostB.example.com > hostA.example.com:
ESP(spi=0xeb49ccb5,seq=0x17), length 148

You can see the first packet is encrypted, but it is retransmitted a
second time unprotected.  There is only a single response, however.
This behaviour is the same going in both directions: the sender sends
2 packets, one encrypted, one not.

Here is my ipsec.conf:

version 2.0
# defaults
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0

conn ca-nj
        leftprotoport=47/0
        rightprotoport=47/0
        left=1.1.1.1
        leftid=@1-1-1-1.fqdn
        leftrsasigkey=0sAQO0Z......
        right=2.2.2.2
        rightid=@2-2-2-2.fqdn
        rightrsasigkey=0sAQO1.......
        auto=start

What am I doing wrong?  This does not happen if I use transport mode,
and I don't have any private subnets configured because I will have
some dynamic routing daemons doing all the routing (the routes behind
these machines will change frequently).

Thanks
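As an added illustration (not part of the original post, and not Openswan code), the check below turns the kind of tcpdump output shown above into a mechanical test: it parses each ESP and GREv0 line, then reports any cleartext GRE packet that appears alongside an ESP packet between the same two hosts within a short time window. The sample capture is constructed from the post's three lines, unwrapped onto one line each; the hostnames, SPIs and timestamps are taken from the post, and the 1 ms pairing window is an assumption.

```python
"""Pair cleartext GRE packets with ESP packets in a tcpdump text capture.

Added example, not from the original mailing-list post or from Openswan.
Given tcpdump text output, report any cleartext GRE packet seen alongside
an ESP packet between the same two hosts within a short window, which is
exactly the symptom the post describes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the post's three capture lines, one packet per line.
SAMPLE_CAPTURE = """\
17:30:27.039472 IP hostA.example.com > hostB.example.com: ESP(spi=0x03379b07,seq=0x17), length 148
17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0, length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id 50202, seq 1, length 64
17:30:27.039684 IP hostB.example.com > hostA.example.com: ESP(spi=0xeb49ccb5,seq=0x17), length 148
"""

# Matches the start of a tcpdump line for either an ESP or a GREv0 packet.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"(?:ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)|(?P<gre>GREv0))"
)


def parse_capture(text):
    """Return one dict per recognised ESP or GRE packet; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated traffic or tcpdump noise
        packets.append({
            "ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "kind": "esp" if m.group("spi") else "gre",
            "spi": m.group("spi"),  # None for cleartext GRE
        })
    return packets


def find_unprotected_duplicates(packets, window_us=1000):
    """Cleartext GRE packets seen within window_us of an ESP packet on the same src->dst pair.

    The 1 ms default window is an assumption; the post's pair shares an identical timestamp.
    """
    window = timedelta(microseconds=window_us)
    esp_by_pair = defaultdict(list)
    for p in packets:
        if p["kind"] == "esp":
            esp_by_pair[(p["src"], p["dst"])].append(p)

    findings = []
    for p in packets:
        if p["kind"] != "gre":
            continue
        for e in esp_by_pair[(p["src"], p["dst"])]:
            if abs(e["ts"] - p["ts"]) <= window:
                findings.append({
                    "ts": p["ts"].strftime("%H:%M:%S.%f"),
                    "src": p["src"],
                    "dst": p["dst"],
                    "esp_spi": e["spi"],
                })
                break
    return findings


def count_by_direction(packets):
    """Per (src, dst) pair, how many ESP and cleartext GRE packets were seen."""
    counts = defaultdict(lambda: {"esp": 0, "gre": 0})
    for p in packets:
        counts[(p["src"], p["dst"])][p["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for f in find_unprotected_duplicates(pkts):
        print(f"{f['ts']} {f['src']} -> {f['dst']}: cleartext GRE alongside ESP spi=0x{f['esp_spi']}")
    for pair, c in count_by_direction(pkts).items():
        print(f"{pair[0]} -> {pair[1]}: esp={c['esp']} gre={c['gre']}")
```

Run it against `tcpdump -nn -i <iface> esp or proto gre` output saved to a file instead of `SAMPLE_CAPTURE` to confirm the symptom on both directions; on the post's capture it flags the hostA to hostB pair and shows hostB sending only ESP.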
