[Openswan Users] retransmission in tunnel mode
rcwhelan at gmail.com
Wed Jul 20 17:44:32 EDT 2011
I've set up a GRE tunnel between two Linux machines and, when trying to
protect the GRE packets with Openswan, I'm seeing a secured and an
unsecured transmission for the same packet.
Here is a tcpdump of what I'm trying to articulate. This is a single
ICMP ping over the tunnel.
17:30:27.039472 IP hostA.example.com > hostB.example.com: ESP(spi=0x03379b07,seq=0x17), length 148
17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0, length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id 50202, seq 1, length 64
17:30:27.039684 IP hostB.example.com > hostA.example.com: ESP(spi=0xeb49ccb5,seq=0x17), length 148
You can see the first packet is encrypted, but it is retransmitted a
second time unprotected. There is only a single response, however.
This behaviour is the same going in both directions: the sender sends
two packets, one encrypted, one not.
Here is my ipsec.conf:
What am I doing wrong? This does not happen if I use transport mode,
and I don't have any private subnets configured because I will have
some dynamic routing daemons doing all the routing (the routes behind
these machines will change frequently).
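A check a practitioner can run over a capture like the one in this post, added here as an example and not code from the poster or from the Openswan project: it parses tcpdump records of the format shown above (joining lines that a mail client wrapped), counts ESP and cleartext GRE records per direction, and flags each cleartext GRE record according to whether an ESP record in the same direction carries the same timestamp. The sample input is constructed from the three records quoted in the post plus one invented counter-example; the record format, the timestamp tolerance, and the verdict labels are assumptions of this script. A cleartext record that exactly shares its timestamp and direction with an ESP record is what one would expect if a single packet were captured at two points in the send path rather than transmitted twice, but the script only reports the pattern; confirming what actually reaches the wire needs a capture taken on the far side or on an intermediate device.

```python
import re

# Constructed sample input: the three tcpdump records quoted in the post,
# written here with mail-client line wrapping to exercise the unwrap step.
SAMPLE_CAPTURE = """\
17:30:27.039472 IP hostA.example.com > hostB.example.com:
ESP(spi=0x03379b07,seq=0x17), length 148
17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0,
length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id
50202, seq 1, length 64
17:30:27.039684 IP hostB.example.com > hostA.example.com:
ESP(spi=0xeb49ccb5,seq=0x17), length 148
"""

# Constructed counter-example (not from the post): a cleartext GRE record with
# no ESP record in the same direction at the same timestamp.
LEAK_CAPTURE = """\
17:31:00.100000 IP hostA.example.com > hostB.example.com: GREv0, length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id 50202, seq 2, length 64
17:31:00.100300 IP hostB.example.com > hostA.example.com: ESP(spi=0xeb49ccb5,seq=0x18), length 148
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")


def unwrap(text):
    """Join continuation lines (no leading timestamp) onto the previous record."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def ts_to_us(ts):
    """HH:MM:SS.ffffff -> integer microseconds since midnight (no float rounding)."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    us = int(frac.ljust(6, "0")[:6])
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + us


def parse_capture(text):
    """Return one dict per record: direction, kind (esp / gre-cleartext / other), SPI, seq."""
    pkts = []
    for rec in unwrap(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue  # not an IP record in the expected format; skipped
        rest = m.group("rest")
        esp = ESP_RE.match(rest)
        if esp:
            kind = "esp"
        elif rest.startswith("GREv0"):
            kind = "gre-cleartext"
        else:
            kind = "other"
        pkts.append({
            "ts": m.group("ts"), "us": ts_to_us(m.group("ts")),
            "src": m.group("src"), "dst": m.group("dst"), "kind": kind,
            "spi": esp.group("spi") if esp else None,
            "seq": int(esp.group("seq"), 16) if esp else None,
        })
    return pkts


def classify_cleartext(pkts, tol_us=0):
    """Label each cleartext GRE record: 'same-ts-as-esp' if an ESP record in the
    same direction lies within tol_us microseconds, else 'no-esp-twin'."""
    esp = [p for p in pkts if p["kind"] == "esp"]
    verdicts = []
    for p in pkts:
        if p["kind"] != "gre-cleartext":
            continue
        twin = any(e["src"] == p["src"] and e["dst"] == p["dst"]
                   and abs(e["us"] - p["us"]) <= tol_us for e in esp)
        verdicts.append((p["ts"], p["src"], p["dst"],
                         "same-ts-as-esp" if twin else "no-esp-twin"))
    return verdicts


def summarize(text, tol_us=0):
    """Per-direction counts plus the cleartext verdicts, for one capture text."""
    pkts = parse_capture(text)
    by_dir = {}
    for p in pkts:
        d = by_dir.setdefault((p["src"], p["dst"]),
                              {"esp": 0, "gre-cleartext": 0, "other": 0})
        d[p["kind"]] += 1
    return {"directions": by_dir, "cleartext": classify_cleartext(pkts, tol_us)}


if __name__ == "__main__":
    for name, cap in (("post sample", SAMPLE_CAPTURE), ("constructed leak", LEAK_CAPTURE)):
        s = summarize(cap)
        print(name)
        for (src, dst), counts in s["directions"].items():
            print(f"  {src} -> {dst}: {counts}")
        for v in s["cleartext"]:
            print("  cleartext GRE", v)
```

Feed it `tcpdump -n -i <iface> 'esp or proto gre'` output (with `-tttt` you would need to widen `TS_RE` for the date prefix). A non-zero `tol_us` is useful on busier hosts, where the two captures of one packet can differ by a few microseconds; any `no-esp-twin` result is the one worth chasing, because it means a cleartext GRE packet appeared with no encrypted counterpart in that direction at that moment.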