[Openswan Users] retransmission in tunnel mode
Ryan Whelan
rcwhelan at gmail.com
Wed Jul 20 17:44:32 EDT 2011
I've set up a GRE tunnel between 2 Linux machines, and when trying to
protect the GRE packets with Openswan, I'm seeing a secured and an
unsecured transmission for the same packet.
Here is a tcpdump of what I'm trying to articulate. This is a single
ICMP ping over the tunnel.
17:30:27.039472 IP hostA.example.com > hostB.example.com: ESP(spi=0x03379b07,seq=0x17), length 148
17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0, length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id 50202, seq 1, length 64
17:30:27.039684 IP hostB.example.com > hostA.example.com: ESP(spi=0xeb49ccb5,seq=0x17), length 148
You can see the first packet is encrypted, but it is retransmitted a
second time unprotected. There is only a single response, however.
This behaviour is the same going in both directions: the sender sends
2 packets, one encrypted, one not.
Here is my ipsec.conf:
version 2.0
# defaults
config setup
        # use the kernel's native IPsec stack (NETKEY/XFRM) rather than KLIPS
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        # no opportunistic encryption
        oe=off
        nhelpers=0

conn ca-nj
        # selectors: protocol 47 (GRE), any port, on both ends
        leftprotoport=47/0
        rightprotoport=47/0
        left=1.1.1.1
        leftid=@1-1-1-1.fqdn
        leftrsasigkey=0sAQO0Z......
        right=2.2.2.2
        rightid=@2-2-2-2.fqdn
        rightrsasigkey=0sAQO1.......
        # bring the tunnel up when ipsec starts
        auto=start
What am I doing wrong? This does not happen if I use transport mode,
and I don't have any private subnets configured because I will have
some dynamic routing daemons doing all the routing (the routes behind
these machines will change frequently).
Thanks
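Before changing the configuration it helps to quantify the symptom over a longer capture: for each direction between the two endpoints, how many packets left as ESP and how many GRE packets left in the clear. The script below is an added example and is not code from the original post or from Openswan; it parses `tcpdump -n` output in the same format as the capture above and flags every direction in which cleartext GRE appears alongside an ESP SA. The sample lines are constructed from the post's capture; the host names and function names are assumptions made for the example.

```python
"""Flag GRE packets that left the host unprotected beside ESP traffic.

Added example, not from the original post. Feed it lines from
`tcpdump -n -i <iface>` on a tunnel endpoint; it reports per direction
how many packets went out as ESP and how many GRE packets went out in
the clear, which is exactly the symptom the post describes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three lines from the post's capture.
SAMPLE_CAPTURE = [
    "17:30:27.039472 IP hostA.example.com > hostB.example.com: "
    "ESP(spi=0x03379b07,seq=0x17), length 148",
    "17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0, "
    "length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, "
    "id 50202, seq 1, length 64",
    "17:30:27.039684 IP hostB.example.com > hostA.example.com: "
    "ESP(spi=0xeb49ccb5,seq=0x17), length 148",
]

# Outer tcpdump line: timestamp, "IP", src > dst, then the payload summary.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# ESP summary as tcpdump prints it: ESP(spi=0x...,seq=0x...)
ESP_RE = re.compile(r"^ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    kind: str                   # "esp", "gre" (cleartext) or "other"
    spi: Optional[str] = None   # only for ESP
    seq: Optional[int] = None   # ESP sequence number, only for ESP
    inner: str = ""             # decoded inner packet, only for cleartext GRE


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines that are not IP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    esp = ESP_RE.match(rest)
    if esp:
        return Packet(m["ts"], m["src"], m["dst"], "esp",
                      esp["spi"], int(esp["seq"], 16))
    if rest.startswith("GREv0"):
        # Everything after "GREv0, length N: " is the inner packet, which
        # tcpdump can only decode because the GRE payload is unencrypted.
        inner = rest.split(": ", 1)[1] if ": " in rest else ""
        return Packet(m["ts"], m["src"], m["dst"], "gre", inner=inner)
    return Packet(m["ts"], m["src"], m["dst"], "other")


def summarize(lines):
    """Per (src, dst) direction: counts of esp/gre/other and the SPIs seen."""
    stats = defaultdict(lambda: {"esp": 0, "gre": 0, "other": 0, "spis": set()})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        entry = stats[(pkt.src, pkt.dst)]
        entry[pkt.kind] += 1
        if pkt.spi:
            entry["spis"].add(pkt.spi)
    return dict(stats)


def cleartext_leaks(lines):
    """Directions where cleartext GRE appeared although an ESP SA was active
    for the same pair. Returns sorted (src, dst, gre_count, esp_count)."""
    return sorted(
        (src, dst, s["gre"], s["esp"])
        for (src, dst), s in summarize(lines).items()
        if s["gre"] and s["esp"]
    )


if __name__ == "__main__":
    for src, dst, gre, esp in cleartext_leaks(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}: {esp} ESP packet(s), {gre} cleartext GRE packet(s)")
```

Run it with `tcpdump -n -i eth0 'host 2.2.2.2' | python3 grecheck.py` adapted to read stdin; any direction it prints is one where GRE payload reached the wire, or at least the capture point, without ESP. Note that a cleartext packet only proves a leak if the capture was taken on the physical interface that faces the peer.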