[Openswan Users] retransmission in tunnel mode

Ruben Laban r.laban at ism.nl
Thu Jul 21 02:30:22 EDT 2011


On Wednesday 20 July 2011 at 23:44 (CET), Ryan Whelan wrote:
> I've set up a GRE tunnel between 2 Linux machines and when trying to
> protect the GRE packets with openswan, I'm seeing a secured and an
> unsecured transmission for the same packet.
> 
> Here is a tcpdump of what I'm trying to articulate. This is a single
> ICMP ping over the tunnel.
> 
> 17:30:27.039472 IP hostA.example.com > hostB.example.com:
> ESP(spi=0x03379b07,seq=0x17), length 148
> 17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0,
> length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id
> 50202, seq 1, length 64
> 17:30:27.039684 IP hostB.example.com > hostA.example.com:
> ESP(spi=0xeb49ccb5,seq=0x17), length 148
> 
> You can see the first packet is encrypted, but it is retransmitted a
> second time unprotected.  There is only a single response however.
> This behaviour is the same going in both directions, the sender sends
> 2 packets. One encrypted, one not.
> 
> Here is my ipsec.conf:
> 
> version 2.0
> # defaults
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=
>         oe=off
>         nhelpers=0
> 
> conn ca-nj
>         leftprotoport=47/0
>         rightprotoport=47/0
>         left=1.1.1.1
>         leftid=@1-1-1-1.fqdn
>         leftrsasigkey=0sAQO0Z......
>         right=2.2.2.2
>         rightid=@2-2-2-2.fqdn
>         rightrsasigkey=0sAQO1.......
>         auto=start
> 
> What am I doing wrong?  This does not happen if I use transport mode
> and I don't have any private subnets configured because I will have
> some dynamic routing daemons doing all the routing (the routes behind
> these machines will change frequently).

Don't trust tcpdump running on the VPN endpoint itself when using the netkey 
stack. If you want to be sure whether it gets encrypted or not, check it on an 
upstream router instead.

Regards,
Ruben Laban
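To tell the netkey double-sighting apart from a genuine cleartext leak in an endpoint capture, here is an added example (not from the thread or from Openswan) that pairs each GRE line with an ESP line between the same two hosts within a short time window; the capture text, the window size and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, one packet per line as tcpdump prints it, modelled on the
# capture quoted in the thread. The last GRE packet has no ESP twin on purpose.
SAMPLE_CAPTURE = """\
17:30:27.039472 IP hostA.example.com > hostB.example.com: ESP(spi=0x03379b07,seq=0x17), length 148
17:30:27.039472 IP hostA.example.com > hostB.example.com: GREv0, length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id 50202, seq 1, length 64
17:30:27.039684 IP hostB.example.com > hostA.example.com: ESP(spi=0xeb49ccb5,seq=0x17), length 148
17:30:31.500100 IP hostA.example.com > hostB.example.com: GREv0, length 88: IP 172.31.255.254 > 172.31.255.255: ICMP echo request, id 50202, seq 2, length 64
"""

# timestamp, src, dst and the outer protocol (ESP or GREv0) of a tcpdump IP line
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): (ESP|GREv0)")


def parse(capture):
    """Turn tcpdump lines into dicts with a microsecond timestamp since midnight."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, us = (int(x) for x in m.group(1, 2, 3, 4))
        t = ((h * 60 + mi) * 60 + s) * 1_000_000 + us
        pkts.append({"t": t, "src": m.group(5), "dst": m.group(6), "proto": m.group(7)})
    return pkts


def classify(capture, window_us=1000):
    """Return (shadowed, leaked). A GRE packet with an ESP packet between the same
    endpoints within window_us is the pre/post-XFRM sighting of one packet; a GRE
    packet with no ESP twin really left (or arrived) unprotected."""
    pkts = parse(capture)
    esp_times = defaultdict(list)
    for p in pkts:
        if p["proto"] == "ESP":
            esp_times[(p["src"], p["dst"])].append(p["t"])
    shadowed, leaked = [], []
    for p in pkts:
        if p["proto"] != "GREv0":
            continue
        near = any(abs(p["t"] - t) <= window_us for t in esp_times[(p["src"], p["dst"])])
        (shadowed if near else leaked).append(p)
    return shadowed, leaked


if __name__ == "__main__":
    shadowed, leaked = classify(SAMPLE_CAPTURE)
    print(f"{len(shadowed)} GRE packet(s) shadowed by ESP, {len(leaked)} genuinely unprotected")
```

Only the GRE packets reported as unprotected deserve attention; the capture on an upstream router remains the authoritative check, since that vantage point never sees the pre-encryption copy.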

