<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On Jun 22, 2012, at 1:13 AM, Martin Willi wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi Ricky,<br><br><blockquote type="cite">[...] saying that ipsec devices are no more in > 2.6.16. Is that true?<br></blockquote><br>Yes. The native Linux IPsec stack (Netkey) doesn't use dedicated<br>interfaces, but handles packet en-/decapsulation transparently in the IP<br>stack.<br><font class="Apple-style-span" color="#006312">[…]</font></div></blockquote><br></div><div>Thanks Martin.</div><div><br></div><div>In the setup below:</div><div><div>[ subnet 1 ] --- [ gateway1 ] === [ gateway 2] --- [ subnet 2 ]</div><div>[ 192.168.254.0/24] --- [br0 192.168.254.99 | eth2 99.33.170.155 ] ===== [ eth3 75.11.172.226 | br0 192.168.250.99] --- [ 192.168.250.0/24 ]</div><div><br></div><div>When I ping from subnet 1 to subnet 2, and tcpdump on GW1's eth2 device, I should see ESP packets leaving GW1, correct?</div><div><br></div><div>But I am running into the problem of packets leaving GW1 with the ping packet showing subnet 2 as the destination, e.g.,</div><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>23:10:23.806822 IP 99.33.170.155 > 192.168.250.99: ICMP echo request, id 63768, seq 1, length 64</div><div><br></div><div><a href="https://lists.strongswan.org/pipermail/users/2012-June/007728.html">https://lists.strongswan.org/pipermail/users/2012-June/007728.html</a></div></div></div><br></body></html>