[strongSwan-dev] Strongswan can't work for some msgs in my case, such as SCTP INIT msg.

Martin Willi martin at strongswan.org
Mon Jun 3 09:03:32 CEST 2013


Hi,

> we have some SCTP msgs, such as INIT msg from the femto to the core
> network 192.168.111.9, they don't go through the IPsec tunnel.

> but I don't know the mechanism of strongswan, what had been done on
> the network layer by strongswan?

strongSwan installs the negotiated IPsec policies and SAs to the kernel.
The kernel then takes care to encrypt/decrypt matching traffic.

As this works for some traffic, but not for SCTP, this looks like an
issue with the kernel. 

> Status of IKE charon daemon (strongSwan 5.0.1, Linux 2.6.18-308.8.1.el5, i686):

2.6.18 is very old, and there have been some issues with SCTP and IPsec.
I'd try a newer kernel, or if this is not possible, check with your
distributor the state of SCTP and its use with IPsec in that kernel.

Regards
Martin
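
Added example (not part of the original message, and not strongSwan code): a small parser for `ip xfrm policy` output that reports which installed kernel policy, if any, selects a given flow, so a missing or protocol-restricted selector can be ruled out before suspecting the kernel. The sample output, the femto subnet 10.10.0.0/24, the gateway addresses and the helper names are assumptions constructed for illustration; only 192.168.111.9 comes from the thread.

```python
import ipaddress

# Constructed sample in the layout printed by `ip xfrm policy`; the femto
# subnet and tunnel endpoints are assumptions, not values from the thread.
SAMPLE = (
    "src 10.10.0.0/24 dst 192.168.111.0/24 \n"
    "\tdir out priority 1859 ptype main \n"
    "\ttmpl src 203.0.113.10 dst 203.0.113.1\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
    "src 192.168.111.0/24 dst 10.10.0.0/24 \n"
    "\tdir in priority 1859 ptype main \n"
    "\ttmpl src 203.0.113.1 dst 203.0.113.10\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
    "src 10.10.0.0/24 dst 192.168.112.0/24 proto tcp \n"
    "\tdir out priority 1795 ptype main \n"
    "\ttmpl src 203.0.113.10 dst 203.0.113.1\n"
    "\t\tproto esp reqid 2 mode tunnel\n"
)

# ip prints a protocol name when it can resolve one, otherwise the number.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "sctp": 132}

def pairs(line):
    """Turn 'key value key value ...' into a dict."""
    f = line.split()
    return dict(zip(f[::2], f[1::2]))

def parse_policies(text):
    policies = []
    for line in text.splitlines():
        if line.startswith("src "):            # unindented line = selector
            kv = pairs(line)
            proto = kv.get("proto")            # absent means any protocol
            if proto is not None:              # unknown names map to -1
                proto = PROTO.get(proto, int(proto) if proto.isdigit() else -1)
            policies.append({"src": ipaddress.ip_network(kv["src"], strict=False),
                             "dst": ipaddress.ip_network(kv["dst"], strict=False),
                             "proto": proto})
        elif policies and line.startswith("\tdir "):
            kv = pairs(line)                   # the tmpl's "proto esp" is skipped
            policies[-1].update(dir=kv["dir"], priority=int(kv["priority"]))
    return policies

def policy_for(policies, src, dst, proto, direction="out"):
    """Return the matching policy with the lowest priority value, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.get("dir") == direction
            and src in p["src"] and dst in p["dst"] and p["proto"] in (None, proto)]
    return min(hits, key=lambda p: p["priority"], default=None)
```

If `policy_for(...)` returns a policy for the SCTP flow (protocol 132) and the packets still leave unencrypted, the selectors are in place and the problem is below strongSwan; if it returns None, no installed policy covers that flow.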
