[strongSwan-dev] Strongswan can't work for some msgs in my case, such as SCTP INIT msg.
martin at strongswan.org
Mon Jun 3 09:03:32 CEST 2013
> we have some SCTP msgs, such as INIT msg from the femto to the core
> network 192.168.111.9, they don't go through the IPsec tunnel.
> but I don't know the mechanism of strongswan, what had been done on
> the network layer by strongswan?
strongSwan installs the negotiated IPsec policies and SAs to the kernel.
The kernel then takes care to encrypt/decrypt matching traffic.
As this works for some traffic, but not for SCTP, this looks like an
issue with the kernel.
> Status of IKE charon daemon (strongSwan 5.0.1, Linux 2.6.18-308.8.1.el5, i686):
2.6.18 is very old, and there have been some issues with SCTP and IPsec.
I'd try a newer kernel, or if this is not possible, check with your
distributor the state of SCTP and its use with IPsec in that kernel.
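
One way to check the policy side of the explanation above, as an added example that is not part of the original message or of strongSwan: parse the text output of `ip xfrm policy` and test whether an outbound selector covers an SCTP packet to the core network. The sample output is constructed (all addresses except 192.168.111.9 are made up), and the layout is assumed to follow iproute2's usual format.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output. Only 192.168.111.9 comes
# from the thread; every other address, priority and reqid is made up.
SAMPLE = """\
src 10.10.10.5/32 dst 192.168.111.0/24
    dir out priority 1827 ptype main
    tmpl src 172.16.0.2 dst 172.16.0.1
        proto esp reqid 1 mode tunnel
src 192.168.111.0/24 dst 10.10.10.5/32
    dir in priority 1827 ptype main
    tmpl src 172.16.0.1 dst 172.16.0.2
        proto esp reqid 1 mode tunnel
src 10.10.10.5/32 dst 192.168.200.0/24 proto tcp
    dir out priority 1827 ptype main
    tmpl src 172.16.0.2 dst 172.16.0.1
        proto esp reqid 2 mode tunnel
"""

# Selector lines start in column 0; indented "tmpl src ..." lines do not match.
SEL = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")

def parse_policies(text):
    """Return one dict per policy: src/dst networks, proto (None = any), dir."""
    policies = []
    for line in text.splitlines():
        m = SEL.match(line)
        if m:
            policies.append({
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "proto": m.group(3),
                "dir": None,
            })
        elif policies and (d := re.match(r"\s+dir (\w+)", line)):
            policies[-1]["dir"] = d.group(1)
    return policies

def matching_out_policies(policies, src, dst, proto):
    """Outbound policies whose selector covers a packet src -> dst of proto."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies
            if p["dir"] == "out" and s in p["src"] and d in p["dst"]
            and p["proto"] in (None, proto)]
```

If an outbound policy matches the SCTP flow and the packets still leave unencrypted, the negotiated policy is not the problem and the kernel's handling is the place to look.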