[strongSwan] Packets not being encapsulated

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 23 18:47:26 CET 2011


The forceencaps=yes parameter is ignored by the IKEv1 daemon
and applies to IKEv2 only. Because of the NAT router in between,
ESP is encapsulated in UDP anyway:

root at granville:~# ip xfrm state
src 192.168.16.2 dst BRIGHTON_PUB_IP
    proto esp spi 0x295edd15 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth hmac(sha1) 0x0ba38e23a79f79f7f96690d2d166b315f60b60bb
    enc cbc(aes) 0xdf238a47bb128a41d94f60452411cd26
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
                ^^^^^^^

Regards

Andreas

On 23.03.2011 18:35, Alexis Salinas wrote:
> Hi Russ,
> I noticed you are using 'forceencaps=yes', so I think your traffic will not be ESP but UDP port 4500.
> Do you see any of those packets?
> Cheers,
> Alexis


======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
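
Added example, not part of the original message and not strongSwan code: a small Python parser for `ip xfrm state` output that reports, per SA, whether ESP is UDP-encapsulated (the `encap type espinudp` line pointed out above) or sent natively. The sample input is constructed, with documentation-range addresses and placeholder keys, and its second SA deliberately has no `encap` line to show both cases.

```python
import re

# Constructed sample in the layout of `ip xfrm state` output; addresses are
# documentation ranges and key values are placeholders, not real keys.
SAMPLE = """\
src 192.0.2.10 dst 198.51.100.20
    proto esp spi 0x11111111 reqid 16385 mode tunnel
    auth hmac(sha1) 0x<placeholder>
    enc cbc(aes) 0x<placeholder>
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.20 dst 192.0.2.10
    proto esp spi 0x22222222 reqid 16385 mode tunnel
    auth hmac(sha1) 0x<placeholder>
    enc cbc(aes) 0x<placeholder>
"""

HEADER = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+)")
ENCAP = re.compile(r"^\s+encap type (\S+) sport (\d+) dport (\d+)")

def parse_sas(text):
    """Return one dict per SA: src, dst, proto, spi, and encap (or None)."""
    sas = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2),
                        "proto": None, "spi": None, "encap": None})
            continue
        if not sas:
            continue  # ignore anything before the first SA header
        m = PROTO.match(line)
        if m:
            sas[-1]["proto"], sas[-1]["spi"] = m.group(1), m.group(2)
        m = ENCAP.match(line)
        if m:
            sas[-1]["encap"] = (m.group(1), int(m.group(2)), int(m.group(3)))
    return sas

def describe(sa):
    """Say what the SA's packets look like on the wire."""
    if sa["encap"]:
        kind, sport, dport = sa["encap"]
        return f"{sa['src']} -> {sa['dst']} spi {sa['spi']}: {kind}, UDP {sport}->{dport}"
    return f"{sa['src']} -> {sa['dst']} spi {sa['spi']}: native {sa['proto']}, no UDP encapsulation"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(describe(sa))
```

An SA reported as `espinudp` should be looked for in a packet capture as UDP on the listed ports rather than as IP protocol 50.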



